a "denial of service" attackThe number of invalid requests depends on a number of factors including the size of the DotNetNuke site and the capacity of it's webserver(s) and database server(s).If during install/upgrade an error occurs, the exception details are written to the logfiles. Additional hardening to resolve this issue was completed as part of the 9.3.1 release.A malicious user may use information provided by some installations to decipher or calculate certain key cryptographic information, this could allow further unintended access to be gained to the application.A DNN/Evoq installation must be configured in a specific manner and the malicious user would need specific knowledge to leverage the vulnerability. It is recommended that ALL users validate their allowed file types setting to ensure dynamic file types are excluded.To remediate this issue an upgrade to DNN Platform Version (9.4.1 or later) is required.At this point in time, there is no known patch for prior versions.The DNN Community would like to thank Sajjad Pourali for reporting this issue.DNN provides a user account mechanism that can be used to register users in the system.

In addition DotNetNuke contains a number of pieces of protection against cross-site scripting issues including the use of the HTTPOnly attribute which stops XSS code accessing users cookies.If a site does not have sufficent permissions to do an install/upgrade, then a  HTTP 403 status is thrown and a custom permisions page is generated. Works Cited / For Further Reading: DNN / DotNetNuke / Evoq — Secure and Latest Versions. You need to replace the assembly you have with this one and add This unvalidated input could lead to html and script injections such as cross-site scripting.To fix this problem, you are recommended to update to one of the latest versions of DotNetnuke - either 4.9.5 or 5.1.2 at time of writing.Note: Whilst 4.9.5 has a fix for this issue, site admins are recommended to use the 5.1.2 version which contains additional defensive coding to harden the ClientAPI against potential future issues.DotNetNuke has a custom errorpage for handling displaying information to users.The errorpage contains details of the current running version. However, no information can be changed via this vulnerability.To fix this problem, you are recommended to update to the latest versions of the Products - DNN Platform 9.0.2 or EVOQ 9.0.2 at the time of writing. Whilst the W3C specification for this tag states that it will not work unless it is in the HEAD of the document, testing found that it does work within the BODY in a number of major browsers. operations such as upload, delete, copy, etc. Once user clicks on such a link and arrives at such a DNN page, the user must further act willingly to the message displayed. Theoretically knowning the drive and folder of the website is useful information to a potential hacker so this has been removed.This issue is more theoretical than practical as even if the path details are viewed, the site has insufficent permissions for a hacker to access. In the files area, there is also the ability to upload files from your client machine. Then they must submit crafted

specifically crafted requests to identify some parameters and then use these to If this string contained an invalid HTML tag, a XSS attack could occur. The RequestVerificationToken is not verified at all and all POST requests can go through even if that token is not present in the request header. These images can be displayed in various pages / components in the site.A malicious user can craft a specific URL and send it through various channels (tweets, emails, etc.) The fixes cover three main areas:We make every effort to ensure speedy analysis of reported issues and, where required, provide workarounds and updated application releases to fix them. Some of these profile properties can be supplied during user registration, but all of them can be updated under the user’s profile area of DNN. fix this problem, you are recommended to update to the latest versions of the This is the recommended manner to guarantee file security for confidential documents as it is the only method that provides a secure file check at download.Upgrading to DNN Platform version 9.6.0 or later is required to mitigate this issue.The DNN Community would like to thank the following for their assistance with this issue.DNN provides a number of methods that allow users to manipulate the file system as part of the content management system functionality that is provided.