DotNetNuke Cross Site Request Forgery Vulnerability

  • Published: 14 Jun 2010

Type

  • DotNetNuke Cross Site Request Forgery Vulnerability

Severity

  • High

Affected products

  • DotNetNuke

Date

  • 2010-06-14

CVE Reference

  • N/A

DotNetNuke is a Content Management System (CMS) for the .NET platform, which powers “over 500,000” websites. This vulnerability affects version 5.4.2 and earlier.

It was discovered that the application enabled some sensitive actions, such as changing a registered email address, to be performed with only the session identifier used as authentication. This could enable an attacker to alter a user’s email address through a Cross Site Request Forgery (CSRF) attack. The forgotten password functionality could then be used to reset the password and consequently compromise the account.
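
The weakness described above and one common fix, as an added example that is not DotNetNuke code and not part of the original advisory: a framework-neutral Python model of an email-change handler that trusts the session cookie alone, next to one that also requires a per-session anti-CSRF token. All names (`SESSIONS`, `csrf_token`, the request dictionary layout) and sample values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret
# Constructed sample state: session id -> account
SESSIONS = {"sess-alice": {"user": "alice", "email": "alice@example.org"}}

def csrf_token(session_id: str) -> str:
    """Token bound to one session; the site embeds it in its own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def change_email_session_only(request: dict) -> bool:
    """Behaviour the advisory describes: the session cookie alone authorises."""
    account = SESSIONS.get(request["cookies"].get("session"))
    if account is None:
        return False
    account["email"] = request["form"]["email"]
    return True

def change_email_with_token(request: dict) -> bool:
    """Hardened: also require the token, which another site's page cannot read."""
    session_id = request["cookies"].get("session", "")
    account = SESSIONS.get(session_id)
    if account is None:
        return False
    supplied = request["form"].get("csrf_token", "")
    # Constant-time comparison on bytes (also safe for non-ASCII input)
    if not hmac.compare_digest(supplied.encode(), csrf_token(session_id).encode()):
        return False
    account["email"] = request["form"]["email"]
    return True

def demo() -> dict:
    original = SESSIONS["sess-alice"]["email"]
    # The browser attaches the cookie automatically; the form carries no token.
    cross_site = {"cookies": {"session": "sess-alice"},
                  "form": {"email": "changed@example.net"}}
    own_form = {"cookies": {"session": "sess-alice"},
                "form": {"email": "alice.new@example.org",
                         "csrf_token": csrf_token("sess-alice")}}
    out = {"session_only_accepts": change_email_session_only(cross_site)}
    SESSIONS["sess-alice"]["email"] = original  # reset between cases
    out["token_rejects_cross_site"] = not change_email_with_token(cross_site)
    out["email_unchanged"] = SESSIONS["sess-alice"]["email"] == original
    out["token_accepts_own_form"] = change_email_with_token(own_form)
    return out

if __name__ == "__main__":
    print(demo())
```

Requiring the current password before accepting a new email address is a further check that would also break the password-reset chain described above.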