Description

DNN (DotNetNuke) CMS is a .NET content management system.

DNN uses usafe deserialization for a DNNPersonalization cookie. Arbitrary object deserialization is inherently unsafe, and should never be performed on untrusted data. An attacker can leverage this vulnerability to execute arbitrary code on the system.

Remediation

Upgrade to the latest version of DNN

References

Security Center

ysoserial.net

Related Vulnerabilities

Python object deserialization of user-supplied data

JavaMelody XML External Entity (XXE) vulnerability

WebLogic Deserialization of Untrusted Data Vulnerability (CVE-2020-11620)

Remote code execution in bootstrap-sass 3.2.0.3

Keycloak request_uri SSRF (CVE-2020-10770)

Severity

High

Classification

CWE-502 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Insecure Deserialization Acumonitor