cbcvebase.
CVE-2018-15811
published 2019-07-03

CVE-2018-15811: DNN (aka DotNetNuke) 9.2 through 9.2.1 uses a weak encryption algorithm to protect input parameters.

PriorityP183high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2022-05-03
Exploited in the wild
EPSS
74.05%
99.4th percentile
DNN (aka DotNetNuke) 9.2 through 9.2.1 uses a weak encryption algorithm to protect input parameters.

Affected

2 ranges
VendorProductVersion rangeFixed in
dnnsoftwaredotnetnuke9.2 – 9.2.2
dnnsoftwaredotnetnuke9.2 – 9.2.1

Detection & IOCsextracted from sources · hover to see the quote

cookieDNNPersonalization=WriteFileC:\Windows\win.ini
path/__
urlGET /__ HTTP/1.1
  • The DNNPersonalization cookie carries a serialized XML payload; monitor for unexpected or malformed values in this cookie, especially on 404 responses.
  • Exploitation is triggered via DNN's built-in 404 error handler; look for requests to non-existent paths (e.g., /__) accompanied by a DNNPersonalization cookie.
  • For DNN versions 9.2.0+, exploitation requires an authenticated session; look for the .DOTNETNUKE session cookie alongside a malicious DNNPersonalization cookie.
  • Successful exploitation of the PoC/detection template results in a 404 HTTP status with response body containing '[extensions]' and 'for 16-bit app support' (contents of C:\Windows\win.ini).
  • The X-Requested-With: XMLHttpRequest header is present in exploit requests; correlate with DNNPersonalization cookie anomalies.
  • ·Versions 9.2.0–9.2.1 require encryption of the cookie payload; KEY and IV values must be recovered (e.g., from a verification code) to craft a working exploit.
  • ·Versions 5.0.0–9.1.1 do not require cookie encryption or an authenticated session, making them easier to exploit without credentials.
  • ·CVE-2018-18325 is an incomplete fix for CVE-2018-15811; DNN 9.2.2 remains vulnerable. Full remediation requires upgrading to 9.3.0 or later.

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
ghsa7.5HIGH
osv7.5HIGH
vulncheck7.5HIGH
cisa7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.