Vulnerability Instance
Look up vulnerabilities affecting packages.
GET /api/vulnerabilities/41144?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41144?format=api", "vulnerability_id": "VCID-jw1r-pvtw-d3bz", "summary": "Insufficient Entropy\nDNN (aka DotNetNuke) incorrectly converts encryption key source values, resulting in lower than expected entropy.", "aliases": [ { "alias": "CVE-2018-15812" }, { "alias": "GHSA-pf46-gqg9-j3v3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/238555?format=api", "purl": "pkg:nuget/DotNetNuke.Core@9.2.1.533", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2dnh-g597-juce" }, { "vulnerability": "VCID-3e7c-8uk1-ruch" }, { "vulnerability": "VCID-dnf9-9hrt-1qfx" }, { "vulnerability": "VCID-m5hg-ajyc-3qf1" }, { "vulnerability": "VCID-qscj-d21p-nfby" }, { "vulnerability": "VCID-uk5d-ubkt-6fhn" }, { "vulnerability": "VCID-y9ym-w5m9-e3bs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:nuget/DotNetNuke.Core@9.2.1.533" }, { "url": "http://public2.vulnerablecode.io/api/packages/58277?format=api", "purl": "pkg:nuget/DotNetNuke.Core@9.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-uk5d-ubkt-6fhn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:nuget/DotNetNuke.Core@9.2.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/58274?format=api", "purl": "pkg:nuget/DotNetNuke.Core@9.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3e7c-8uk1-ruch" }, { "vulnerability": "VCID-m5hg-ajyc-3qf1" }, { "vulnerability": "VCID-qscj-d21p-nfby" }, { "vulnerability": "VCID-y9ym-w5m9-e3bs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:nuget/DotNetNuke.Core@9.3.0" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/57623?format=api", "purl": "pkg:nuget/DotNetNuke.Core@9.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dnf9-9hrt-1qfx" }, { "vulnerability": 
"VCID-jw1r-pvtw-d3bz" }, { "vulnerability": "VCID-uk5d-ubkt-6fhn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:nuget/DotNetNuke.Core@9.2.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/56012?format=api", "purl": "pkg:nuget/DotNetNuke.Core@9.2.0.366", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2dnh-g597-juce" }, { "vulnerability": "VCID-3e7c-8uk1-ruch" }, { "vulnerability": "VCID-dnf9-9hrt-1qfx" }, { "vulnerability": "VCID-jw1r-pvtw-d3bz" }, { "vulnerability": "VCID-m5hg-ajyc-3qf1" }, { "vulnerability": "VCID-qscj-d21p-nfby" }, { "vulnerability": "VCID-uk5d-ubkt-6fhn" }, { "vulnerability": "VCID-y9ym-w5m9-e3bs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:nuget/DotNetNuke.Core@9.2.0.366" }, { "url": "http://public2.vulnerablecode.io/api/packages/58273?format=api", "purl": "pkg:nuget/DotNetNuke.Core@9.2.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-jw1r-pvtw-d3bz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:nuget/DotNetNuke.Core@9.2.1" } ], "references": [ { "reference_url": "http://packetstormsecurity.com/files/157080/DotNetNuke-Cookie-Deserialization-Remote-Code-Execution.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://packetstormsecurity.com/files/157080/DotNetNuke-Cookie-Deserialization-Remote-Code-Execution.html" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-15812", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.79178", "scoring_system": "epss", "scoring_elements": "0.99089", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-15812" }, { "reference_url": 
"https://github.com/dnnsoftware/Dnn.Platform/releases", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/dnnsoftware/Dnn.Platform/releases" }, { "reference_url": "https://www.dnnsoftware.com/community/security/security-center", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.dnnsoftware.com/community/security/security-center" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15812", "reference_id": "CVE-2018-15812", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15812" } ], "weaknesses": [ { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." }, { "cwe_id": 331, "name": "Insufficient Entropy", "description": "The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." 
} ], "exploits": [ { "date_added": null, "description": "This module exploits a deserialization vulnerability in DotNetNuke (DNN) versions 5.0.0 to 9.3.0-RC.\n Vulnerable versions store profile information for users in the DNNPersonalization cookie as XML.\n The expected structure includes a \"type\" attribute to instruct the server which type of object to create on deserialization.\n The cookie is processed by the application whenever it attempts to load the current user's profile data.\n This occurs when DNN is configured to handle 404 errors with its built-in error page (default configuration).\n An attacker can leverage this vulnerability to execute arbitrary code on the system.", "required_action": null, "due_date": null, "notes": "Stability:\n - crash-safe\nReliability:\n - repeatable-session\nSideEffects: []\n", "known_ransomware_campaign_use": false, "source_date_published": "2017-07-20", "exploit_type": null, "platform": "Windows", "source_date_updated": null, "data_source": "Metasploit", "source_url": "https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/windows/http/dnn_cookie_deserialization_rce.rb" }, { "date_added": "2020-04-16", "description": "DotNetNuke - Cookie Deserialization Remote Code Execution (Metasploit)", "required_action": null, "due_date": null, "notes": null, "known_ransomware_campaign_use": true, "source_date_published": "2020-04-16", "exploit_type": "remote", "platform": "windows", "source_date_updated": "2020-04-16", "data_source": "Exploit-DB", "source_url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/dnn_cookie_deserialization_rce.rb" } ], "severity_range_score": "7.0 - 8.9", "exploitability": "0.5", "weighted_severity": "8.0", "risk_score": 4.0, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jw1r-pvtw-d3bz" }