Vulnerability_id VCID-jw1r-pvtw-d3bz
Summary
Insufficient Entropy
DNN (aka DotNetNuke) incorrectly converts encryption key source values, resulting in lower than expected entropy.
Aliases
0
alias CVE-2018-15812
1
alias GHSA-pf46-gqg9-j3v3
Fixed_packages
0
url pkg:nuget/DotNetNuke.Core@9.2.1.533
purl pkg:nuget/DotNetNuke.Core@9.2.1.533
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2dnh-g597-juce
1
vulnerability VCID-3e7c-8uk1-ruch
2
vulnerability VCID-dnf9-9hrt-1qfx
3
vulnerability VCID-m5hg-ajyc-3qf1
4
vulnerability VCID-qscj-d21p-nfby
5
vulnerability VCID-uk5d-ubkt-6fhn
6
vulnerability VCID-y9ym-w5m9-e3bs
resource_url http://public2.vulnerablecode.io/packages/pkg:nuget/DotNetNuke.Core@9.2.1.533
1
url pkg:nuget/DotNetNuke.Core@9.2.2
purl pkg:nuget/DotNetNuke.Core@9.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-uk5d-ubkt-6fhn
resource_url http://public2.vulnerablecode.io/packages/pkg:nuget/DotNetNuke.Core@9.2.2
2
url pkg:nuget/DotNetNuke.Core@9.3.0
purl pkg:nuget/DotNetNuke.Core@9.3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3e7c-8uk1-ruch
1
vulnerability VCID-m5hg-ajyc-3qf1
2
vulnerability VCID-qscj-d21p-nfby
3
vulnerability VCID-y9ym-w5m9-e3bs
resource_url http://public2.vulnerablecode.io/packages/pkg:nuget/DotNetNuke.Core@9.3.0
Affected_packages
0
url pkg:nuget/DotNetNuke.Core@9.2.0
purl pkg:nuget/DotNetNuke.Core@9.2.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dnf9-9hrt-1qfx
1
vulnerability VCID-jw1r-pvtw-d3bz
2
vulnerability VCID-uk5d-ubkt-6fhn
resource_url http://public2.vulnerablecode.io/packages/pkg:nuget/DotNetNuke.Core@9.2.0
1
url pkg:nuget/DotNetNuke.Core@9.2.0.366
purl pkg:nuget/DotNetNuke.Core@9.2.0.366
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2dnh-g597-juce
1
vulnerability VCID-3e7c-8uk1-ruch
2
vulnerability VCID-dnf9-9hrt-1qfx
3
vulnerability VCID-jw1r-pvtw-d3bz
4
vulnerability VCID-m5hg-ajyc-3qf1
5
vulnerability VCID-qscj-d21p-nfby
6
vulnerability VCID-uk5d-ubkt-6fhn
7
vulnerability VCID-y9ym-w5m9-e3bs
resource_url http://public2.vulnerablecode.io/packages/pkg:nuget/DotNetNuke.Core@9.2.0.366
2
url pkg:nuget/DotNetNuke.Core@9.2.1
purl pkg:nuget/DotNetNuke.Core@9.2.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jw1r-pvtw-d3bz
resource_url http://public2.vulnerablecode.io/packages/pkg:nuget/DotNetNuke.Core@9.2.1
References
0
reference_url http://packetstormsecurity.com/files/157080/DotNetNuke-Cookie-Deserialization-Remote-Code-Execution.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://packetstormsecurity.com/files/157080/DotNetNuke-Cookie-Deserialization-Remote-Code-Execution.html
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2018-15812
reference_id
reference_type
scores
0
value 0.79178
scoring_system epss
scoring_elements 0.99089
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2018-15812
2
reference_url https://github.com/dnnsoftware/Dnn.Platform/releases
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/dnnsoftware/Dnn.Platform/releases
3
reference_url https://www.dnnsoftware.com/community/security/security-center
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.dnnsoftware.com/community/security/security-center
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2018-15812
reference_id CVE-2018-15812
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2018-15812
Weaknesses
0
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
1
cwe_id 331
name Insufficient Entropy
description The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
2
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
Exploits
0
date_added null
description
This module exploits a deserialization vulnerability in DotNetNuke (DNN) versions 5.0.0 to 9.3.0-RC.
Vulnerable versions store profile information for users in the DNNPersonalization cookie as XML.
The expected structure includes a "type" attribute to instruct the server which type of object to create on deserialization.
The cookie is processed by the application whenever it attempts to load the current user's profile data.
This occurs when DNN is configured to handle 404 errors with its built-in error page (default configuration).
An attacker can leverage this vulnerability to execute arbitrary code on the system.
required_action null
due_date null
notes
Stability:
  - crash-safe
Reliability:
  - repeatable-session
SideEffects: []
known_ransomware_campaign_use false
source_date_published 2017-07-20
exploit_type null
platform Windows
source_date_updated null
data_source Metasploit
source_url https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/windows/http/dnn_cookie_deserialization_rce.rb
1
date_added 2020-04-16
description DotNetNuke - Cookie Deserialization Remote Code Execution (Metasploit)
required_action null
due_date null
notes null
known_ransomware_campaign_use true
source_date_published 2020-04-16
exploit_type remote
platform windows
source_date_updated 2020-04-16
data_source Exploit-DB
source_url https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/dnn_cookie_deserialization_rce.rb
Severity_range_score 7.0 - 8.9
Exploitability 0.5
Weighted_severity 8.0
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jw1r-pvtw-d3bz