Connor Neff

**Name of the Vulnerable Software and Affected Versions** DNN (formerly DotNetNuke) version 9.5 **Description** The issue allows a registered user to disclose information about files in the Admin File Manager by sending a message with an attached file. This is achieved by using an arbitrary small integer value in the `fileIds` parameter. The vulnerability is within the built-in Activity-Feed/Messaging/Userid/ Message Center module. **Recommendations** For DNN (formerly DotNetNuke) version 9.5, as a temporary workaround, consider restricting access to the `fileIds` parameter in the affected module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.