DotNetNuke DNNArticle Module SQL Injection Vulnerability

Summary
This host has the DotNetNuke DNNArticle module installed and is prone to a SQL injection vulnerability.
Impact
Successful exploitation will allow remote attackers to manipulate SQL queries by injecting arbitrary SQL code.
Impact Level: Application
Solution
Upgrade to version 10.1 or later. For updates, refer to http://www.zldnn.com
Insight
Input passed via the 'categoryid' GET parameter to 'desktopmodules/dnnarticle/dnnarticlerss.aspx' (when 'moduleid' is set) is not properly sanitized before being used in a SQL query.
Affected
DotNetNuke DNNArticle module versions 10.0 and prior
Detection
Send a crafted HTTP GET request and check whether the response discloses the SQL server version.