DotNetNuke, Force Friend Request Acceptance, GHSA-fpj4-9qhx-5m6m (Moderate)

Listen to this Post

The vulnerability resides in DNN’s (formerly DotNetNuke) friends feature. Due to missing ownership validation, an attacker can craft a malicious HTTP request that forces the acceptance of a friend request on another user’s behalf.
Specifically, the `AcceptFriend` API endpoint (e.g., /DesktopModules/MemberDirectory/API/Friends/AcceptFriend) does not verify that the requesting user is the intended recipient of the friend request. A low-privileged, authenticated user can directly invoke this endpoint with the target user’s identifier (e.g., `userId` or friendshipId) and a manipulated friend request token.
Because the endpoint lacks a check to ensure the request originates from the user who received the friend invitation, the server processes the acceptance without requiring any interaction from the victim. This bypasses the normal two-way consent flow, effectively allowing the attacker to establish a one-sided “friendship” with the victim.
The flaw is categorized as Improper Authorization (CWE-285) and has a CVSS score of 4.3 (Moderate). The affected component is `DotNetNuke.Core` in versions 6.0.0 through 10.2.1. An attacker with network access and valid credentials can exploit this remotely with no user interaction, leading to unauthorized access to the victim’s profile data and social interactions.

Platform: DotNetNuke (DNN)
Version: 6.0.0 – 10.2.1
Vulnerability: Forced friend acceptance
Severity: Moderate
Date: April 10, 2026
Prediction: April 10, 2026

What Undercode Say:

Check vulnerable version
curl -k "https://target.com/DesktopModules/MemberDirectory/API/Friends/GetFriends?userId=2" -H "Cookie: .DOTNETNUKE=..."
Exploit snippet (conceptual)
curl -X POST "https://target.com/DesktopModules/MemberDirectory/API/Friends/AcceptFriend" \
-H "Content-Type: application/json" \
-H "Cookie: .DOTNETNUKE=attacker_cookie" \
-d '{"friendId": 5, "requestId": 123}'

Exploit:

An attacker sends a POST request to the `AcceptFriend` endpoint containing the victim’s user ID and the ID of a pending friend request. The server, lacking an ownership check, accepts the request and links the attacker’s account with the victim’s without the victim’s consent.

Protection from this CVE:

  • Upgrade to DotNetNuke.Core version 10.2.2 or later.
  • If immediate upgrade is not possible, temporarily disable the friends feature or implement a custom authorization filter that verifies the requesting user is the intended recipient of the friend request.
  • Apply the official security patch provided by DNN Platform.

Impact:

  • Unauthorized access to private profile information.
  • Ability to view victim’s friend list, activities, and private posts.
  • Facilitates social engineering and targeted attacks.
  • Undermines the trust and security of the platform’s social features.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top