CVE-2009-4109

The install wizard in DotNetNuke 4.0 through 5.1.4 does not prevent anonymous users from accessing functionality related to determination of the need for an upgrade, which allows remote attackers to access version information and possibly other sensitive information.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://osvdb.org/60520
http://secunia.com/advisories/37480	Vendor Advisory
http://www.dotnetnuke.com/News/SecurityPolicy/securitybulletinno30/tabid/1449/Default.aspx	Vendor Advisory
http://www.securityfocus.com/bid/37139

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:dotnetnuke:dotnetnuke:4.0:::::::*
	cpe:2.3:a:dotnetnuke:dotnetnuke:4.3.5:::::::*
	cpe:2.3:a:dotnetnuke:dotnetnuke:4.4.1:::::::*
	cpe:2.3:a:dotnetnuke:dotnetnuke:4.5.2:::::::*
	cpe:2.3:a:dotnetnuke:dotnetnuke:4.5.4:::::::*
	cpe:2.3:a:dotnetnuke:dotnetnuke:4.5.5:::::::*
	cpe:2.3:a:dotnetnuke:dotnetnuke:4.6.0:::::::*
	cpe:2.3:a:dotnetnuke:dotnetnuke:4.6.1:::::::*
	cpe:2.3:a:dotnetnuke:dotnetnuke:4.6.2:::::::*
	cpe:2.3:a:dotnetnuke:dotnetnuke:4.7.0:::::::*
	cpe:2.3:a:dotnetnuke:dotnetnuke:4.8.0:::::::*
	cpe:2.3:a:dotnetnuke:dotnetnuke:4.8.1:::::::*
	cpe:2.3:a:dotnetnuke:dotnetnuke:4.8.2:::::::*
	cpe:2.3:a:dotnetnuke:dotnetnuke:4.8.3:::::::*
	cpe:2.3:a:dotnetnuke:dotnetnuke:4.8.4:::::::*
	cpe:2.3:a:dotnetnuke:dotnetnuke:4.9:::::::*
	cpe:2.3:a:dotnetnuke:dotnetnuke:4.9.1:::::::*
	cpe:2.3:a:dotnetnuke:dotnetnuke:4.9.2:::::::*
	cpe:2.3:a:dotnetnuke:dotnetnuke:5.0:::::::*
	cpe:2.3:a:dotnetnuke:dotnetnuke:5.1:::::::*
	cpe:2.3:a:dotnetnuke:dotnetnuke:5.1.1:::::::*
	cpe:2.3:a:dotnetnuke:dotnetnuke:5.1.2:::::::*
	cpe:2.3:a:dotnetnuke:dotnetnuke:5.1.3:::::::*
	cpe:2.3:a:dotnetnuke:dotnetnuke:5.1.4:::::::*

History

No history.

Information

Published : 2009-11-29 13:08

Updated : 2009-11-30 05:00

NVD link : CVE-2009-4109

Mitre link : CVE-2009-4109

CVE.ORG link : CVE-2009-4109

JSON object : View

Products Affected

dotnetnuke

dotnetnuke

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2009-4109", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2009-11-29T13:08:29.610", "references": [{"url": "http://osvdb.org/60520", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/37480", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.dotnetnuke.com/News/SecurityPolicy/securitybulletinno30/tabid/1449/Default.aspx", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/37139", "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "The install wizard in DotNetNuke 4.0 through 5.1.4 does not prevent anonymous users from accessing functionality related to determination of the need for an upgrade, which allows remote attackers to access version information and possibly other sensitive information."}, {"lang": "es", "value": "El asistente de instalaci\u00f3n en DotNetNuke v4.0 a la v5.1.4, no prev\u00e9 el acceso de usuarios an\u00f3nimos a la funcionalidad relacionada con la necesidad de una actualizaci\u00f3n, lo que permite a atacantes remotos acceder a la informaci\u00f3n de la versi\u00f3n de la aplicaci\u00f3n y posiblemente a otros datos."}], "lastModified": "2009-11-30T05:00:00.000", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "31D0AA24-9FA3-4AFD-920A-295898473918"}, {"criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:4.3.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "34AF4B04-B86C-4BD0-94D9-3157AC55E542"}, {"criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:4.4.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6FB3D130-5DC4-4FE6-B178-EF1638E3A43D"}, {"criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:4.5.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "68F28416-0ABF-4B2F-87A4-C4EC4D0CA227"}, {"criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:4.5.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F1681BA4-9C05-45DF-B51B-D89633EB0C70"}, {"criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:4.5.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "884BA1BF-BD03-4437-A02C-825B59634A76"}, {"criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:4.6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C627743E-9B8B-431B-A513-89CBF7C1E742"}, {"criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:4.6.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "677B54A1-6945-459F-9ADA-D6D9E89F2436"}, {"criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:4.6.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E6D101EF-4506-45D8-9717-5EE9A99B0A43"}, {"criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:4.7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C7059E6A-4A54-4364-8977-400C18905D01"}, {"criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:4.8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "92A018EB-3C16-44BB-A872-E80D6F165395"}, {"criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:4.8.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1285FF8E-EDB0-4C50-815B-DE40B1786601"}, {"criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:4.8.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "625C6564-F098-4C9B-AFE7-6686275A1016"}, {"criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:4.8.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6293D07D-4C07-4A5D-9532-455A7D5AA6BA"}, {"criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:4.8.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "250EE0BC-F79D-40D0-A185-8307F82DA8BF"}, {"criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:4.9:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2902A37C-97AA-42CD-A038-3DA1A6E4653A"}, {"criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:4.9.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "403D90A9-C191-496A-BBB9-4915D39B675D"}, {"criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:4.9.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6B40DA1D-12CF-4DFF-9364-D60A53ED898D"}, {"criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:5.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "102921DE-5513-4BCB-8383-D22A78C59735"}, {"criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:5.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7DC26BE5-265B-455A-83AE-E289A0C79B3F"}, {"criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:5.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DFAD2896-6A9C-4953-8074-E689F359C900"}, {"criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:5.1.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "74B90994-F7F0-4BC9-99E4-E798B98899AD"}, {"criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:5.1.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9A6FB531-44C1-4EA1-B69D-0D591673D7C2"}, {"criteria": "cpe:2.3:a:dotnetnuke:dotnetnuke:5.1.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2B3A0857-2E5D-4BCD-AAE6-D50FCAE6FF67"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}