Published: Jan 19, 2011
Maximum Severity Rating: Critical
DotNetNuke supports a system of granular permissions that lets administrators assign capabilities such as edit, view and administrate to pages and modules.
A logic error was introduced that allowed a user with "edit" access to also access module settings. Once in module settings, the user could grant themselves additional granular permissions.
This only affects sites where users are granted "edit" permissions, i.e. sites where single users administer all the content are not affected.
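The flaw described above, modelled as an added example (this is not DotNetNuke's code). All class and function names are hypothetical, and the corrected check assumes that module settings should require the "administrate" permission, which the advisory does not spell out.

```python
from dataclasses import dataclass, field

VIEW, EDIT, ADMIN = "view", "edit", "administrate"  # permission names from the advisory


@dataclass
class Module:
    """Hypothetical module holding per-user granular permissions."""
    name: str
    grants: dict = field(default_factory=dict)  # username -> set of permissions

    def has(self, user: str, perm: str) -> bool:
        return perm in self.grants.get(user, set())


def can_open_settings_flawed(module: Module, user: str) -> bool:
    # Logic error of the kind described: "edit" is treated as enough for settings.
    return module.has(user, EDIT) or module.has(user, ADMIN)


def can_open_settings_fixed(module: Module, user: str) -> bool:
    # Assumption: settings expose the permission grid, so require "administrate".
    return module.has(user, ADMIN)


def grant_via_settings(module, actor, target, perm, gate) -> bool:
    """Change a permission through module settings; `gate` is the access check in force."""
    if not gate(module, actor):
        return False
    module.grants.setdefault(target, set()).add(perm)
    return True


def self_escalation_possible(gate) -> bool:
    """Regression check: can an edit-only user end up with "administrate"?"""
    # Constructed sample data: one content editor, one administrator.
    module = Module("Announcements", {"editor1": {VIEW, EDIT},
                                      "host": {VIEW, EDIT, ADMIN}})
    grant_via_settings(module, "editor1", "editor1", ADMIN, gate)
    return module.has("editor1", ADMIN)


if __name__ == "__main__":
    print("flawed gate:", self_escalation_possible(can_open_settings_flawed))
    print("fixed gate: ", self_escalation_possible(can_open_settings_fixed))
```

A check like `self_escalation_possible` is useful as a regression test after upgrading: it fails as soon as an edit-only account can reach the permission-changing path again.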
Affected DotNetNuke versions
Fix(s) for issue
To fix this problem, you are advised to update to the latest version of DotNetNuke (5.6.1 at the time of writing).
Community members David Lee & Roger Selwyn independently reported the issue.