QwikSec

Security Database

CVE

CWE

Training

CVE-2008-6540

Published: Mar 30, 2009

Modified: Aug 7, 2024

PUBLISHED

Description

DotNetNuke before 4.8.2, during installation or upgrade, does not warn the administrator when the default (1) ValidationKey and (2) DecryptionKey values cannot be modified in the web.config file, which allows remote attackers to bypass intended access restrictions by using the default keys.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

dotnetnuke-webconfig-weak-security(41399)

vdb-entry

x_refsource_XF

http://www.dotnetnuke.com/News/SecurityBulletins/SecurityBulletinno12/tabid/1148/Default.aspx

x_refsource_CONFIRM

vdb-entry

x_refsource_BID

third-party-advisory

x_refsource_SECUNIA

20080321 DotNetNuke Default Machine Key Exposure

mailing-list

x_refsource_BUGTRAQ

vdb-entry

x_refsource_OSVDB

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.