CVE-2008-6540
Published 2009-03-30
Priority P3 · 34 · medium · CVSS 2.0 score 5.1
CVSS 2.0 vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 2.50% (82.7th percentile)
DotNetNuke before 4.8.2, during installation or upgrade, does not warn the administrator when the default (1) ValidationKey and (2) DecryptionKey values cannot be modified in the web.config file, which allows remote attackers to bypass intended access restrictions by using the default keys.
Affected (17 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dnnsoftware | dotnetnuke | <= 4.8.1 | — |
VulDB
DotNetNuke up to 4.8.1 Access Restriction web.config access control (EDB-31465 / Nessus ID 31643)
vuldb · 2026-04-29 · CVSS 5.1 · CVE-2008-6540 [MEDIUM]
A vulnerability classified as problematic was found in DotNetNuke. This affects an unknown part of the file web.config of the component Access Restriction. Such manipulation leads to improper access controls.
This vulnerability is referenced as CVE-2008-6540. It is possible to launch the attack remotely. Furthermore, an exploit is available.
Upgrading the affected component is advised.
GHSA
DotNetNuke Default Machine Key Exposure
ghsa · 2022-05-14 · CVE-2008-6540 [MEDIUM] · CWE-453
OSV
DotNetNuke Default Machine Key Exposure
osv · 2022-05-14 · CVE-2008-6540 [MEDIUM]
Suricata
ET WEB_SPECIFIC_APPS iGaming CMS reviews.php browse parameter SQL injection
suricata · 2010-07-30 · CVE-2008-5841
Note: this signature references CVE-2008-5841 (iGaming CMS), not CVE-2008-6540; it does not detect the DotNetNuke default-key issue described on this page.
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGaming CMS reviews.php browse parameter SQL injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/reviews.php?"; nocase; content:"browse="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:cve,2008-5841; reference:bugtraq,31340; reference:url,milw0rm.com/exploits/6540; classtype:web-application-attack; sid:2009069; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, cve CVE_2008_5841, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04, mitre_tactic_id TA0001, mi
Suricata
ET WEB_SPECIFIC_APPS iGaming CMS previews.php browse parameter SQL injection
suricata · 2010-07-30 · CVE-2008-5841
Note: this signature also references CVE-2008-5841 (iGaming CMS), not CVE-2008-6540.
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGaming CMS previews.php browse parameter SQL injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/previews.php?"; nocase; content:"browse="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:cve,2008-5841; reference:bugtraq,31340; reference:url,milw0rm.com/exploits/6540; classtype:web-application-attack; sid:2009068; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, cve CVE_2008_5841, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04, mitre_tactic_id TA0001,
No writeups or analysis indexed.
References
http://osvdb.org/43720
http://secunia.com/advisories/29488
http://www.dotnetnuke.com/News/SecurityBulletins/SecurityBulletinno12/tabid/1148/Default.aspx
http://www.securityfocus.com/archive/1/489957/100/0/threaded
http://www.securityfocus.com/bid/28391
https://exchange.xforce.ibmcloud.com/vulnerabilities/41399