CVE-2020-11585 : What You Need to Know

Learn about CVE-2020-11585, an information disclosure vulnerability in DNN 9.5 allowing registered users to access files in the Admin File Manager. Find mitigation steps and long-term security practices here.

An information disclosure vulnerability in DNN (formerly DotNetNuke) 9.5 allows registered users to enumerate files in the Admin File Manager.

Understanding CVE-2020-11585

This CVE involves an information disclosure issue in a specific module of DNN, enabling users to access files in the Admin File Manager.

What is CVE-2020-11585?

The vulnerability in DNN 9.5 allows registered users to view any file in the Admin File Manager by sending themselves a message with the file attached.

The Impact of CVE-2020-11585

The vulnerability permits unauthorized access to sensitive files, potentially compromising the confidentiality of data stored in the Admin File Manager.

Technical Details of CVE-2020-11585

This section provides technical insights into the vulnerability.

Vulnerability Description

The issue lies within the Activity-Feed/Messaging/Userid/Message Center module of DNN 9.5, allowing users to enumerate files by manipulating the fileIds parameter.

Affected Systems and Versions

        Product: DNN (formerly DotNetNuke) 9.5
        Vendor: Not specified
        Versions: All versions are affected.

Exploitation Mechanism

        Registered users exploit the vulnerability by attaching a file to a message and using an arbitrary small integer value in the fileIds parameter.

Mitigation and Prevention

Protecting systems from CVE-2020-11585 requires immediate actions and long-term security measures.

Immediate Steps to Take

        Disable the affected module or restrict file access permissions for registered users.
        Monitor file access and user activities within the Admin File Manager.
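
A sketch of the two immediate steps above, added here as an illustration and not taken from DNN's code or its patch: a server-side check that refuses a message when any id in fileIds is not viewable by the sender, plus a per-user record of denials to surface enumeration. The file table, role names, function names and the comma-separated form of fileIds are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample data (not from DNN): file id -> (path, principals allowed to view it)
FILES = {
    1: ("Admin/web.config.bak", {"Administrators"}),
    2: ("Admin/export-users.csv", {"Administrators"}),
    3: ("Users/alice/avatar.png", {"Administrators", "user:alice"}),
    4: ("Users/bob/notes.txt", {"Administrators", "user:bob"}),
}

def can_view(user, roles, file_id):
    """True only if the file exists and the sender is allowed to view it."""
    entry = FILES.get(file_id)
    if entry is None:
        return False  # unknown ids are refused like forbidden ones (no existence oracle)
    _, allowed = entry
    return bool(allowed & (set(roles) | {f"user:{user}"}))

def parse_file_ids(raw):
    """Parse an (assumed) comma-separated fileIds value; accept positive integers only."""
    ids = []
    for part in raw.split(","):
        part = part.strip()
        if not (part.isascii() and part.isdigit()) or int(part) <= 0:
            raise ValueError(f"invalid file id: {part!r}")
        ids.append(int(part))
    return ids

def check_attachments(user, roles, raw_file_ids, denied_log):
    """Return the ids to attach, or raise PermissionError if any id is not viewable."""
    ids = parse_file_ids(raw_file_ids)
    denied = [i for i in ids if not can_view(user, roles, i)]
    if denied:
        denied_log[user].update(denied)  # per-user record of refused ids, for monitoring
        raise PermissionError("attachment not permitted")
    return ids

def enumeration_suspects(denied_log, threshold=3):
    """Users refused on at least `threshold` distinct file ids."""
    return sorted(u for u, ids in denied_log.items() if len(ids) >= threshold)
```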

Long-Term Security Practices

        Regularly update DNN to the latest secure version.
        Conduct security audits to identify and address similar vulnerabilities.

Patching and Updates

        Apply patches or security updates provided by DNN to fix the information disclosure issue.
