There is an information disclosure issue in DNN (formerly DotNetNuke) 9.5 within the built-in Activity-Feed/Messaging/Userid/ Message Center module. A registered user is able to enumerate any file in the Admin File Manager (other than ones contained in a secure folder) by sending themselves a message with the file attached, e.g., by using an arbitrary small integer value in the fileIds parameter.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-04-06T20:27:46

Updated: 2024-08-04T11:35:13.326Z

Reserved: 2020-04-06T00:00:00

Link: CVE-2020-11585

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2020-04-06T21:15:13.687

Modified: 2024-11-21T04:58:10.753

Link: CVE-2020-11585

cve-icon Redhat

No data.