As you may have already read the article here, DNN announced through a Security Bulletin that the email addresses, display names and usernames of all your users can be uncovered on a typical DNN and Evoq install.
In standard configuration, only the 3 items mentioned above can be revealed, while in Custom “Registration Form Type”, most of the registration properties are vulnerable. However, passwords can NOT be uncovered in any case. This issue is present since DNN 6.2 and has been fixed in DNN 9.0.2. The fix is also available for older versions as a patch.
After careful investigation by our developers, we are proud to announce that this vulnerability is not present in our products. This issue relates only to DNN extensions which define a custom register module. As neither Action Form, nor any other DNN Sharp product implements this type of module, all products are unaffected by this security matter.
DNN recommends to at least apply the patch here, even if you don’t upgrade. According to DNN, the patch updates the registration system to correct the vulnerability. It also creates a test page under Host to verify if you are patched.
As usual, we take these issues very seriously and concentrate our resources to maintain the high quality of our products and services. Should you have any questions or observations regarding this matter, contact us here.