CVE-2018-15811
Published 2019-07-03. CVE-2018-15811: DNN (aka DotNetNuke) 9.2 through 9.2.1 uses a weak encryption algorithm to protect input parameters.
Priority P1 · 83 · high · 7.5 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 74.05% (99.4th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dnnsoftware | dotnetnuke | 9.2 – 9.2.2 | — |
| dnnsoftware | dotnetnuke | 9.2 – 9.2.1 | — |
Detection & IOCs (extracted from sources)
- The DNNPersonalization cookie carries a serialized XML payload; monitor for unexpected or malformed values in this cookie, especially on 404 responses.
- Exploitation is triggered via DNN's built-in 404 error handler; look for requests to non-existent paths (e.g., /__) accompanied by a DNNPersonalization cookie.
- For DNN versions 9.2.0+, exploitation requires an authenticated session; look for the .DOTNETNUKE session cookie alongside a malicious DNNPersonalization cookie.
- Successful exploitation of the PoC/detection template results in a 404 HTTP status with response body containing '[extensions]' and 'for 16-bit app support' (contents of C:\Windows\win.ini).
- The X-Requested-With: XMLHttpRequest header is present in exploit requests; correlate with DNNPersonalization cookie anomalies.
- Versions 9.2.0–9.2.1 require encryption of the cookie payload; KEY and IV values must be recovered (e.g., from a verification code) to craft a working exploit.
- Versions 5.0.0–9.1.1 do not require cookie encryption or an authenticated session, making them easier to exploit without credentials.
- CVE-2018-18325 is an incomplete fix for CVE-2018-15811; DNN 9.2.2 remains vulnerable. Full remediation requires upgrading to 9.3.0 or later.
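The indicators listed above can be correlated per request for log triage. The following is an added example, not code from this page or its sources; the record schema (`path`, `status`, `headers`, `body`), the `suspicious` rule and all sample values are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Marker strings come from the Suricata rule quoted on this page (sid 2034308).
GADGET = "expandedwrapperofobjectstateformatterobjectdataprovider"
ORDERED = re.compile(r"<profile.*methodname.*deserialize.*methodparameters", re.S)

def parse_cookies(header):
    """Split a raw Cookie header into {lowercased name: raw value}."""
    pairs = (p.strip().partition("=") for p in header.split(";"))
    return {name.lower(): value for name, sep, value in pairs if sep}

def findings(rec):
    """Return the indicator names one request/response record matches."""
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    jar = parse_cookies(headers.get("cookie", ""))
    if "dnnpersonalization" not in jar:
        return []
    hits = []
    value = unquote(jar["dnnpersonalization"]).lower()
    if GADGET in value and ORDERED.search(value):
        hits.append("cleartext-gadget")   # only visible when the cookie is unencrypted
    if rec.get("status") == 404:
        hits.append("cookie-on-404")
    if headers.get("x-requested-with", "").lower() == "xmlhttprequest":
        hits.append("xhr-header")
    if ".dotnetnuke" in jar:
        hits.append("session-cookie")     # required for 9.2.0+ per the list above
    body = rec.get("body", "")
    if "[extensions]" in body and "for 16-bit app support" in body:
        hits.append("win.ini-in-body")
    return hits

def suspicious(rec):
    """Assumed triage rule: a strong marker, or the 404 + XHR combination."""
    hits = set(findings(rec))
    return bool(hits & {"cleartext-gadget", "win.ini-in-body"}) or \
        {"cookie-on-404", "xhr-header"} <= hits

# Constructed sample records (hypothetical log schema, placeholder cookie values).
SAMPLE = [
    {"path": "/Home", "status": 200, "headers": {"Cookie": "DNNPersonalization=opaque1; .DOTNETNUKE=s1"}},
    {"path": "/__", "status": 404, "headers": {"X-Requested-With": "XMLHttpRequest",
     "Cookie": "DNNPersonalization=%3Cprofile%3E...ExpandedWrapperOfObjectStateFormatterObjectDataProvider...MethodName...Deserialize...MethodParameters"}},
    {"path": "/__", "status": 404, "headers": {"X-Requested-With": "XMLHttpRequest",
     "Cookie": ".DOTNETNUKE=s2; DNNPersonalization=opaque2"}},
]
```

On 9.2.x the cookie is encrypted, so the cleartext markers never match and only the contextual indicators fire; treat the 404 + XHR combination as a lead to review, since ordinary AJAX requests from logged-in users can also produce it.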
CVSS provenance
- nvd (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- nvd (v2.0): 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
- ghsa: 7.5 HIGH
- osv: 7.5 HIGH
- vulncheck: 7.5 HIGH
- cisa: 7.5 HIGH
OSV
Inadequate Encryption Strength in DotNetNuke
osv·2019-07-05·CVSS 7.5
CVE-2018-18325 [HIGH] Inadequate Encryption Strength in DotNetNuke
DNN (aka DotNetNuke) 9.2 through 9.2.2 uses a weak encryption algorithm to protect input parameters. NOTE: this issue exists because of an incomplete fix for CVE-2018-15811.
GHSA
Inadequate Encryption Strength in DotNetNuke
ghsa·2019-07-05
CVE-2018-15811 [HIGH] CWE-326 Inadequate Encryption Strength in DotNetNuke
DNN (aka DotNetNuke) 9.2 through 9.2.1 uses a weak encryption algorithm to protect input parameters.
GHSA
Inadequate Encryption Strength in DotNetNuke
ghsa·2019-07-05·CVSS 7.5
CVE-2018-18325 [HIGH] CWE-326 Inadequate Encryption Strength in DotNetNuke
DNN (aka DotNetNuke) 9.2 through 9.2.2 uses a weak encryption algorithm to protect input parameters. NOTE: this issue exists because of an incomplete fix for CVE-2018-15811.
OSV
Inadequate Encryption Strength in DotNetNuke
osv·2019-07-05
CVE-2018-15811 [HIGH] Inadequate Encryption Strength in DotNetNuke
DNN (aka DotNetNuke) 9.2 through 9.2.1 uses a weak encryption algorithm to protect input parameters.
VulnCheck
DotNetNuke (DNN) Inadequate Encryption Strength Vulnerability
vulncheck·2018·CVSS 7.5
CVE-2018-18325 [HIGH] CWE-326 DotNetNuke (DNN) Inadequate Encryption Strength Vulnerability
DotNetNuke (DNN) contains an inadequate encryption strength vulnerability resulting from the use of a weak encryption algorithm to protect input parameters. This CVE ID resolves an incomplete patch for CVE-2018-15811.
Affected: DotNetNuke (DNN) DotNetNuke (DNN)
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-05-03
VulnCheck
DotNetNuke (DNN) Inadequate Encryption Strength Vulnerability
vulncheck·2018·CVSS 7.5
CVE-2018-15811 [HIGH] CWE-326 DotNetNuke (DNN) Inadequate Encryption Strength Vulnerability
DotNetNuke (DNN) contains an inadequate encryption strength vulnerability resulting from the use of a weak encryption algorithm to protect input parameters.
Affected: DotNetNuke (DNN) DotNetNuke (DNN)
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-05-03
CISA
DotNetNuke (DNN) Inadequate Encryption Strength Vulnerability
cisa·2021-11-03·CVSS 7.5
CVE-2018-18325 [HIGH] CWE-326 DotNetNuke (DNN) Inadequate Encryption Strength Vulnerability
Vulnerability: DotNetNuke (DNN) Inadequate Encryption Strength Vulnerability
Affected: DotNetNuke (DNN) DotNetNuke (DNN)
DotNetNuke (DNN) contains an inadequate encryption strength vulnerability resulting from the use of a weak encryption algorithm to protect input parameters. This CVE ID resolves an incomplete patch for CVE-2018-15811.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-18325
Remediation Due Date: 2022-05-03
CISA
DotNetNuke (DNN) Inadequate Encryption Strength Vulnerability
cisa·2021-11-03·CVSS 7.5
CVE-2018-15811 [HIGH] CWE-326 DotNetNuke (DNN) Inadequate Encryption Strength Vulnerability
Vulnerability: DotNetNuke (DNN) Inadequate Encryption Strength Vulnerability
Affected: DotNetNuke (DNN) DotNetNuke (DNN)
DotNetNuke (DNN) contains an inadequate encryption strength vulnerability resulting from the use of a weak encryption algorithm to protect input parameters.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-15811
Remediation Due Date: 2022-05-03
Suricata
ET EXPLOIT DotNetNuke 9.2-9.2.2 Cookie Deserialization Exploit (CVE-2018-15811)
suricata·2021-11-01·CVSS 7.5
CVE-2017-9822 [HIGH] ET EXPLOIT DotNetNuke 9.2-9.2.2 Cookie Deserialization Exploit (CVE-2018-15811)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT DotNetNuke 9.2-9.2.2 Cookie Deserialization Exploit (CVE-2018-15811)"; flow:established,to_server; content:"ExpandedWrapperOfObjectStateFormatterObjectDataProvider"; fast_pattern; http.cookie; content:"DNNPersonalization="; nocase; content:"<profile"; nocase; content:"MethodName"; nocase; distance:0; content:"Deserialize"; nocase; distance:0; content:"MethodParameters"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/48336; reference:cve,2017-9822; reference:cve,2018-15811; reference:cve,2018-18326; reference:cve,2018-18325; reference:cve,2018-15812; classtype:attempted-admin; sid:2034308; rev:1; metadata:attack_target Ser
Exploit-DB
DotNetNuke - Cookie Deserialization Remote Code Execution (Metasploit)
exploitdb·2020-04-16
CVE-2018-18326 DotNetNuke - Cookie Deserialization Remote Code Execution (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/exploit/powershell'
require 'openssl'
require 'set'
class MetasploitModule active_timeout
}
# payload handler is normally set up and started here
# but has been removed so we can start the handler when needed.
end
def initialize(info = {})
super(update_info(
info,
'Name' => "DotNetNuke Cookie Deserialization Remote Code Execution",
'Description' => %q(
This module exploits a deserialization vulnerability in DotNetNuke (DNN) versions 5.0.0 to 9.3.0-RC.
Vulnerable versions store profile information for users in the DNNPersonalization cookie as XML.
The expect
Metasploit
DotNetNuke Cookie Deserialization Remote Code Excecution
metasploit
This module exploits a deserialization vulnerability in DotNetNuke (DNN) versions 5.0.0 to 9.3.0-RC. Vulnerable versions store profile information for users in the DNNPersonalization cookie as XML. The expected structure includes a "type" attribute to instruct the server which type of object to create on deserialization. The cookie is processed by the application whenever it attempts to load the current user's profile data. This occurs when DNN is configured to handle 404 errors with its built-in error page (default configuration). An attacker can leverage this vulnerability to execute arbitrary code on the system.
Nuclei
DotNetNuke 9.2 - 9.2.1 - Weak Encryption & Cookie Deserialization
nuclei·CVSS 7.5
CVE-2018-15811 [HIGH] DotNetNuke 9.2 - 9.2.1 - Weak Encryption & Cookie Deserialization
DNN (DotNetNuke) versions 9.2 through 9.2.1 use a weak encryption algorithm to protect input parameters. This cryptographic weakness enables attackers to craft malicious DNNPersonalization cookies that can be deserialized, leading to remote code execution.
Template:
```yaml
id: CVE-2018-15811
info:
  name: DotNetNuke 9.2 - 9.2.1 - Weak Encryption & Cookie Deserialization
  author: pdteam
  severity: high
  description: |
    DNN (DotNetNuke) versions 9.2 through 9.2.1 use a weak encryption algorithm to protect input parameters. This cryptographic weakness enables attackers to craft malicious DNNPersonalization cookies that can be deserialized, leading to remote code execution.
  impact: |
    Attackers can exploit weak encryption to decrypt or ta
```
Nuclei
DotNetNuke 9.2 - 9.2.2 - Weak Encryption & Cookie Deserialization
nuclei·CVSS 7.5
CVE-2018-18325 [HIGH] DotNetNuke 9.2 - 9.2.2 - Weak Encryption & Cookie Deserialization
DNN (DotNetNuke) versions 9.2 through 9.2.2 use a weak encryption algorithm to protect input parameters because of an incomplete fix for CVE-2018-15811. This cryptographic weakness enables attackers to craft malicious DNNPersonalization cookies that can be deserialized, leading to remote code execution.
Template:
```yaml
id: CVE-2018-18325
info:
  name: DotNetNuke 9.2 - 9.2.2 - Weak Encryption & Cookie Deserialization
  author: pdteam
  severity: high
  description: |
    DNN (DotNetNuke) versions 9.2 through 9.2.2 use a weak encryption algorithm to protect input parameters because of an incomplete fix for CVE-2018-15811. This cryptographic weakness enables attackers to craft malicious DNNPersonalization cookies that can be deserialized, le
```
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/157080/DotNetNuke-Cookie-Deserialization-Remote-Code-Execution.html
- https://github.com/dnnsoftware/Dnn.Platform/releases
- https://www.dnnsoftware.com/community/security/security-center
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-15811

Published: 2019-07-03
Added to CISA KEV: 2021-11-03
Exploited in the wild