Security Bulletins Policy

DotNetNuke takes the issue of security very seriously. We make every effort to ensure speedy analysis of reported issues and, where required, provide workarounds and updated application releases to fix them.

Reporting Security Issues

Please report suspected issues/security scan results using either of the two methods below:

Email: security@dotnetnuke.com

Form: Report Security Issue

All information submitted is viewed only by members of the DotNetNuke Security Task Force, and will not be discussed outside the Task Force without the permission of the person/company who reported the issue.

Severity Levels

Each confirmed issue is first assigned a severity level (Critical, Moderate, or Low) corresponding to its potential impact on the security of DotNetNuke installations.

  • Critical—A security issue is rated critical if it can be exploited by a remote attacker to gain access to DotNetNuke data or functionality. All critical issue security bulletins include a recommended workaround or fix that should be applied as soon as possible.
     
  • Moderate—A security issue is rated moderate if it can compromise data or functionality on a portal/website only if some other condition is met (e.g. a particular module or a user within a particular role is required). Moderate issue security bulletins typically include recommended actions to resolve the issue.
     
  • Low—A security issue is rated low if it is very difficult to exploit or has a limited potential impact.

The Security Task Force then issues a security bulletin via the DotNetNuke security blog, forum posts and, where judged necessary, email. The bulletin provides details about the issue, the DotNetNuke versions impacted, and suggested fixes or workarounds.

Sunsetted releases

When DotNetNuke issues a new major release (e.g. moving from 5.x to 6.x) we "sunset" the previous release. This means that all future bug fix and enhancement work is only done on the latest release, i.e. the sunsetted release is effectively code frozen. However, we recognise that not everyone can move rapidly to a new major release, so if security issues are discovered that affect the sunsetted release we will create a maintenance release to address those specific security vulnerabilities. We will continue to provide this level of support for 1 year from the date of the latest major release. In the case of DotNetNuke 5.x and 6.0, the latter having been released on July 20th 2011, it means that 5.x releases will continue to be supported for security reasons until July 20th 2012.

Security Blog

The DotNetNuke security blog provides information on general security matters, as well as details on new issues, releases, and documentation. We recommend that you visit the blog regularly to keep up to date on the latest DotNetNuke security information.
 

Security Documentation

| Title | Owner | Size |
| --- | --- | --- |
| Secure Module Development | Shaun Walker | 267.98 KB |
| Hardening DotNetNuke Installations | Shaun Walker | 268.02 KB |

DotNetNuke Corporation

DotNetNuke Corp. is the steward of the DotNetNuke open source project, the most widely adopted Web Content Management Platform for building web sites and web applications on Microsoft .NET. Organizations use DotNetNuke to quickly develop and deploy interactive and dynamic web sites, intranets, extranets and web applications. The DotNetNuke platform is available in a free Community and subscription-based Professional and Enterprise Editions with an Elite Support option. DotNetNuke Corp. also operates Snowcovered.com where users purchase third party apps for the platform.