DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-FPJ4-9QHX-5M6M: Improper Authorization in DNN Platform Friend Request Flow

Vulnerability ID: GHSA-FPJ4-9QHX-5M6M
CVSS Score: 5.3
Published: 2026-04-10

DNN Platform (formerly DotNetNuke) versions 6.0.0 up to, but not including, 10.2.2 contain an Improper Authorization and Insecure Direct Object Reference (IDOR) vulnerability. The flaw lies in the internal API endpoint that processes friend request acceptances: because the endpoint does not bind the accepting user to the authenticated session, an attacker can force a target user to accept a friend request without that user's interaction or consent.

TL;DR

An IDOR vulnerability in DNN Platform's messaging API allows attackers to bypass authorization checks and force targeted users to accept friend requests. This exposes restricted profile data and facilitates social engineering attacks. Administrators must upgrade to version 10.2.2 to apply the necessary authorization patch.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-285, CWE-639
  • Attack Vector: Network
  • Authentication: Required (Low Privilege)
  • Severity: Moderate
  • Exploit Status: Proof of Concept Known
  • CISA KEV: Not Listed

Affected Systems

  • DNN Platform (DotNetNuke)
  • DNN Platform: >= 6.0.0, < 10.2.2 (Fixed in: 10.2.2)

Mitigation Strategies

  • Upgrade DNN Platform to version 10.2.2.
  • Implement strict authorization checks matching authenticated session IDs against object owner IDs.
  • Deploy WAF rules to monitor anomalous POST requests to the AcceptFriendRequest API.
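The authorization check described in the second mitigation, shown as an added example on a hypothetical in-memory model (this is not DNN Platform's own code; the class and method names are assumed). The unsafe handler compares the request's owner against a user id supplied by the client, while the hardened handler compares it against the identity taken from the server-side session.

```csharp
// Added illustration of the IDOR pattern behind this advisory and the fix.
// Hypothetical model: not DNN Platform source; names are assumed.
using System;
using System.Collections.Generic;

public enum RequestState { Pending, Accepted }

public sealed class FriendRequest
{
    public int Id { get; set; }
    public int RequesterId { get; set; }   // user who sent the request
    public int RecipientId { get; set; }   // only this user may accept it
    public RequestState State { get; set; } = RequestState.Pending;
}

public sealed class FriendService
{
    private readonly Dictionary<int, FriendRequest> _requests = new Dictionary<int, FriendRequest>();

    public void Add(FriendRequest r) => _requests[r.Id] = r;

    // VULNERABLE (CWE-285 / CWE-639): the "owner" check compares against a user id
    // that the caller chose, so any authenticated user can pass the victim's id.
    public bool AcceptUnsafe(int requestId, int userIdFromBody)
    {
        if (!_requests.TryGetValue(requestId, out var r)) return false;
        if (r.RecipientId != userIdFromBody) return false;   // attacker-controlled
        r.State = RequestState.Accepted;
        return true;
    }

    // HARDENED: the acting user comes from the authenticated session, and the
    // object is only changed when that user is its owner (the recipient).
    public bool AcceptAuthorized(int requestId, int authenticatedUserId)
    {
        if (!_requests.TryGetValue(requestId, out var r)) return false;
        if (r.RecipientId != authenticatedUserId) return false;  // deny: not owner
        if (r.State != RequestState.Pending) return false;       // nothing to accept
        r.State = RequestState.Accepted;
        return true;
    }

    public RequestState StateOf(int requestId) => _requests[requestId].State;
}

public static class Demo
{
    public static void Main()
    {
        var svc = new FriendService();
        // Constructed scenario: user 3 sent request 1 to user 7 and is now logged in as 3.
        svc.Add(new FriendRequest { Id = 1, RequesterId = 3, RecipientId = 7 });
        Console.WriteLine(svc.AcceptUnsafe(1, userIdFromBody: 7));      // True: forced on behalf of 7
        svc.Add(new FriendRequest { Id = 2, RequesterId = 3, RecipientId = 7 });
        Console.WriteLine(svc.AcceptAuthorized(2, authenticatedUserId: 3)); // False: session user is not the recipient
        Console.WriteLine(svc.AcceptAuthorized(2, authenticatedUserId: 7)); // True: the recipient accepts
    }
}
```

The same pattern applies to any object-level action: take the actor from the session, load the object by id, and refuse unless the session user is the object's owner.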

Remediation Steps:

  1. Identify the current version of the DNN Platform running in the environment.
  2. If the version is between 6.0.0 and 10.2.1, schedule an immediate maintenance window.
  3. Download the DNN Platform 10.2.2 update from the official repository.
  4. Apply the patch following the vendor's standard upgrade procedures.
  5. Verify the integrity of the messaging API by attempting to reproduce the exploit with a test account.

Read the full report for GHSA-FPJ4-9QHX-5M6M on our website for more details including interactive diagrams and full exploit analysis.