Detections
Analytics
DNN (DotNetNuke) < 6.2.9 / 7.1.1 Multiple Vulnerabilities
medium Nessus Plugin ID 70294
Language:
Synopsis
The remote web server contains an ASP.NET application that is affected by multiple vulnerabilities.Description
The version of DNN installed on the remote host is affected by multiple vulnerabilities :- The application is affected by a persistent cross-site scripting vulnerability because input to the 'Display Name' in the 'Manage Profile' view is not properly sanitized. (CVE-2013-3943)
- The application is affected by a cross-site scripting vulnerability because user-supplied input to the '__dnnVariable' parameter is not properly sanitized.
(CVE-2013-4649)
- An unspecified open redirect flaw exists that can allow an attacker to perform a phishing attack by enticing a user to click on a malicious URL.
(CVE-2013-7335)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to DNN version 6.2.9 / 7.1.1 or later.See Also
https://www.dnnsoftware.com/community/security/security-center
Plugin Details
Severity: Medium
ID: 70294
File Name: dotnetnuke_6_2_9.nasl
Version: 1.14
Type: remote
Family: CGI abuses
Published: 10/3/2013
Updated: 6/5/2024
Configuration: Enable thorough checks
Supported Sensors: Nessus
Enable CGI Scanning: true
Risk Information
VPR
Risk Factor: Low
Score: 3.8
CVSS v2
Risk Factor: Medium
Base Score: 4.3
Temporal Score: 3.4
Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N
Vulnerability Information
CPE: cpe:/a:dotnetnuke:dotnetnuke
Required KB Items: installed_sw/DNN
Excluded KB Items: Settings/disable_cgi_scanning
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 8/13/2013
Vulnerability Publication Date: 8/13/2013