Detections
Analytics
DotNetNuke 5.x < 9.1.1 Remote Code Execution
high Web App Scanning Plugin ID 113335
Language:
Synopsis
DotNetNuke 5.x < 9.1.1 Remote Code ExecutionDescription
DotNetNuke CMS versions 5.0.0 to 9.1.0 are affected by an insecure deserialization vulnerability that leads to Remote Code Execution (RCE). DotNetNuke uses the DNNPersonalization cookie to store anonymous users personalization options. This cookie is used when the application serves a custom 404 Error page, which is the default settings.Solution
Upgrade to DNN Platform 9.1.1 or later.See Also
https://www.dnnsoftware.com/community/security/security-center
Plugin Details
Severity: High
ID: 113335
Type: remote
Family: Component Vulnerability
Published: 9/6/2022
Updated: 7/13/2023
Scan Template: basic, full, pci, scan
Risk Information
VPR
Risk Factor: High
Score: 7.4
CVSS v2
Risk Factor: Medium
Base Score: 6.5
Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS Score Source: CVE-2017-9822
CVSS v3
Risk Factor: High
Base Score: 8.8
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score Source: CVE-2017-9822
Vulnerability Information
CPE: cpe:2.3:a:dnnsoftware:dotnetnuke:*:*:*:*:*:*:*:*
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 7/5/2017
Vulnerability Publication Date: 7/20/2017
CISA Known Exploited Vulnerability Due Dates: 5/3/2022
Reference Information
CVE: CVE-2017-9822
BID: 102213
CWE: 20
OWASP: 2010-A4, 2013-A4, 2013-A9, 2017-A5, 2017-A9, 2021-A3, 2021-A6
WASC: Improper Input Handling
CAPEC: 10, 101, 104, 108, 109, 110, 120, 13, 135, 136, 14, 153, 182, 209, 22, 23, 230, 231, 24, 250, 261, 267, 28, 3, 31, 42, 43, 45, 46, 47, 473, 52, 53, 588, 63, 64, 67, 7, 71, 72, 73, 78, 79, 8, 80, 81, 83, 85, 88, 9
DISA STIG: APSC-DV-002560, APSC-DV-002630
HIPAA: 164.306(a)(1), 164.306(a)(2)
ISO: 27001-A.14.2.5
NIST: sp800_53-CM-6b, sp800_53-SI-10
OWASP API: 2019-API7, 2023-API8
OWASP ASVS: 4.0.2-14.2.1, 4.0.2-5.1.3