DotNetNuke Cross Site Request Forgery Vulnerability

Product: DotNetNuke
Severity: High
CVE Reference: N/A
Type: DotNetNuke Cross Site Request Forgery Vulnerability

DotNetNuke is a Content Management System (CMS) for the .NET platform, which powers “over 500,000” websites. This vulnerability affects version 5.4.2 and earlier.

It was discovered that the application enabled some sensitive actions, such as changing a registered email address, to be performed with only the session identifier used as authentication. This could enable an attacker to alter a user’s email address through a Cross Site Request Forgery (CSRF) attack. The forgotten password functionality could then be used to reset the password and consequently compromise the account.
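
An added example, not DotNetNuke code and not taken from the advisory: a framework-independent Python model of an email-change handler, first as described above (session cookie only) and then with a session-bound anti-CSRF token, a standard mitigation that the advisory itself does not name. All names (`SESSIONS`, `EMAILS`, `csrf_token`, `change_email_session_only`, `change_email_with_token`) and sample values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)          # per-deployment secret (constructed)
SESSIONS = {"sess-abc123": "alice"}           # constructed: session id -> logged-in user
EMAILS = {"alice": "alice@example.com"}       # constructed: user -> registered email


def csrf_token(session_id: str) -> str:
    """Token bound to one session; the server embeds it only in its own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def change_email_session_only(cookies: dict, form: dict) -> bool:
    """Advisory behaviour: the session cookie is the only thing checked."""
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        return False
    EMAILS[user] = form["email"]
    return True


def change_email_with_token(cookies: dict, form: dict) -> bool:
    """Hardened: the request must also carry the session-bound token."""
    session_id = cookies.get("session", "")
    user = SESSIONS.get(session_id)
    if user is None:
        return False
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, csrf_token(session_id).encode()):
        return False                          # cookie present, token missing or wrong
    EMAILS[user] = form["email"]
    return True


if __name__ == "__main__":
    cookies = {"session": "sess-abc123"}      # a browser attaches this to any request
    cross_site = {"email": "changed@example.net"}   # a third-party page has no token
    same_site = dict(cross_site, csrf_token=csrf_token("sess-abc123"))
    print("session only, cross-site form:", change_email_session_only(cookies, cross_site))
    print("token check,  cross-site form:", change_email_with_token(cookies, cross_site))
    print("token check,  same-site form: ", change_email_with_token(cookies, same_site))
```

Because the email address is what the forgotten-password flow trusts, requiring the user's current password for this change is a common additional control alongside the token.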