There is an information disclosure issue in DNN (formerly DotNetNuke) 9.5 within the built-in Activity-Feed/Messaging/Userid/ Message Center module. A registered user is able to enumerate any file in the Admin File Manager (other than ones contained in a secure folder) by sending themselves a message with the file attached, e.g., by using an arbitrary small integer value in the fileIds parameter.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2020-04-06T20:27:46
Updated: 2024-08-04T11:35:13.326Z
Reserved: 2020-04-06T00:00:00
Link: CVE-2020-11585
Vulnrichment
No data.
NVD
Status : Modified
Published: 2020-04-06T21:15:13.687
Modified: 2024-11-21T04:58:10.753
Link: CVE-2020-11585
Redhat
No data.