CVE-2020-11585

Name of the Vulnerable Software and Affected Versions DNN (formerly DotNetNuke) version 9.5

Description The issue allows a registered user to disclose information about files in the Admin File Manager by sending a message with an attached file. This is achieved by using an arbitrary small integer value in the fileIds parameter. The vulnerability is within the built-in Activity-Feed/Messaging/Userid/ Message Center module.

Recommendations For DNN (formerly DotNetNuke) version 9.5, as a temporary workaround, consider restricting access to the fileIds parameter in the affected module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.