Security Center

Security Center allows you to view any security bulletins that might be related to the version of DNN you are currently running.

2014-02 (Critical) improve captcha logic & mitigate against automated registration attacks Published: 8/13/2014
2014-01 (Low) potential persistent cross-site scripting issue Published: 3/19/2014
2013-10 (Low) potential reflective xss issue Published: 12/4/2013
2013-07 (Low) potential reflective xss issue Published: 8/13/2013
2013-08 (Low) malformed html may allow XSS issue Published: 8/13/2013
2013-09 (Low) fix issue that could lead to redirect 'Phishing' attack Published: 8/13/2013
2013-04 (Medium) Failure to reapply folder permissions check Published: 4/3/2013
2013-05 (Low) Potential XSS in language skin object Published: 4/3/2013
2013-06 (Low) Non-compliant HTML tag can cause site redirects Published: 4/3/2013
2013-01 (Low) Added defensive code to protect against denial of service Published: 1/7/2013
2013-02 (Critical) Protect against member directory filtering issue Published: 1/7/2013
2013-03 (Low) Filter out unrequired tag Published: 1/7/2013
2012-9 (Low) Failure to encode module title Published: 11/15/2012
2012-10 (Low) List function contains a cross-site scripting issue Published: 11/15/2012
2012-11 (Low) Member directory results fail to apply extended visibility correctly Published: 11/15/2012
2012-12 (Critical) Member directory results fail to apply extended visibility correctly Published: 11/15/2012
2012-5 (Low) Deny folder permissions were not respected when generating folder lists Published: 7/2/2012
2012-6 (Medium) Module Permission Inheritance Published: 7/2/2012
2012-7 (Low) Cross-site scripting issue with list function Published: 7/2/2012
2012-8 (Low) Journal image paths can contain javascript Published: 7/2/2012
2012-4 (Medium) Filemanager function fails to check for valid file extensions Published: 3/7/2012
2012-1 (Low) Potential XSS issue via modal popups Published: 1/2/2012
2012-2 (Critical) Non-approved users can access user and role functions Published: 1/2/2012
2012-3 (Low) Radeditor provider function could confirm the existence of a file Published: 1/2/2012
2011-16 (Low) Cached failed passwords could theoretically be retrieved from browser cache Published: 12/14/2011
2011-17 (Low) invalid install permissions can lead to unauthorized access error which echoes path Published: 12/14/2011
2011-14 (Low) able autoremember during registration Published: 11/1/2011
2011-15 (Medium) failure to sanitize certain xss strings Published: 11/1/2011
2011-13 (Low) incorrect logic in module administration check Published: 8/24/2011
2011-8 (Low) ability to reactivate user profiles of soft-deleted users Published: 6/6/2011
2011-9 (Critical) User management mechanisms can be executed by invalid users Published: 6/6/2011
2011-10 (Low) Cached failed passwords could theoretically be retrieved from browser cache Published: 6/6/2011
2011-11 (Medium) remove support for legacy skin/container upload from filemanager Published: 6/6/2011
2011-12 (Medium) Module Permissions Editable by anyone with the URL Published: 6/6/2011
2011-1 (Critical) Edit Level Users have Admin rights to modules Published: 1/19/2011
2011-2 (Critical) Unauthenticated user can install/uninstall modules Published: 1/19/2011
2011-3 (Low) Failure to filter viewstate exception details can lead to reflective xss issue Published: 1/19/2011
2011-4 (Low) Remove OS identification code Published: 1/19/2011
2011-5 (Low) Add additional checks to core input filter Published: 1/19/2011
2011-6 (Low) Change localized text to stop user enumeration Published: 1/19/2011
2011-7 (Low) Ensure that profile properties are correctly filtered Published: 1/19/2011
2010-12 (Medium) Potential resource exhaustion Published: 8/17/2010
2010-06 (Low) Logfiles contents after exception may lead to information leakage Published: 6/17/2010
2010-07 (Medium) Cross-site request forgery possible against other users of a site Published: 6/14/2010
2010-08 (Low) update inputfilter blacklist for invalid tag that could allow XSS attack Published: 6/14/2010
2010-09 (Low) Mail function can result in unauthorized email access Published: 6/14/2010
2010-10 (Low) Member only profile properties could be exposed under certain conditions Published: 6/14/2010
2010-11 (Low) Profile properties not htmlencoding data Published: 6/14/2010
2010-05 (Low) HTML/Script Code Injection Vulnerability in User messaging Published: 5/19/2010
2010-04 (Low) Install Wizard information leakage Published: 5/18/2010
2010-03 (Critical) System mails stored in cleartext in User messaging Published: 4/20/2010
2010-02 (Low) HTML/Script Code Injection Vulnerability Published: 3/17/2010
2010-01 (Low) User account escalation Vulnerability Published: 2/17/2010
2009-06 (Low) 2009-06 Published: 11/26/2009
2009-07 (Low) 2009-07 Published: 11/26/2009
2009-04 (Low) HTML/Script Code Injection Vulnerability when working with multiple languages Published: 9/2/2009
2009-05 (Medium) HTML/Script Code Injection Vulnerability in ClientAPI Published: 5/20/2009
2009-02 (Low) Errorpage information leakage Published: 5/19/2009
2009-03 (Low) HTML/Script Code Injection Vulnerability Published: 5/19/2009
2009-01 (Low) HTML/Script Code Injection Vulnerability Published: 4/7/2009
2008-14 (Critical) User can gain access to additional roles Published: 12/24/2008
2008-12 (Low) Install wizard information leakage Published: 9/10/2008
2008-13 (Critical) Failure to validate when loading skins Published: 9/10/2008
2008-11 (Critical) Authentication blindspot in User functions Published: 9/9/2008
2008-4 (Low) Version information leakage Published: 5/27/2008
2008-5 (Low) Denial of Service attack Published: 5/27/2008
2008-6 (Critical) Force existing database scripts to re-run Published: 5/27/2008
2008-7 (Critical) Failure to revalidate file and folder permissions correctly for uploads Published: 5/27/2008
2008-8 (Low) HTML/Script Code Injection Vulnerability Published: 5/11/2008
2008-9 (Low) HTML/Script Code Injection Vulnerability Published: 5/11/2008
2008-10 (Low) HTML/Script Code Injection Vulnerability when operating with multiple languages Published: 5/11/2008
2008-1 (Critical) Administrator account permission escalation Published: 3/19/2008
2008-2 (Critical) Validationkey can be a known value Published: 3/19/2008
2008-3 (Critical) Ability to create dynamic scripts on server Published: 3/19/2008
2007-3 (Low) HTML/Script Code Injection Vulnerability Published: 11/6/2007
2007-4 (Critical) HTML/Text module authentication blindspot Published: 11/6/2007
2007-2 (Low) Phishing risk in login redirect code Published: 7/20/2007
2007-1 (Medium) Phishing risk in link code Published: 4/5/2007
2006-6 (Medium) Anonymous access to vendor details Published: 11/30/2006
2006-4 (Critical) Cross site scripting permission escalation Published: 11/16/2006
2006-5 (Low) Information Leakage Published: 11/16/2006
2006-3 (Low) HTML Code Injection Vulnerability Published: 9/17/2006
2006-1 (Medium) Vulnerability in DotNetNuke could allow restricted file types to be uploaded Published: 8/2/2006
2006-2 (Critical) Vulnerability in DotNetNuke could allow access to user profile details Published: 8/2/2006

Security Policy

We make every effort to ensure speedy analysis of reported issues and, where required, provide workarounds and updated application releases to fix them. If you see suspected issues or security scan results, please report them by sending an email to:

security@dnnsoftware.com

All submitted information is viewed only by members of the DNN Security Task Force, and will not be discussed outside the Task Force without the permission of the person/company who reported the issue. Each confirmed issue is assigned a severity level (critical, moderate, or low) corresponding to its potential impact on the security of DNN installations.

  • Critical means the issue can be exploited by a remote attacker to gain access to DNN data or functionality. All critical issue security bulletins include a recommended workaround or fix that should be applied as soon as possible.
  • Moderate means the issue can compromise data or functionality on a portal/website only if some other condition is met (e.g. a particular module or a user within a particular role is required). Moderate issue security bulletins typically include recommended actions to resolve the issue.
  • Low means the issue is very difficult to exploit or has a limited potential impact.

The Security Task Force then issues a security bulletin via DNN security forum posts and, where judged necessary, email. The bulletin provides details about the issue, the DNN versions impacted, and suggested fixes or workarounds. Security bulletins are issued as required.

Copyright 2014 by DNN Corp