Miggo Logo
Book a Demo
Miggo Vulnerability Database
CVE-2020-5188

CVE-2020-5188:
DNN File Upload Vulnerability

6.5

CVSS Score

Basic Information

CVE ID
CVE-2020-5188
GHSA ID
GHSA-vjcm-j85r-7p68
EPSS Score
-
CWE
CWE-434
Published
5/24/2022
Updated
8/11/2023
KEV Status
No
Technology
TechnologyC#

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
DotNetNuke.Corenuget<= 9.4.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from insufficient server-side validation of file extensions for non-superusers. While superuser uploads had server-side checks, regular user uploads only had client-side validation which could be bypassed. The FileManager.SaveFile method in DNN's core file handling service is the logical entry point for upload operations, and its failure to enforce extension validation for non-privileged users aligns with the described vulnerability mechanism. The CWE-434 classification and exploit documentation confirm this pattern of insecure file handling.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*NN (*orm*rly *otN*tNuk*) t*rou** *.*.* **s * *il* uplo** vuln*r**ility vi* *yp*ssin* *li*nt-si** *il* *xt*nsion ****k

Reasoning

T** vuln*r**ility st*ms *rom insu**i*i*nt s*rv*r-si** v*li**tion o* *il* *xt*nsions *or non-sup*rus*rs. W*il* sup*rus*r uplo**s *** s*rv*r-si** ****ks, r**ul*r us*r uplo**s only *** *li*nt-si** v*li**tion w*i** *oul* ** *yp*ss**. T** *il*M*n***r.S*v*