CVE-2018-18325

CVE Published	2019-07-03
Related CWE(s)	CWE-326: Inadequate Encryption Strength
Related Vendor(s)	dnnsoftware
Related Product(s)	dotnetnuke
Exploitation Reported (CISA KEV)	2021-11-03
CVSS 3 Base Score	7.5 (HIGH)
CVSS 3 Attack Complexity	LOW
CVSS 3 Attack Vector	NETWORK

DNN (aka DotNetNuke) 9.2 through 9.2.2 uses a weak encryption algorithm to protect input parameters. NOTE: this issue exists because of an incomplete fix for CVE-2018-15811.

Cyber Threat Graph Context

Explore how this CVE relates to the wider threat graph

Associated CAPEC Patterns

Brute Force (CAPEC-112)

In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.

Protocol Analysis (CAPEC-192)

An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.

Encryption Brute Forcing (CAPEC-20)

An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.

References

CVE.org

View more information about CVE-2018-18325 on the official MITRE CVE website.

NIST National Vulnerability Database

CVE-2018-18325 on the NIST NVD.

CISA Known Exploited Vulnerabilities