Critical Security Update - Versions Older than 7.1.2
Our security team was recently informed of a security vulnerability in a third-party component suite that is used within DNN Products. It is critical that you follow the instructions provided in this email to ensure that your site isn’t compromised.
IMPORTANT NOTE: Officially, any version prior to 8.4 is no longer supported. We are offering this patch because we realize that some users are unable to upgrade at this time. Please be aware that there are numerous other security vulnerabilities still in older versions. This patch does not protect your site from any other issues that have been previously reported in older versions. Your best course of action to ensure your site is protected is to upgrade to Version 9.1 and apply the security patch.
This vulnerability affects all versions of Evoq and DNN Platform.
In order to protect your site, you will need to download and install the Security Patch. You will install this package just like any other module in your site. Please follow the instructions in our documentation center for how to install an extension.
Please do not wait to protect your site. It will only take a few minutes to install the patch.
Frequently Asked Questions
What versions of DNN products are affected by this issue?
All DNN products since DNN 5.2 are affected.
Are there any special requirements for installing this patch? Will this patch work with Microsoft .NET 3.5?
In order for this patch to work properly on older versions, your site must be running in an IIS Application Pool that is set to .NET 4.0 or higher. This patch will not work on sites running in an IIS Application Pool that is set to .NET 3.5. Please see the Microsoft site for more information about IIS Application Pools.
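One way to check this requirement before installing, as an added example that is not part of the original notice or DNN's own tooling: the PowerShell below uses the IIS WebAdministration module to list each site's application pool and its .NET CLR version. The function name Get-PoolPatchReadiness is hypothetical; a pool set to .NET 3.5 reports CLR v2.0.

```powershell
# Added example (not DNN code): report whether each IIS site's application
# pool meets the patch requirement of .NET 4.0 or higher.
# Run in an elevated PowerShell session on the web server.
Import-Module WebAdministration

# Hypothetical helper: map a pool's managedRuntimeVersion to a readiness note.
function Get-PoolPatchReadiness {
    param([string]$RuntimeVersion)
    switch ($RuntimeVersion) {
        'v4.0'  { 'OK: .NET 4.x pool' }
        'v2.0'  { 'NOT READY: .NET 2.0/3.0/3.5 pool, switch to .NET 4.0 first' }
        ''      { 'No managed code: not an ASP.NET pool' }
        default { 'Unknown runtime: check manually' }
    }
}

# Only the root application of each site is examined here; a child
# application can be assigned to a different pool and needs its own check.
Get-Website | ForEach-Object {
    $pool = Get-Item ("IIS:\AppPools\" + $_.applicationPool)
    [pscustomobject]@{
        Site           = $_.Name
        AppPool        = $pool.Name
        RuntimeVersion = $pool.managedRuntimeVersion
        PipelineMode   = $pool.managedPipelineMode
        PatchReadiness = Get-PoolPatchReadiness $pool.managedRuntimeVersion
    }
} | Format-Table -AutoSize
```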
What if I’m on a version older than 7.1.2?
There are other security vulnerabilities in versions prior to 7.1.2. This patch alone will not protect your site. You must upgrade to a newer version for this patch to work properly. Evoq customers may contact support for more information.
How do I install this patch?
You will install this patch just like any other module or extension. Please follow the steps outlined in our documentation center for installing modules.
What happens if I get an error installing the patch?
In most cases, the only problem with installing this patch is related to the default limits for uploading files. Please review this article that will walk you through increasing the maximum upload size.
What will happen if I don’t install this patch?
This patch is necessary to ensure that your site is secure. Failure to install this patch may compromise the security of your site.
Is it possible that my site has already been compromised?
We recommend using DNN’s Security Analyzer to check if your site has been compromised. Evoq customers may contact customer support for more details.
How do I access the Security Analyzer tool?
In version 9, you can access the Security Analyzer from Settings > Security > Security Analyzer. Older versions should download and install the Security Analyzer tool.
Where is the Security Bulletin about this issue?
We will post a security bulletin within the next week. We want to ensure that DNN customers have time to patch their sites properly.
Will this patch cause any problems with my site?
This patch is intended to make sure your site is secure. Because this is patching an older feature, there can be a negative impact on some functionality. In versions 7.1.2 or higher, you will lose the ability to insert links using the Page Picker within the Telerik HTML Editor. In versions prior to 7.1.2, you will lose the ability to use the Document Manager or Image Manager from within the Telerik HTML Editor.
What if I have more questions?
Evoq customers may create a support ticket to ask additional questions. Other DNN users may send an email to [email protected]