CVE-2008-6540
Summary
| CVE | CVE-2008-6540 |
|---|---|
| State | PUBLISHED |
| Assigner | mitre |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2009-03-30 01:30:00 UTC |
| Updated | 2026-04-24 17:34:37 UTC |
| Description | DotNetNuke before 4.8.2, during installation or upgrade, does not warn the administrator when the default (1) ValidationKey and (2) DecryptionKey values cannot be modified in the web.config file, which allows remote attackers to bypass intended access restrictions by using the default keys. |
Risk And Classification
Primary CVSS: v2.0 5.1 from [email protected]
AV:N/AC:H/Au:N/C:P/I:P/A:P
EPSS: 0.053300000 probability, percentile 0.900820000 (date 2026-04-26)
Problem Types: CWE-264 | n/a
CVSS v2.0 Breakdown
Access Vector
NetworkAccess Complexity
HighAuthentication
NoneConfidentiality
PartialIntegrity
PartialAvailability
PartialAV:N/AC:H/Au:N/C:P/I:P/A:P
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Dnnsoftware | Dotnetnuke | 1.0.10d | All | All | All |
| Application | Dnnsoftware | Dotnetnuke | 1.0.10e | All | All | All |
| Application | Dnnsoftware | Dotnetnuke | 1.0.6 | All | All | All |
| Application | Dnnsoftware | Dotnetnuke | 1.0.7 | All | All | All |
| Application | Dnnsoftware | Dotnetnuke | 1.0.8 | All | All | All |
| Application | Dnnsoftware | Dotnetnuke | 1.0.9 | All | All | All |
| Application | Dnnsoftware | Dotnetnuke | 2.1.1 | All | All | All |
| Application | Dnnsoftware | Dotnetnuke | 2.1.2 | All | All | All |
| Application | Dnnsoftware | Dotnetnuke | 3.0.11 | All | All | All |
| Application | Dnnsoftware | Dotnetnuke | 3.0.7 | All | All | All |
| Application | Dnnsoftware | Dotnetnuke | 3.0.8 | All | All | All |
| Application | Dnnsoftware | Dotnetnuke | 3.1.0 | All | All | All |
| Application | Dnnsoftware | Dotnetnuke | 3.3.5 | All | All | All |
| Application | Dnnsoftware | Dotnetnuke | 4.0 | All | All | All |
| Application | Dnnsoftware | Dotnetnuke | 4.3.5 | All | All | All |
| Application | Dnnsoftware | Dotnetnuke | 4.5.2 | All | All | All |
| Application | Dnnsoftware | Dotnetnuke | All | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| osvdb.org/43720 | af854a3a-2127-422b-91ae-364da2661108 | osvdb.org | |
| DotNetNuke Multiple Vulnerabilities - Secunia Advisories - Vulnerability Intelligence - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Vendor Advisory |
| Security Bulletin no.12 | af854a3a-2127-422b-91ae-364da2661108 | www.dotnetnuke.com | Vendor Advisory |
| DotNetNuke Default 'ValidationKey' and 'DecriptionKey' Weak Encryption Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | Exploit |
| SecurityFocus | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | |
| IBM X-Force Exchange | af854a3a-2127-422b-91ae-364da2661108 | exchange.xforce.ibmcloud.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 995395 DotNet (Nuget) Security Update for DotNetNuke.Core (GHSA-grw3-hjjm-5cjm)