DotNetNuke Cross Site Request Forgery Vulnerability

  • Type: DotNetNuke Cross Site Request Forgery Vulnerability
  • Severity: High
  • Affected products: DotNetNuke
  • Date: 2010-06-14
  • CVE Reference: N/A

DotNetNuke is a Content Management System (CMS) for the .NET platform, which powers “over 500,000” websites. This vulnerability affects version 5.4.2 and earlier.

It was discovered that the application allowed some sensitive actions, such as changing a registered email address, to be performed with only the session identifier used as authentication. An attacker could therefore alter a user’s email address through a Cross Site Request Forgery (CSRF) attack. The forgotten password functionality could then be used to reset the password and consequently compromise the account.
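
The following added example (not part of the original advisory and not DotNetNuke code) contrasts a handler that trusts the session cookie alone with one that also requires a session-bound anti-CSRF token. It is framework-agnostic Python; the handler names, the in-memory session store and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample state; every name here is hypothetical.
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {"sess-abc": "alice"}  # session id -> user
EMAILS = {"alice": "alice@example.org"}


def issue_csrf_token(session_id):
    """Token the server embeds in its own forms, bound to one session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def change_email_session_only(cookies, form):
    """Pattern the advisory describes: the session cookie alone authorises."""
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        return False
    EMAILS[user] = form["email"]
    return True


def change_email_with_token(cookies, form):
    """Hardened: the request must also carry the session-bound token."""
    session_id = cookies.get("session", "")
    user = SESSIONS.get(session_id)
    if user is None:
        return False
    expected = issue_csrf_token(session_id).encode()
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(expected, supplied):  # constant-time compare
        return False
    EMAILS[user] = form["email"]
    return True


if __name__ == "__main__":
    cookies = {"session": "sess-abc"}  # the browser attaches this automatically
    cross_site = {"email": "other@example.net"}  # constructed: no token field
    print(change_email_with_token(cookies, cross_site), EMAILS["alice"])
    own_form = {"email": "new@example.org",
                "csrf_token": issue_csrf_token("sess-abc")}
    print(change_email_with_token(cookies, own_form), EMAILS["alice"])
    print(change_email_session_only(cookies, cross_site), EMAILS["alice"])
```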