DNN Security Center

2022-01 (Critical) Moment.js Security Enhancements Published: 9/28/2022
2022-02 (Critical) CKEditor Security Enhancements Published: 9/28/2022
2022-03 (Medium) Stored XSS Injection Vulnerability Published: 9/28/2022
2022-04 (Medium) XSS in Digital Asset Manager Published: 9/28/2022
2022-05 (Medium) jQuery and jQuery UI Security Enhancements Published: 9/28/2022
2022-06 (Low) Unrestricted Website Redirect in Plugin Published: 9/28/2022
2022-07 (Medium) Knockout.js Security Enhancements Published: 9/28/2022
2022-08 (Medium) Secure Credential Disclosure Published: 9/28/2022
2022-09 (Critical) Newtonsoft JSON Security Updates Published: 9/28/2022
2022-10 (Critical) Sharp Zip Lib Security Enhancements Published: 9/28/2022
2022-11 (Medium) Log4Net Security Enhancements Published: 9/28/2022
2022-12 (Medium) Remote File Download and Path Traversal Published: 9/28/2022
2022-13 (Medium) Authentication Provider Bypass Published: 9/28/2022
2021-01 (Critical) Optional Telerik Removal Suggested Published: 8/24/2021
2021-02 (Critical) Anonymous User File Download Published: 8/24/2021
2020-07 (Low) jQuery Security Issue Published: 5/14/2020
2020-01 (Low) Interaction with “soft-deleted” modules Published: 5/7/2020
2020-02 (Critical) Telerik CVE-2019-19790 (Path Traversal) Published: 5/7/2020
2020-03 (Medium) Javascript Library Vulnerabilities Published: 5/7/2020
2020-04 (Medium) XSS Scripting Risk Published: 5/7/2020
2020-05 (Critical) Path Traversal & Manipulation (ZipSlip) Published: 5/7/2020
2020-06 (Low) Access Control Bypass - Private Message Attachment Published: 5/7/2020
2019-04 (Critical) Possible Unauthorized File Access Published: 11/22/2019
2019-05 (Medium) Possible User Information Discovery Published: 11/22/2019
2019-06 (Low) Possible Stored Cross-Site Scripting (XSS) Execution Published: 11/22/2019
2019-07 (Medium) Possibility of Uploading Malicious Files Published: 11/22/2019
2019-01 (Low) Possible Denial of Service (DDos) or XSS Issue Published: 4/16/2019
2019-02 (Medium) Possible Cross Site Scripting (XSS) Execution Published: 4/16/2019
2019-03 (Medium) Possible Leaked Cryptographic Information Published: 4/16/2019
2018-13 (Critical) Possible Leaked Cryptographic Information Published: 10/1/2018
2018-14 (Low) Possible Cross-Site Scripting (XSS) Vulnerability Published: 10/1/2018
2018-11 (Low) Possibility for Denial of Service (DOS) Published: 3/29/2018
2018-12 (Low) Possibility to Upload Images as Anonymous User Published: 3/29/2018
2018-01 (Low) Active Directory module is subject to blind LDAP injection Published: 3/29/2018
2018-02 (Low) Return URL open to phishing attacks Published: 3/29/2018
2018-03 (Low) Potential XSS issue in user profile Published: 3/29/2018
2018-04 (Low) WEB API allowing file path traversal Published: 3/29/2018
2018-05 (Low) Possible XML External Entity (XXE) Processing Published: 3/29/2018
2018-06 (Low) Activity Stream file sharing API can share other user's files Published: 3/29/2018
2018-07 (Low) SVG XSS Vulnerability Published: 3/29/2018
2018-08 (Low) Admin Security Settings Vulnerability Published: 3/29/2018
2018-09 (Low) Possible Server Side Request Forgery (SSRF) / CVE-2017-0929 Published: 3/29/2018
2017-06 (Low) Vulnerable ASP.NET MVC library (assembly) in Platform 8.0.0 and Evoq 8.3.0 Published: 7/5/2017
2017-07 (Low) SWF files can be vulnerable to XSS attacks Published: 7/5/2017
2017-08 (Critical) Possible remote code execution on DNN sites Published: 7/5/2017
2017-09 (Low) HTML5: overly permissive message posting policy on DNN sites Published: 7/5/2017
2017-11 (Low) Possibility of URL redirection abuse in DNN sites Published: 7/5/2017
2017-10 (Critical) Possibility of uploading malicious files to DNN sites Published: 7/5/2017
2017-05 (Critical) Revealing of Profile Properties Published: 2/17/2017
2017-01 (Medium) Antiforgery checks on Web APIs can be ignored in certain situations Published: 1/26/2017
2017-02 (Low) Authorization can be bypassed for few Web APIs Published: 1/26/2017
2017-03 (Low) Socially engineered link can trick users into some unwanted actions Published: 1/26/2017
2017-04 (Low) Unauthorized file-copies can cause disk space issues Published: 1/26/2017
2016-08 (Low) Certain keywords in Search may give an error page Published: 8/20/2016
2016-09 (Medium) Non-Admin users with Edit permissions may change site containers Published: 8/20/2016
2016-10 (Low) Registration link may be used to redirect users to external links Published: 8/20/2016
2016-07 (Low) Image files may be copied from DNN's folder to anywhere on Server Published: 8/20/2016
2016-06 (Critical) Unauthorized users may create new SuperUser accounts Published: 5/26/2016
2016-05 (Critical) Potential file upload by unauthenticated users Published: 4/21/2016
2016-01 (Low) Potential open-redirect and XSS issue on the query string parameter - returnurl Published: 3/16/2016
2016-02 (Low) Potential XSS issue when enable SSL Client Redirect Published: 3/16/2016
2016-03 (Low) Potential XSS issue on user's profile Published: 3/16/2016
2016-04 (Critical) Potential CSRF issue on WebAPI POST requests Published: 3/16/2016
2015-06 (Low) Potential XSS issue when using tabs dialog Published: 10/6/2015
2015-07 (Medium) Users are getting registered even though User Registration is set to None Published: 10/6/2015
2015-02 (Low) ability to confirm file existence Published: 5/26/2015
2015-03 (Low) Version information leakage Published: 5/26/2015
2015-04 (Low) Server-Side Request Forgery in File Upload Published: 5/26/2015
2015-05 (Critical) unauthorized users may create new host accounts Published: 5/26/2015
2015-01 (Low) potential persistent cross-site scripting issue Published: 2/4/2015
2014-03 (Medium) Failure to validate user messaging permissions Published: 10/1/2014
2014-02 (Critical) improve captcha logic & mitigate against automated registration attacks Published: 8/13/2014
2014-01 (Low) potential persistent cross-site scripting issue Published: 3/19/2014
2013-10 (Low) potential reflective xss issue Published: 12/4/2013
2013-07 (Low) potential reflective xss issue Published: 8/13/2013
2013-08 (Low) malformed html may allow XSS issue Published: 8/13/2013
2013-09 (Low) fix issue that could lead to redirect 'Phishing' attack Published: 8/13/2013
2013-04 (Medium) Failure to reapply folder permissions check Published: 4/3/2013
2013-05 (Low) Potential XSS in language skin object Published: 4/3/2013
2013-06 (Low) Non-compliant HTML tag can cause site redirects Published: 4/3/2013
2013-01 (Low) Added defensive code to protect against denial of service Published: 1/7/2013
2013-02 (Critical) Protect against member directory filtering issue Published: 1/7/2013
2013-03 (Low) Filter out unrequired tag Published: 1/7/2013
2012-9 (Low) Failure to encode module title Published: 11/15/2012
2012-10 (Low) List function contains a cross-site scripting issue Published: 11/15/2012
2012-11 (Low) Member directory results fail to apply extended visibility correctly Published: 11/15/2012
2012-12 (Critical) Member directory results fail to apply extended visibility correctly Published: 11/15/2012
2012-5 (Low) Deny folder permissions were not respected when generating folder lists Published: 7/2/2012
2012-6 (Medium) Module Permission Inheritance Published: 7/2/2012
2012-7 (Low) Cross-site scripting issue with list function Published: 7/2/2012
2012-8 (Low) Journal image paths can contain javascript Published: 7/2/2012
2012-4 (Medium) Filemanager function fails to check for valid file extensions Published: 3/7/2012
2012-1 (Low) Potential XSS issue via modal popups Published: 1/2/2012
2012-2 (Critical) Non-approved users can access user and role functions Published: 1/2/2012
2012-3 (Low) Radeditor provider function could confirm the existence of a file Published: 1/2/2012
2011-16 (Low) Cached failed passwords could theoretically be retrieved from browser cache Published: 12/14/2011
2011-17 (Low) invalid install permissions can lead to unauthorized access error which echoes path Published: 12/14/2011
2011-14 (Low) able autoremember during registration Published: 11/1/2011
2011-15 (Medium) failure to sanitize certain xss strings Published: 11/1/2011
2011-13 (Low) incorrect logic in module administration check Published: 8/24/2011
2011-8 (Low) ability to reactivate user profiles of soft-deleted users Published: 6/6/2011
2011-9 (Critical) User management mechanisms can be executed by invalid users Published: 6/6/2011
2011-10 (Low) Cached failed passwords could theoretically be retrieved from browser cache Published: 6/6/2011
2011-11 (Medium) remove support for legacy skin/container upload from filemanager Published: 6/6/2011
2011-12 (Medium) Module Permissions Editable by anyone with the URL Published: 6/6/2011
2011-1 (Critical) Edit Level Users have Admin rights to modules Published: 1/19/2011
2011-2 (Critical) Unauthenticated user can install/uninstall modules Published: 1/19/2011
2011-3 (Low) Failure to filter viewstate exception details can lead to reflective xss issue Published: 1/19/2011
2011-4 (Low) Remove OS identification code Published: 1/19/2011
2011-5 (Low) Add additional checks to core input filter Published: 1/19/2011
2011-6 (Low) Change localized text to stop user enumeration Published: 1/19/2011
2011-7 (Low) Ensure that profile properties are correctly filtered Published: 1/19/2011
2010-12 (Medium) Potential resource exhaustion Published: 8/17/2010
2010-06 (Low) Logfiles contents after exception may lead to information leakage Published: 6/17/2010
2010-07 (Medium) Cross-site request forgery possible against other users of a site Published: 6/14/2010
2010-08 (Low) update inputfilter blacklist for invalid tag that could allow XSS attack Published: 6/14/2010
2010-09 (Low) Mail function can result in unauthorized email access Published: 6/14/2010
2010-10 (Low) Member only profile properties could be exposed under certain conditions Published: 6/14/2010
2010-11 (Low) Profile properties not htmlencoding data Published: 6/14/2010
2010-05 (Low) HTML/Script Code Injection Vulnerability in User messaging Published: 5/19/2010
2010-04 (Low) Install Wizard information leakage Published: 5/18/2010
2010-03 (Critical) System mails stored in cleartext in User messaging Published: 4/20/2010
2010-02 (Low) HTML/Script Code Injection Vulnerability Published: 3/17/2010
2010-01 (Low) User account escalation Vulnerability Published: 2/17/2010
2009-06 (Low) 2009-06 Published: 11/26/2009
2009-07 (Low) 2009-07 Published: 11/26/2009
2009-04 (Low) HTML/Script Code Injection Vulnerability when working with multiple languages Published: 9/2/2009
2009-05 (Medium) HTML/Script Code Injection Vulnerability in ClientAPI Published: 5/20/2009
2009-02 (Low) Errorpage information leakage Published: 5/19/2009
2009-03 (Low) HTML/Script Code Injection Vulnerability Published: 5/19/2009
2009-01 (Low) HTML/Script Code Injection Vulnerability Published: 4/7/2009
2008-14 (Critical) User can gain access to additional roles Published: 12/24/2008
2008-12 (Low) Install wizard information leakage Published: 9/10/2008
2008-13 (Critical) Failure to validate when loading skins Published: 9/10/2008
2008-11 (Critical) Authentication blindspot in User functions Published: 9/9/2008
2008-4 (Low) Version information leakage Published: 5/27/2008
2008-5 (Low) Denial of Service attack Published: 5/27/2008
2008-6 (Critical) Force existing database scripts to re-run Published: 5/27/2008
2008-7 (Critical) Failure to revalidate file and folder permissions correctly for uploads Published: 5/27/2008
2008-8 (Low) HTML/Script Code Injection Vulnerability Published: 5/11/2008
2008-9 (Low) HTML/Script Code Injection Vulnerability Published: 5/11/2008
2008-10 (Low) HTML/Script Code Injection Vulnerability when operating with multiple languages Published: 5/11/2008
2018-10 (Low) Custom 404 Error Page Vulnerability Published: 3/29/2008
2008-1 (Critical) Administrator account permission escalation Published: 3/19/2008
2008-2 (Critical) Validationkey can be a known value Published: 3/19/2008
2008-3 (Critical) Ability to create dynamic scripts on server Published: 3/19/2008
2007-3 (Low) HTML/Script Code Injection Vulnerability Published: 11/6/2007
2007-4 (Critical) HTML/Text module authentication blindspot Published: 11/6/2007
2007-2 (Low) Phishing risk in login redirect code Published: 7/20/2007
2007-1 (Medium) Phishing risk in link code Published: 4/5/2007
2006-6 (Medium) Anonymous access to vendor details Published: 11/30/2006
2006-4 (Critical) Cross site scripting permission escalation Published: 11/16/2006
2006-5 (Low) Information Leakage Published: 11/16/2006
2006-3 (Low) HTML Code Injection Vulnerability Published: 9/17/2006
2006-1 (Medium) Vulnerability in DotNetNuke could allow restricted file types to be uploaded Published: 8/2/2006
2006-2 (Critical) Vulnerability in DotNetNuke could allow access to user profile details Published: 8/2/2006

Security Policy

We make every effort to ensure speedy analysis of reported issues and, where required, provide workarounds and updated application releases to fix them. If you see suspected issues/security scan results please report them by sending an email to:

All submitted information is viewed only by members of the DNN Security Task Force, and will not be discussed outside the Task Force without the permission of the person/company who reported the issue. Each confirmed issue is assigned a severity level (critical, moderate, or low) corresponding to its potential impact on the security of DNN installations.

  • Critical means the issue can be exploited by a remote attacker to gain access to DNN data or functionality. All critical issue security bulletins include a recommended workaround or fix that should be applied as soon as possible.
  • Moderate means the issue can compromise data or functionality on a portal/website only if some other condition is met (e.g. a particular module or a user within a particular role is required). Moderate issue security bulletins typically include recommended actions to resolve the issue.
  • Low means the issue is very difficult to exploit or has a limited potential impact.

The Security Task Force then issues a security bulletin via DNN security forum posts and, where judged necessary, email. The bulletin provides details about the issue, the DNN versions impacted, and suggested fixes or workarounds. Security bulletins are issued as required.

Download the latest Security Analyzer tool here.