Maximum Severity Rating: Low
DotNetNuke added support for user messaging in 5.3.0.
The code for the user messaging module was attached to the (now legacy) Mail.Send function, meaning mails were delivered to the message store instead of always being emailed. The user messaging store is keyed off the email address meaning that a potential hacker could impersonate another user and potentially receive their emails.
1. The user messaging module is only available to logged in users. If your site contains a controlled set of users i.e. does not allow public or verifed registration then this issue is greatly mitigated. In cases where a site has a single user the issue obviously is non existant.
2. This mail function delivers to the first result, which may or may not be the correct user. Depending on the user configuration, mails may always go to the correct user.
Affected DotNetNuke versions
5.3.0 - 5.4.2
Fix(s) for issue
To fix this problem, you are recommended to update to the latest version of DotNetNuke (5.4.3 at time of writing).
Click here to read more details on the DotNetNuke Security Policy