FKIE_CVE-2008-6542

Vulnerability from fkie_nvd - Published: 2009-03-30 01:30 - Updated: 2026-04-24 17:34
Severity ?
Summary
Unspecified vulnerability in the Skin Manager in DotNetNuke before 4.8.2 allows remote authenticated administrators to perform "server-side execution of application logic" by uploading a static file that is converted into a dynamic script via unknown vectors related to HTM or HTML files.
References
cve@mitre.orghttp://osvdb.org/43721
cve@mitre.orghttp://secunia.com/advisories/29488Vendor Advisory
cve@mitre.orghttp://www.dotnetnuke.com/News/SecurityBulletins/SecurityBulletinno13/tabid/1149/Default.aspxVendor Advisory
cve@mitre.orghttp://www.securityfocus.com/bid/28438
cve@mitre.orghttps://exchange.xforce.ibmcloud.com/vulnerabilities/49767
af854a3a-2127-422b-91ae-364da2661108http://osvdb.org/43721
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/29488Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.dotnetnuke.com/News/SecurityBulletins/SecurityBulletinno13/tabid/1149/Default.aspxVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/28438
af854a3a-2127-422b-91ae-364da2661108https://exchange.xforce.ibmcloud.com/vulnerabilities/49767
Impacted products
Vendor Product Version
dnnsoftware dotnetnuke *
dnnsoftware dotnetnuke 1.0.6
dnnsoftware dotnetnuke 1.0.7
dnnsoftware dotnetnuke 1.0.8
dnnsoftware dotnetnuke 1.0.9
dnnsoftware dotnetnuke 1.0.10d
dnnsoftware dotnetnuke 1.0.10e
dnnsoftware dotnetnuke 2.1.1
dnnsoftware dotnetnuke 2.1.2
dnnsoftware dotnetnuke 3.0.7
dnnsoftware dotnetnuke 3.0.8
dnnsoftware dotnetnuke 3.0.11
dnnsoftware dotnetnuke 3.1.0
dnnsoftware dotnetnuke 4.0
dnnsoftware dotnetnuke 4.5.2
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:dnnsoftware:dotnetnuke:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "271C6D19-F11C-4DEB-A34D-2E8B3BAD6643",
              "versionEndIncluding": "4.8.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dnnsoftware:dotnetnuke:1.0.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "2548573E-7FDD-425D-95B6-ADCEAA77F722",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dnnsoftware:dotnetnuke:1.0.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "2577EF82-53B4-4214-89EA-A292DE87F30B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dnnsoftware:dotnetnuke:1.0.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "C1E536AA-D810-4D2D-BF58-A1CDB37D9B1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dnnsoftware:dotnetnuke:1.0.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "9E04BBB1-E7C2-44E5-AAD7-405EC5CEE5C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dnnsoftware:dotnetnuke:1.0.10d:*:*:*:*:*:*:*",
              "matchCriteriaId": "DF31E99C-DD44-4016-82C2-9F52D54C691F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dnnsoftware:dotnetnuke:1.0.10e:*:*:*:*:*:*:*",
              "matchCriteriaId": "2ED5EEC4-20B7-40A8-AF4F-34A3520F5011",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dnnsoftware:dotnetnuke:2.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "C0DE6E92-32F1-4388-89A3-386D6054A274",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dnnsoftware:dotnetnuke:2.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "B1310A0F-89BC-4199-9588-A676A65B8985",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dnnsoftware:dotnetnuke:3.0.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "A385977D-BE60-4EA3-B416-D2D33B1616CC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dnnsoftware:dotnetnuke:3.0.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "A63CE487-4186-4264-9E65-39B3F4ABC3FC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dnnsoftware:dotnetnuke:3.0.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "8AC3E38B-1C6A-406B-96BF-3BE49094DF49",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dnnsoftware:dotnetnuke:3.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B169A9F8-CEB6-4F99-B0BE-A25BEF964208",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dnnsoftware:dotnetnuke:4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F2824231-B0CD-46A2-967E-93691A53F30B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dnnsoftware:dotnetnuke:4.5.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "225B1E93-6963-4569-AF6F-E534E4DC351E",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Unspecified vulnerability in the Skin Manager in DotNetNuke before 4.8.2 allows remote authenticated administrators to perform \"server-side execution of application logic\" by uploading a static file that is converted into a dynamic script via unknown vectors related to HTM or HTML files."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad no espec\u00edfica en Skin Manager en DotNetNuke anteriores a v4.8.2 permite a administradores autentificados remotos ejecutar una aplicaci\u00f3n l\u00f3gica desde el lado del servidor, subiendo un fichero est\u00e1tico que es convertido a script din\u00e1mico a trav\u00e9s de vectores desconocidos, relativos a ficheros HTM y HTML."
    }
  ],
  "evaluatorComment": "Per vendor advisory: http://www.dotnetnuke.com/News/SecurityBulletins/SecurityBulletinno13/tabid/1149/Default.aspx\r\n\r\n\r\nMitigating factors\r\n\r\n    * The host user must have added the HTM or HTML file type to the default File Upload Extensions\r\n    * The user must have access to the file manager.\r\n    * By default this issue only affects Admin users.\r\n",
  "id": "CVE-2008-6542",
  "lastModified": "2026-04-24T17:34:37.240",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "HIGH",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 4.6,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2009-03-30T01:30:00.377",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://osvdb.org/43721"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/29488"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.dotnetnuke.com/News/SecurityBulletins/SecurityBulletinno13/tabid/1149/Default.aspx"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/bid/28438"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/49767"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://osvdb.org/43721"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/29488"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.dotnetnuke.com/News/SecurityBulletins/SecurityBulletinno13/tabid/1149/Default.aspx"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/28438"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/49767"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.