Version: 1.0

Maximum Severity Rating: Low

Background

DotNetNuke added support for user messaging in 5.3.0.

Issue Summary

The code for the user messaging module was attached to the (now legacy) Mail.Send function, meaning mails were delivered to the message store instead of always being emailed. The user messaging store is keyed off the email address meaning that a potential hacker could impersonate another user and potentially receive their emails.

Mitigating factors

1. The user messaging module is only available to logged in users. If your site contains a controlled set of users i.e. does not allow public or verifed registration then this issue is greatly mitigated. In cases where a site has a single user the issue obviously is non existant.

2. This mail function delivers to the first result, which may or may not be the correct user. Depending on the user configuration, mails may always go to the correct user.

Affected DotNetNuke versions

5.3.0 - 5.4.2

Non-Affected Versions:

All others

Fix(s) for issue

To fix this problem, you are recommended to update to the latest version of DotNetNuke (5.4.3 at time of writing).

Acknowledgments

Roger Selwyn

Security Policy

Click here to read more details on the DotNetNuke Security Policy