FKIE_CVE-2008-6540

Vulnerability from fkie_nvd - Published: 2009-03-30 01:30 - Updated: 2025-04-09 00:30
Severity ?
Summary
DotNetNuke before 4.8.2, during installation or upgrade, does not warn the administrator when the default (1) ValidationKey and (2) DecryptionKey values cannot be modified in the web.config file, which allows remote attackers to bypass intended access restrictions by using the default keys.
References
cve@mitre.orghttp://osvdb.org/43720
cve@mitre.orghttp://secunia.com/advisories/29488Vendor Advisory
cve@mitre.orghttp://www.dotnetnuke.com/News/SecurityBulletins/SecurityBulletinno12/tabid/1148/Default.aspxVendor Advisory
cve@mitre.orghttp://www.securityfocus.com/archive/1/489957/100/0/threaded
cve@mitre.orghttp://www.securityfocus.com/bid/28391Exploit
cve@mitre.orghttps://exchange.xforce.ibmcloud.com/vulnerabilities/41399
af854a3a-2127-422b-91ae-364da2661108http://osvdb.org/43720
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/29488Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.dotnetnuke.com/News/SecurityBulletins/SecurityBulletinno12/tabid/1148/Default.aspxVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/archive/1/489957/100/0/threaded
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/28391Exploit
af854a3a-2127-422b-91ae-364da2661108https://exchange.xforce.ibmcloud.com/vulnerabilities/41399
Impacted products
Vendor Product Version
dotnetnuke dotnetnuke *
dotnetnuke dotnetnuke 1.0.6
dotnetnuke dotnetnuke 1.0.7
dotnetnuke dotnetnuke 1.0.8
dotnetnuke dotnetnuke 1.0.9
dotnetnuke dotnetnuke 1.0.10d
dotnetnuke dotnetnuke 1.0.10e
dotnetnuke dotnetnuke 2.1.1
dotnetnuke dotnetnuke 2.1.2
dotnetnuke dotnetnuke 3.0.7
dotnetnuke dotnetnuke 3.0.8
dotnetnuke dotnetnuke 3.0.11
dotnetnuke dotnetnuke 3.1.0
dotnetnuke dotnetnuke 3.3.5
dotnetnuke dotnetnuke 4.0
dotnetnuke dotnetnuke 4.3.5
dotnetnuke dotnetnuke 4.5.2
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EFFBB6F1-D566-4D0D-B8F2-F8817D3DB7CA",
              "versionEndIncluding": "4.8.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:1.0.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "4300BB9D-1A72-4005-AA68-35DB57A551E1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:1.0.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "797726FF-24E9-415A-AC8B-2AE3301F8824",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:1.0.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC6BB8DE-9497-42D7-A29D-BCAC75337A96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:1.0.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "54AB8E47-5484-4449-88BA-90F0CCED285A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:1.0.10d:*:*:*:*:*:*:*",
              "matchCriteriaId": "B111556A-56AC-413C-A1B7-D973492BA8F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:1.0.10e:*:*:*:*:*:*:*",
              "matchCriteriaId": "FE94AE61-4CA4-48B5-BB08-D808CF750CFA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:2.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "C7863328-514C-4885-B5DD-5E04503962E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:2.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "750F735B-1419-4FCF-84F0-05E13608B73D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:3.0.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "BF8EC31D-9C28-46D7-83C6-9720AA0DBC1E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:3.0.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "81D4BDCE-EF83-48E2-BDC7-F6F6CE5CE51F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:3.0.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "E2A5E7E9-4530-4CA9-BD61-4A22D17A898F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:3.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "D7DEB2BD-8543-4408-B96E-616AFEBEEB12",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:3.3.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "72A73BE5-6668-484E-8E7C-16E839E98882",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "31D0AA24-9FA3-4AFD-920A-295898473918",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:4.3.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "34AF4B04-B86C-4BD0-94D9-3157AC55E542",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:4.5.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "68F28416-0ABF-4B2F-87A4-C4EC4D0CA227",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "DotNetNuke before 4.8.2, during installation or upgrade, does not warn the administrator when the default (1) ValidationKey and (2) DecryptionKey values cannot be modified in the web.config file, which allows remote attackers to bypass intended access restrictions by using the default keys."
    },
    {
      "lang": "es",
      "value": "DotNetNuke anteriores a v4.8.2, durante la instalaci\u00f3n o actualizaci\u00f3n, no avisan al administrador que los valores (1) ValidationKey y (2) DecryptionKey  no pueden ser modificados  en el fichero web.config, lo que permite a atacantes remotos saltarse las restricciones de intento de acceso utilizando las claves por defecto.\r\n"
    }
  ],
  "id": "CVE-2008-6540",
  "lastModified": "2025-04-09T00:30:58.490",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "HIGH",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.1,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 4.9,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2009-03-30T01:30:00.327",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://osvdb.org/43720"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/29488"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.dotnetnuke.com/News/SecurityBulletins/SecurityBulletinno12/tabid/1148/Default.aspx"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/archive/1/489957/100/0/threaded"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit"
      ],
      "url": "http://www.securityfocus.com/bid/28391"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41399"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://osvdb.org/43720"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/29488"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.dotnetnuke.com/News/SecurityBulletins/SecurityBulletinno12/tabid/1148/Default.aspx"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/archive/1/489957/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "http://www.securityfocus.com/bid/28391"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41399"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-264"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.