CVE-2022-47053: DNN Security Updates | DNN (DotNetNuke)

DNN Platform Version:

2022-01 (Critical) Moment.js Security Enhancements Published: 9/28/2022

2022-02 (Critical) CKEditor Security Enhancements Published: 9/28/2022

2022-03 (Medium) Stored XSS Injection Vulnerability Published: 9/28/2022

2022-04 (Medium) XSS in Digital Asset Manager Published: 9/28/2022

2022-05 (Medium) jQuery and jQuery UI Security Enhancements Published: 9/28/2022

2022-06 (Low) Unrestricted Website Redirect in Plugin Published: 9/28/2022

2022-07 (Medium) Knockout.js Security Enhancements Published: 9/28/2022

2022-08 (Medium) Secure Credential Disclosure Published: 9/28/2022

2022-09 (Critical) Newtonsoft JSON Security Updates Published: 9/28/2022

2022-10 (Critical) Sharp Zip Lib Security Enhancements Published: 9/28/2022

2022-11 (Medium) Log4Net Security Enhancements Published: 9/28/2022

2022-12 (Medium) Remote File Download and Path Traversal Published: 9/28/2022

2022-13 (Medium) Authentication Provider Bypass Published: 9/28/2022

2021-01 (Critical) Optional Telerik Removal Suggested Published: 8/24/2021

2021-02 (Critical) Anonymous User File Download Published: 8/24/2021

2020-07 (Low) jQuery Security Issue Published: 5/14/2020

2020-01 (Low) Interaction with “soft-deleted” modules Published: 5/7/2020

2020-02 (Critical) Telerik CVE-2019-19790 (Path Traversal) Published: 5/7/2020

2020-03 (Medium) Javascript Library Vulnerabilities Published: 5/7/2020

2020-04 (Medium) XSS Scripting Risk Published: 5/7/2020

2020-05 (Critical) Path Traversal & Manipulation (ZipSlip) Published: 5/7/2020

2020-06 (Low) Access Control Bypass - Private Message Attachment Published: 5/7/2020

2019-04 (Critical) Possible Unauthorized File Access Published: 11/22/2019

2019-05 (Medium) Possible User Information Discovery Published: 11/22/2019

2019-06 (Low) Possible Stored Cross-Site Scripting (XSS) Execution Published: 11/22/2019

2019-07 (Medium) Possibility of Uploading Malicious Files Published: 11/22/2019

2019-01 (Low) Possible Denial of Service (DDos) or XSS Issue Published: 4/16/2019

2019-02 (Medium) Possible Cross Site Scripting (XSS) Execution Published: 4/16/2019

2019-03 (Medium) Possible Leaked Cryptographic Information Published: 4/16/2019

2018-13 (Critical) Possible Leaked Cryptographic Information Published: 10/1/2018

2018-14 (Low) Possible Cross-Site Scripting (XSS) Vulnerability Published: 10/1/2018

2018-11 (Low) Possibility for Denial of Service (DOS) Published: 3/29/2018

2018-12 (Low) Possibility to Upload Images as Anonymous User Published: 3/29/2018

2018-01 (Low) Active Directory module is subject to blind LDAP injection Published: 3/29/2018

2018-02 (Low) Return URL open to phishing attacks Published: 3/29/2018

2018-03 (Low) Potential XSS issue in user profile Published: 3/29/2018

2018-04 (Low) WEB API allowing file path traversal Published: 3/29/2018

2018-05 (Low) Possible XML External Entity (XXE) Processing Published: 3/29/2018

2018-06 (Low) Activity Stream file sharing API can share other user’s files Published: 3/29/2018

2018-07 (Low) SVG XSS Vulnerability Published: 3/29/2018

2018-08 (Low) Admin Security Settings Vulnerability Published: 3/29/2018

2018-09 (Low) Possible Server Side Request Forgery (SSRF) / CVE-2017-0929 Published: 3/29/2018

2017-06 (Low) Vulnerable ASP.NET MVC library (assembly) in Platform 8.0.0 and Evoq 8.3.0 Published: 7/5/2017

2017-07 (Low) SWF files can be vulnerable to XSS attacks Published: 7/5/2017

2017-08 (Critical) Possible remote code execution on DNN sites Published: 7/5/2017

2017-09 (Low) HTML5: overly permissive message posting policy on DNN sites Published: 7/5/2017

2017-11 (Low) Possibility of URL redirection abuse in DNN sites Published: 7/5/2017

2017-10 (Critical) Possibility of uploading malicious files to DNN sites Published: 7/5/2017

2017-05 (Critical) Revealing of Profile Properties Published: 2/17/2017

2017-01 (Medium) Antiforgery checks on Web APIs can be ignored in certain situations Published: 1/26/2017

2017-02 (Low) Authorization can be bypassed for few Web APIs Published: 1/26/2017

2017-03 (Low) Socially engineered link can trick users into some unwanted actions Published: 1/26/2017

2017-04 (Low) Unauthorized file-copies can cause disk space issues Published: 1/26/2017

2016-08 (Low) Certain keywords in Search may give an error page Published: 8/20/2016

2016-09 (Medium) Non-Admin users with Edit permissions may change site containers Published: 8/20/2016

2016-10 (Low) Registration link may be used to redirect users to external links Published: 8/20/2016

2016-07 (Low) Image files may be copied from DNN’s folder to anywhere on Server Published: 8/20/2016

2016-06 (Critical) Unauthorized users may create new SuperUser accounts Published: 5/26/2016

2016-05 (Critical) Potential file upload by unauthenticated users Published: 4/21/2016

2016-01 (Low) Potential open-redirect and XSS issue on the query string parameter - returnurl Published: 3/16/2016

2016-02 (Low) Potential XSS issue when enable SSL Client Redirect Published: 3/16/2016

2016-03 (Low) Potential XSS issue on user’s profile Published: 3/16/2016

2016-04 (Critical) Potential CSRF issue on WebAPI POST requests Published: 3/16/2016

2015-06 (Low) Potential XSS issue when using tabs dialog Published: 10/6/2015

2015-07 (Medium) Users are getting registered even though User Registration is set to None Published: 10/6/2015

2015-02 (Low) ability to confirm file existance Published: 5/26/2015

2015-03 (Low) Version information leakage Published: 5/26/2015

2015-04 (Low) Server-Side Request Forgery in File Upload Published: 5/26/2015

2015-05 (Critical) unauthorized users may create new host accounts Published: 5/26/2015

2015-01 (Low) potential persistent cross-site scripting issue Published: 2/4/2015

2014-03 (Medium) Failure to validate user messaging permissions Published: 10/1/2014

2014-02 (Critical) improve captcha logic & mitigate against automated registration attacks Published: 8/13/2014

2014-01 (Low) potential persistent cross-site scripting issue Published: 3/19/2014

2013-10 (Low) potential reflective xss issue Published: 12/4/2013

2013-07 (Low) potential reflective xss issue Published: 8/13/2013

2013-08 (Low) malformed html may allow XSS issue Published: 8/13/2013

2013-09 (Low) fix issue that could lead to redirect ‘Phishing’ attack Published: 8/13/2013

2013-04 (Medium) Failure to reapply folder permissions check Published: 4/3/2013

2013-05 (Low) Potential XSS in language skin object Published: 4/3/2013

2013-06 (Low) Non-compliant HTML tag can cause site redirects Published: 4/3/2013

2013-01 (Low) Added defensive code to protect against denial of service Published: 1/7/2013

2013-02 (Critical) Protect against member directory filtering issue Published: 1/7/2013

2013-03 (Low) Filter out unrequired tag Published: 1/7/2013

2012-9 (Low) Failure to encode module title Published: 11/15/2012

2012-10 (Low) List function contains a cross-site scripting issue Published: 11/15/2012

2012-11 (Low) Member directory results fail to apply extended visibility correctly Published: 11/15/2012

2012-12 (Critical) Member directory results fail to apply extended visibility correctly Published: 11/15/2012

2012-5 (Low) Deny folder permissions were not respected when generating folder lists Published: 7/2/2012

2012-6 (Medium) Module Permission Inheritance Published: 7/2/2012

2012-7 (Low) Cross-site scripting issue with list function Published: 7/2/2012

2012-8 (Low) Journal image paths can contain javascript Published: 7/2/2012

2012-4 (Medium) Filemanager function fails to check for valid file extensions Published: 3/7/2012

2012-1 (Low) Potential XSS issue via modal popups Published: 1/2/2012

2012-2 (Critical) Non-approved users can access user and role functions Published: 1/2/2012

2012-3 (Low) Radeditor provider function could confirm the existence of a file Published: 1/2/2012

2011-16 (Low) Cached failed passwords could theoretically be retrieved from browser cache Published: 12/14/2011

2011-17 (Low) invalid install permissions can lead to unauthorized access error which echoes path Published: 12/14/2011

2011-14 (Low) able autoremember during registration Published: 11/1/2011

2011-15 (Medium) failure to sanitize certain xss strings Published: 11/1/2011

2011-13 (Low) incorrect logic in module administration check Published: 8/24/2011

2011-8 (Low) ability to reactivate user profiles of soft-deleted users Published: 6/6/2011

2011-9 (Critical) User management mechanisms can be executed by invalid users Published: 6/6/2011

2011-10 (Low) Cached failed passwords could theoretically be retrieved from browser cache Published: 6/6/2011

2011-11 (Medium) remove support for legacy skin/container upload from filemanager Published: 6/6/2011

2011-12 (Medium) Module Permissions Editable by anyone with the URL Published: 6/6/2011

2011-1 (Critical) Edit Level Users have Admin rights to modules Published: 1/19/2011

2011-2 (Critical) Unauthenticated user can install/uninstall modules Published: 1/19/2011

2011-3 (Low) Failure to filter viewstate exception details can lead to reflective xss issue Published: 1/19/2011

2011-4 (Low) Remove OS identification code Published: 1/19/2011

2011-5 (Low) Add additional checks to core input filter Published: 1/19/2011

2011-6 (Low) Change localized text to stop user enumeration Published: 1/19/2011

2011-7 (Low) Ensure that profile properties are correctly filtered Published: 1/19/2011

2010-12 (Medium) Potential resource exhaustion Published: 8/17/2010

2010-06 (Low) Logfiles contents after exception may lead to information leakage Published: 6/17/2010

2010-07 (Medium) Cross-site request forgery possible against other users of a site Published: 6/14/2010

2010-08 (Low) update inputfilter blacklist for invalid tag that could allow XSS attack Published: 6/14/2010

2010-09 (Low) Mail function can result in unauthorized email access Published: 6/14/2010

2010-10 (Low) Member only profile properties could be exposed under certain conditions Published: 6/14/2010

2010-11 (Low) Profile properties not htmlencoding data Published: 6/14/2010

2010-05 (Low) HTML/Script Code Injection Vulnerability in User messaging Published: 5/19/2010

2010-04 (Low) Install Wizard information leakage Published: 5/18/2010

2010-03 (Critical) System mails stored in cleartext in User messaging Published: 4/20/2010

2010-02 (Low) HTML/Script Code Injection Vulnerability Published: 3/17/2010

2010-01 (Low) User account escalation Vulnerability Published: 2/17/2010

2009-06 (Low) 2009-06 Published: 11/26/2009

2009-07 (Low) 2009-07 Published: 11/26/2009

2009-04 (Low) HTML/Script Code Injection Vulnerability when working with multiple languages Published: 9/2/2009

2009-05 (Medium) HTML/Script Code Injection Vulnerability in ClientAPI Published: 5/20/2009

2009-02 (Low) Errorpage information leakage Published: 5/19/2009

2009-03 (Low) HTML/Script Code Injection Vulnerability Published: 5/19/2009

2009-01 (Low) HTML/Script Code Injection Vulnerability Published: 4/7/2009

2008-14 (Critical) User can gain access to additional roles Published: 12/24/2008

2008-12 (Low) Install wizard information leakage Published: 9/10/2008

2008-13 (Critical) Failure to validate when loading skins Published: 9/10/2008

2008-11 (Critical) Authentication blindspot in User functions Published: 9/9/2008

2008-4 (Low) Version information leakage Published: 5/27/2008

2008-5 (Low) Denial of Service attack Published: 5/27/2008

2008-6 (Critical) Force existing database scripts to re-run Published: 5/27/2008

2008-7 (Critical) Failure to revalidate file and folder permissions correctly for uploads Published: 5/27/2008

2008-8 (Low) HTML/Script Code Injection Vulnerability Published: 5/11/2008

2008-9 (Low) HTML/Script Code Injection Vulnerability Published: 5/11/2008

2008-10 (Low) HTML/Script Code Injection Vulnerability when operating with multiple languages Published: 5/11/2008

2018-10 (Low) Custom 404 Error Page Vulnerability Published: 3/29/2008

2008-1 (Critical) Administrator account permission escalation Published: 3/19/2008

2008-2 (Critical) Validationkey can be a known value Published: 3/19/2008

2008-3 (Critical) Ability to create dynamic scripts on server Published: 3/19/2008

2007-3 (Low) HTML/Script Code Injection Vulnerability Published: 11/6/2007

2007-4 (Critical) HTML/Text module authentication blindspot Published: 11/6/2007

2007-2 (Low) Phishing risk in login redirect code Published: 7/20/2007

2007-1 (Medium) Phishing risk in link code Published: 4/5/2007

2006-6 (Medium) Anonymous access to vendor details Published: 11/30/2006

2006-4 (Critical) Cross site scripting permission escalation Published: 11/16/2006

2006-5 (Low) Information Leakage Published: 11/16/2006

2006-3 (Low) HTML Code Injection Vulnerability Published: 9/17/2006

2006-1 (Medium) Vulnerability in DotNetNuke could allow restricted file types to be uploaded Published: 8/2/2006

2006-2 (Critical) Vulnerability in DotNetNuke could allow access to user profile details Published: 8/2/2006