DNN Platform 9.1.1 has recently been released. This release resolves the following security issues:
- 2017-06 (Low) Vulnerable ASP.NET MVC library (assembly) in Platform 8.0.0 and Evoq 8.3.0
  - Affected Versions: All versions from 8.0.0 up to 9.0.2
- 2017-07 (Low) SWF files can be vulnerable to XSS attacks
  - Affected Versions: All versions from 3.0.0 up to 9.0.2
- 2017-08 (Critical) Possible remote code execution on DNN sites
  - Affected Versions: All versions from 5.0.0 up to 9.1.0
- 2017-09 (Low) HTML5: overly permissive message posting policy on DNN sites
  - Affected Versions: All versions from 8.0.0 up to 9.1.0
- 2017-10 (Critical) Possibility of uploading malicious files to DNN sites
  - Affected Versions: All versions from 5.2.0 up to 9.1.0
- 2017-11 (Low) Possibility of URL redirection abuse in DNN sites
  - Affected Versions: All versions from 7.0.0 up to 9.1.0
Full details of all the above issues can be read at https://www.dnnsoftware.com/community/security/security-center
As always, we recommend you upgrade as soon as possible, particularly when the release contains any “critical” fix.
Also, we recommend users check the Security Analyzer page in the PersonaBar to help them audit their sites’ security settings.
Acknowledgements
We would like to thank the following for responsibly disclosing issues to our security team, and allowing us the time to resolve them:
- Daniel Kalinowski
- Alvaro Muñoz (@pwntester) and Oleksandr Mirosh from Hewlett-Packard Enterprise Security
- Thanh Van Tien Nguyen