DNN / DotNetNuke / Evoq — Secure and Latest Versions

As a courtesy to our customers, we maintain a list of recent versions and the important security updates for DNN / DotNetNuke. Generally, the most current version of your CMS is the most secure, but if you have an older version of your CMS, it can be hard to find information on whether your version is secure or not.
Bookmark this KB, and we will continue to update it with the most current secure version information. For an official list of releases and their notes, please visit DNN Software's website.

What is the latest secure version of DNN?

DNN 9.5.0 — Feature Update
DNN 9.5.0 is a major feature update that fixes numerous bugs in the DNN platform
  • Added support for SSL offloading values in headers
  • Added a new banned icon to indicate unauthorized users
  • Added glob pattern support to manifest file cleanup component
  • Ensures just setting the timezone prop in settings does not save to the database until a save is requested
  • Improved display of journal links and comments (word wrapping)
  • Improves display of missing language flags
  • Moved email and display name above username and password in registration form
  • Made form messages 100% width for better responsive alignment in modules
  • Updated several localization texts to better represent current Dnn UI
  • Bumped jQuery and jQuery related plugins versions
  • Improved progress bar on translation progress
  • Fixed a typo FreindlyName => FriendlyName
  • Ensures that a user is read from data store before we use it in mail
  • Improved display of import progress
  • Fixed a typo in Azure folder settings Syhchronization => Synchronization
  • Updated Blueimp uploader to the latest version
  • Enhanced robots.txt to better support modern development practices
  • Removed Dnn Copyright injection
  • Changed cache-busting URLs to use a hash
  • Improved performance in the pages treeview
  • Improved performance of core messaging
  • Fixed an issue when logging 404 errors with invalid UrlReferrer
  • Fixed an issue where the login page would go into an infinite loop in SSL offloaded environments
  • Fixed an issue where in some cases it was impossible to edit module settings after moving a module to another page
  • Fixed an issue where PageTags were created in the wrong vocabulary scope
  • Fixed an issue where module settings would not save under some conditions
  • Fixed multiple issues with wrong mapping of Canonical and None mapping types
  • Fixed an issue that would show an error when trying to delete a localized version of the home page
  • Fixed an issue where the wrong CDN protocol was used under SSL Offloading environments
  • Fixed an issue where opening page settings would sometimes show the settings for another page
  • Fixed a display issue of Enabled and Priority in sitemap settings
  • Fixed an issue where it was not possible to get the module ID properly when redirect mixed case URLs was enabled
  • Changed the update service URL to a new service
  • Fixed an issue where the wrong portal alias was used when adding new languages
  • Fixed an issue where the wrong alias would show when editing portal URLs
  • Restored a resource key that was accidentally deleted as part of GDPR
  • Fixed an issue where connectors would change name upon disconnection or when adding multiple connectors
  • Fixed an issue where pages in redirect mode would not work under SSL Offloaded environments
  • Fixed module find logic in module attribute to not return deleted modules
  • Fixed an issue with using dependency injection in MVC modules
  • Fixed an issue where the Console and Module Creator modules would not install
  • Fixed an issue where page tags were not kept when exporting a site and importing it on another instance
DNN 9.4.4 — Minor Feature Update
DNN 9.4.4 is a minor feature update that fixes a bug in the DNN platform
  • Fixed a regression issue where MVC modules could have a memory leak issue
DNN 9.4.3 — Minor Feature Update
DNN 9.4.3 is a minor feature update that fixes several bugs in the DNN platform
  • Allows changing from email while testing SMTP configurations
  • Fixed a regression issue where modules that use friendly Urls stopped working in 9.4.2
  • Moved country above region in user profile so the region dropdown populates with correct value for the selected country
  • Fixed an issue where it was impossible to delete a social role if the group folder was not empty
  • Fixed an issue where Select All was not working in site assets
  • Fixed an issue where the scheduler would fail when trying to delete removed objects
  • Fixed a work breaking issue in the journal
  • Fixed an issue in the Servers Persona Bar module where the underlying page would not reload when requested to
  • Fixed an issue where auto-generated child portal urls would include invalid alphanumeric characters
  • Fixed an issue where the Google Analytics connector would incorrectly lowercase the trackingId value
Known Issues
  • There is currently a possible memory leak issue with MVC modules
DNN 9.4.2 — Minor Feature Update
DNN 9.4.2 is a minor feature update that adds functionality to the DNN platform
  • Usernames are no longer changed to the emails when the settings required the email as username
  • Added a warning during install/upgrades that .Net Framework 4.7.2 is required if not present
  • Added a tooltip to indicate to use about 60 characters for best SEO on site descriptions
  • Remove Thread Cancellation from OAuthClientBase Implementation
  • Created INavigationManager to replace Globals.NavigateURL to use Dependency Injection
  • Improvements with module permissions when copying modules
  • Whitespace is now properly visible in the log viewer
  • Removed "No Search Results" display before any search is performed
  • Improved install process to use managedPackage for library dependencies
  • Made navigation stay on the same page after creating a new group instead of redirecting to the group page
  • Updated default portal template so it provides default permissions on portal folders
  • Fixed an issue where site settings were not working after setting up "PRIVACY" section on multi language sites
  • Fixed an issue where sending multiple emails with attachments would fail
  • Fixed an issue where the validation of alphanumeric characters for password requirements was wrong
  • Fixed an issue where it was impossible to remove a site logo
  • Fixed issue where vocabularies would cause an infinite loop
  • Fixed an issue where users could not verify their account if they lost their original account verification email by adding a resend verification link to the unverified account message
  • Prevents creation of blank role group names
  • Fixed a memory leak issue with web api modules
  • Fixed an issue where module settings dialog could not be opened if URLs were converted to lower case
Known Issues
  • It appears we might have an unwanted breaking change in DotNetNuke.Services.Url.FriendlyUrl.FriendlyUrlProvider.FriendlyUrl. If you have modules that use this API you may need to recompile them adding a reference to DotNetNuke.Abstractions.dll or wait for a resolution on this issue.
DNN 9.4.1 — Minor Feature Update
DNN 9.4.1 is a minor update to the platform that focuses heavily on bug fixes
  • Added missing html encoding to exceptions in the Admin Log
  • Added a warning when installing or upgrading if the environment does not have .Net Framework 4.7.2 available
  • Added a confirmation message after localization is saved
  • Fixed an issue where the assets manager activity wheel would constantly spin
  • Fixed a potential xml namespace bug in web.config
  • Fixed invalid binding redirects when upgrading to Dnn 9.4.0
  • Corrected the DotNetNuke.Core NuGet package
  • Fixed a null reference exception when calling Globals.LinkClick method
  • Fixed an issue opening module settings due to selectize.js duplicate versions
  • Fixed an issue with DDRMenu Razor templates and Dependency Injection
  • Fixed an issue with jQuery browser detection
  • Fixed several bugs around import/export
  • Fixed an issue where the standalone version of selectize.js was not used when obtained by CDN
  • Fixed an issue that prevented importing portal languages correctly
  • Fixed an issue with import/export of deleted modules
  • Fixed an issue where the upgrade to 9.4.0 would not save the new version in the database and would redirect to the upgrade wizard
  • Fixed an issue where the print container action would not work
  • Fixed an issue where the data consent last changed date would not read/save consistently in some cultures
  • Fixed an issue where the smtp server tab would always show a separator line
  • Fixed an issue with tab sorting before serialization during export
  • Fixed an issue where the web server dropdown was failing in the scheduler
  • Fixed an issue where the admin log would not include line breaks properly
  • Fixed an issue where it was impossible to set email address as username to ON
  • Fixed an issue with IP filters settings display
  • Fixed an issue where the wrong portal would show in portal settings
  • Fixed an issue where modules would get duplicated when localized
  • Fixed an issue where the wrong overflow was applied to the body after closing the persona bar
  • Fixed an issue where () characters were not replaced in URLs and improved the error message about the situation
  • Fixed an issue that prevented the Persona Bar from upgrading correctly to 9.4.0
  • Fixed an issue where the CkEditor provider would have the dll twice in the install package
DNN 9.4.0 — Feature Update
DNN 9.4.0 is a feature update that adds functionality to the DNN platform
  • Minimum required .NET framework changed to 4.7.2
  • Added GDPR data consent functionality
  • Added Dependency Injection and Removed Circular Dependencies in all Module Pipelines
  • Updated all C# projects in the platform to compile under C# 7.0
  • Replaced JRE based YUI Compressor with MSBuild version
  • Made the Default Module Action Menu configurable
  • Removed GetAzureCompactScript from SqlDataProvider
  • Added setting to display search result for users in specific roles
  • Added functionality to force user logout after the password is changed elsewhere
  • Updated "About" information for DNN Platform to be more relevant and current
  • Corrected file access issues
  • Dependencies will now load during startup even if one fails
  • Fixed an issue where deleted pages would show in parent page selector
DNN 9.3.2 — Minor Feature Update
DNN 9.3.2 is a minor feature update to the platform that adds functionality to the DNN platform
  • Added a placeholder to avoid the delayed slide effect when loading the PersonaBar
  • Security Analyzer now displays the full path to make it easier to find suspicious files identified
  • Azure folders in Digital Assets open faster
  • Uses source-map for webpack config
  • Fixed an installation issue on lower performance database servers
Known Issues
  • The ability to localize the default site into various languages at initial installation is currently non-functional. This is due to issues in the remote data-service provided by Dnn Corp.
DNN 9.3.1 — Feature Update
DNN 9.3.1 is a feature update to the platform that adds functionality to the DNN platform
  • NuGet Package improved
  • Enhanced the common tooltip component for accessibility
  • Updated all React.Common packages to React 16
  • Enabled Greenkeeper
  • Group Privacy Settings moved in Site Settings to a new tab
  • Added Cookie consent and configuration settings for Terms and Privacy pages
  • Added UI connector to manage Google Analytics tracking
  • Added UI for Host Email setting under SMTP Configuration
  • Performance fix for CoreMessaging and Journal procedures
  • Performance & stability fix for Azure & other environments
  • Hover now shows the pane name again when in edit mode
  • Added UI for Small and Large Page Icons back into Page Settings
  • Resolved issue with viewing/editing user profiles on certain pages with http/https differences
DNN 9.2.2 — Minor Feature Update
DNN 9.2.2 is a minor feature update to the platform that adds functionality to the DNN platform
  • Two security fixes issued
  • Performance increased
  • Increased feedback during module install/upgrade cleanup
  • Reduced the scope of cache keys cleared after a user registers for an account
  • Improved MVC support with RedirectToAction
  • Enabled VSTS CI
  • Various undisclosed minor improvements
  • Bug that occurs when registering with email address
DNN 9.2.0 — Feature Update/Maintenance Update
DNN 9.2.0 is a feature update to the platform that adds functionality to the DNN platform
New Features
  • Prompt - New command line Administrative Interface
  • Pages - New Page Management
  • Connectors - New Connector Management via Persona Bar
  • Azure Storage Connector - Migrated from Evoq to Platform
  • Themes - Filtering based on site vs. global
Performance Updates
  • User Search - Faster and more reliable user search in Persona Bar
  • Security Analyzer - Faster initial scan
Framework Updates
  • Libraries updated to - jQuery 3.2.1, Newtonsoft 10.0.3, SharpZipLib
  • Upgraded ClientDependency.Core to 1.9.3
  • Replaced 51 Degrees with local provider
  • Removed ~500 APIs deprecated prior to 7.0
  • New Integration Testing framework
  • Site Settings, Installation & Upgrade, Journal, Localization
  • Messaging, MVC, SEO, Search, User Profile, Login & Registration
  • Client Dependency, CK Editor, DDR Menu, Host SQL, Image Handler
  • Member Directory, Redirect updates, Display module on all pages
DNN 9.1.1 — Minor Feature Update
DNN 9.1.1 is a feature update to the platform that adds additional functionality to the DNN platform
  • The user verification algorithm updated to be FIPS compliant
  • Menu and button interactions show additional validation and user feedback
  • In-app navigation and breadcrumbs have been added and improved, where applicable, to increase usability
  • Made minor UI enhancements in the following menus: Security, Servers, Sites, Scheduler
  • Returned option to select parent page in Page Management when creating a new web page
  • Returned option to stay in edit mode in the Edit Mode toggle
  • New Security Analyzer module added to files list
  • Resource cache now auto-clears after new Persona Bar extension installed
  • Fixed several translation issues in the default language packs
  • Fixed avatar image not displaying correctly in IE11
  • Fixed CSS issue which resets pane width in Edit Mode
  • Fixed incorrect page count in Export summary
  • Fixed user ability to remove system-generated URLs through Page Settings UI
  • Fixed /user Profile Property list showing empty
  • Fixed an admin authorization issue when deploying SPA/MVC modules to child sites
DNN 9.1.0 — Feature Update/Maintenance Update
DNN 9.1.0 is a feature update to the platform that adds functionality to the DNN platform
  • DNN now ships with a module that exports/imports entire websites, as well as more granular components, such as individual site pages, the user database, or the content database
  • DNN now complies with accessibility requirements as defined by the Americans with Disabilities Act (ADA)
  • Added back Extension usage information
  • Enhanced User Management capabilities
  • Additional changes for the ongoing process of phasing out Telerik from DNN
  • Fixed an issue related to importing pages to replace existing pages
  • Fixed performance issue with stored procedures
  • Fixed HTTP offloading issue when CDN is enabled
  • Fixed a page header tag issue where the header tags were being added to the body instead
  • Localized module copy is now working properly
  • Using Captcha no longer throws exceptions
  • Fixed several translation issues for localized menus
  • Added persona bar stability improvements
DNN 9.0.2 — Security Update
For more information on this important DNN security update, read our article on the DNN hotfix:
DNN 9.0.2 is a security update to the platform that patches a vulnerability which, if exploited, would allow user data to be pulled. At the minimum, this exploit could be used to pull user email addresses. In some cases it could then be used to further pull a site user's display name and user name.
If you only use the base DNN platform, this may not be a huge issue. However, someone could potentially scrape a DNN site with this exploit to put together email lists. If you have created custom registration forms, though, this exploit could potentially disclose more important user information. Essentially any information that is asked for in a custom registration form could be pulled through this exploit. Consider your individual site and what type of information you ask visitors for on your registration forms, and realize that if this exploit is not patched someone could potentially gain access to that data.
Third party registration modules may also be vulnerable, depending on how the module handles registration. In those cases DNN Software's hotfix cannot be applied, and you will need to contact the module vendor / developer for an updated version.
DNN's hotfix can be found below, and should be added to the end of the existing /DesktopModules/Admin/Security/Register.ascx file:
<script runat="server">
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        if (Request.QueryString["userid"] != null) // registration must never be requested with a userid
            Response.Redirect(DotNetNuke.Common.Globals.AddHTTP(PortalSettings.PortalAlias.HTTPAlias), true);
    }
</script>
This causes a redirect to the portal’s home page if the userid parameter is provided when requesting the registration page. 
To see DNN's blog post on the security issue, check out the 9.0.2 Release and Security Patch. You can also check out the DNN GitHub documentation release here.

Note that the installable hotfix is included under the DNN 9.0.2 release, which will make the above change for you. However, a site running DNN version 9.0.1 or below will need to have the above hotfix applied.
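The following is an added example, not part of DNN's hotfix or of the original article: a small Python audit that reports whether a site still needs the manual change described above, given its version string and the text of Register.ascx. The function names, status strings and sample file contents are constructed for illustration.

```python
import re

# Per the article: the 9.0.2 release includes the hotfix; 9.0.1 and below need it by hand.
FIXED_IN = (9, 0, 2)

SERVER_COMMENT = re.compile(r"<%--.*?--%>", re.S)        # ASP.NET server-side comments
SCRIPT_BLOCK = re.compile(
    r'<script\b[^>]*\brunat\s*=\s*["\']server["\'][^>]*>(.*?)</script\s*>', re.I | re.S)
CS_COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)     # C# line and block comments
ONLOAD = re.compile(r"\boverride\s+void\s+OnLoad\s*\(")
# ASP.NET matches query-string keys case-insensitively, so accept any casing of "userid".
USERID_CHECK = re.compile(r'Request\.QueryString\s*\[\s*"userid"\s*\]\s*!=\s*null', re.I)
REDIRECT = re.compile(r"\bResponse\.Redirect\s*\(")


def parse_version(text):
    """Turn '9.0.1' or zero-padded '09.00.01' into a comparable (major, minor, build) tuple."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def has_hotfix(ascx_text):
    """True only if live (uncommented) server code overrides OnLoad, tests the
    userid query parameter and then redirects."""
    live_markup = SERVER_COMMENT.sub("", ascx_text)
    for block in SCRIPT_BLOCK.findall(live_markup):
        # Naive comment stripping: a '//' inside a string literal is cut as well,
        # so the result errs toward reporting the hotfix as missing.
        code = CS_COMMENT.sub("", block)
        check = USERID_CHECK.search(code)
        if ONLOAD.search(code) and check and REDIRECT.search(code, check.end()):
            return True
    return False


def audit(version_text, ascx_text):
    """Classify a site from its DNN version string and the contents of Register.ascx."""
    if parse_version(version_text) >= FIXED_IN:
        return "fixed-by-release"
    return "hotfix-present" if has_hotfix(ascx_text) else "hotfix-missing"


# Constructed sample files: stand-in markup, only the hotfix block follows the article.
HOTFIX = '''<script runat="server">
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        if (Request.QueryString["userid"] != null)
        {
            Response.Redirect(DotNetNuke.Common.Globals.AddHTTP(PortalSettings.PortalAlias.HTTPAlias), true);
        }
    }
</script>'''
FORM = '<%@ Control Language="C#" %>\n<div class="dnnForm">registration form</div>\n'
PATCHED = FORM + HOTFIX
UNPATCHED = FORM
DISABLED = FORM + "<%--" + HOTFIX + "--%>"   # hotfix pasted in, then commented out

if __name__ == "__main__":
    samples = [("patched", "9.0.1", PATCHED), ("unpatched", "9.0.1", UNPATCHED),
               ("disabled", "8.0.4", DISABLED), ("upgraded", "9.0.2", UNPATCHED)]
    for name, version, text in samples:
        print(f"{name:10} DNN {version:6} -> {audit(version, text)}")
```

On a real site, pass the contents of /DesktopModules/Admin/Security/Register.ascx as the second argument. A "hotfix-missing" result on 9.0.1 or below means the change above still has to be applied.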
DNN 9.0.1 — Security Update
DNN 9.0.1 is a security update that addresses several security vulnerabilities ranked from "low" to "medium" by the DNN Software team. According to the security bulletin, these vulnerabilities include:
  • 2017-01 (Medium) Antiforgery checks on Web APIs can be ignored in certain situations
  • 2017-02 (Low) Authorization can be bypassed for few Web APIs
  • 2017-03 (Low) Socially engineered link can trick users into some unwanted actions
  • 2017-04 (Low) Unauthorized file-copies can cause disk space issues
More information can be found in the DNN 9.0.1 security bulletin here, and if you want in-depth information on these security vulnerabilities, you can read a detailed breakdown of each of them in the DNN Security Center here. Want to see the full release notes? Check out the DNN Platform update documentation here.
DNN 9.0.0 — Major Features Update
DNN 9.0 is a huge push forward for the platform. Similar to how Windows skipped numbering for "Windows 9" and jumped right to Windows 10, DNN 9 is full of so many new features that making it DNN 8.1 seemed like a disservice. While in early release status, DNN 9 gives a good indication of the direction the platform is going, with a heavier focus on the Content in "Content Management System," as well as stronger pushes for marketing integrations throughout the platform.
The official GitHub release for DNN 9.0.0 can be found here. And if you haven't seen it yet, we recommend checking out the DNN 9 launch video for more information on the direction of the platform: Why Marketing and IT Will Love the New DNN.
DNN 8.0.4 — Security Update
DNN version 8.0.4 is a security update for the DNN / DotNetNuke 8.x series that addresses several security vulnerabilities ranked from "low" to "medium" by the DNN Software team. According to the security bulletin, these vulnerabilities include:
  • 2016-07 (Low) Image files may be copied from DNN's folder to anywhere on server
  • 2016-08 (Low) Certain keywords in search may give an error page
  • 2016-09 (Medium) Non-Admin users with edit permissions may change site containers
  • 2016-10 (Low) Registration link may be used to redirect users to external links
More information can be found in the DNN 8.0.4 security bulletin here, and if you want in-depth information on these security vulnerabilities, you can read a detailed breakdown of each of them in the DNN Security Center here. If you'd like to do a deep dive into the full release notes, check out the DNN Platform 8.0.4 update documentation here.
DNN 8.0.3 — Security Update
DNN version 8.0.3 is an important security update that addresses — once again — the issue with the InstallWizard.aspx file(s) which was first identified and classified as "critical" in May, 2015. We first reported on this issue more than a year ago; however, recently the issue has cropped up again and is affecting several people in the DNN community and their DNN sites.
Whether a full recurrence or not, it is important to note that this is still an issue. If you have not updated your site and followed the recommended best practices we have outlined, please do so to help close this critical vulnerability on your sites. You can read our original article on the issue here, which our team has updated to include the latest information on how to combat this problem.
This is an active issue. For more information, we have written an article on how to address this issue here: DNN install wizard vulnerability resurfaces, users encouraged to address immediately.
DNN 8.0.2 — Security Update
DNN version 8.0.2 is an important security update that addresses a recently identified vulnerability in the DNN 8 core. With a severity classified as "Critical" by DNN Software, this exploit could allow unapproved file uploads by unauthenticated users. This vulnerability affects the following versions: DNN Platform 8.0, DNN Platform 8.0.1, Evoq 8.3, Evoq 8.4 — if you use any of those versions, it is strongly recommended that you update immediately to mitigate the possibility of malicious attacks. Updating to the latest versions — DNN Platform 8.0.2 or Evoq 8.4.1 — will patch this vulnerability. For more information, read the official security release announcement here.
DNN 8.0.1 — Security Update
DNN 8.0.1 is a security release to the DNN 8x series. This minor update addresses three identified vulnerabilities classified as "Low" on the potential threat scale, and one classified as "Critical." The critical vulnerability involves a "Potential CSRF issue on WebAPI POST requests." More information on the 8.0.1 release can be found on the official security bulletin here.
DNN 8.0 — Major Update*
DNN 8 is a full-version upgrade to the popular DNN / DotNetNuke platform. Described as "a major leap forward for DNN" by DNN Software, this version takes a step away from the past while working toward the future. As part of that cleanup, the decision was made to remove many old features of DNN that are no longer used. To that end, the following have been removed from DNN core in the 8x series: SiteLog, UsersOnline, Newsletter Module, Vendors/Banners Modules, ASP2MenuNavigationProvider, DNNMenuNavigation Provider, DNNTreeNavigationProvider, RequestFilter, Widget Framework, and Users Online. Some of the removed features will be moved to GitHub for use by the community.
DNN 8 has a strong focus on improving the overall performance of the platform. Bottlenecks were addressed, static files are now handled differently, and load has been addressed to improve performance; particularly with changes implemented to ensure the best handling of ASP.Net code vs. static code.
For more information on DNN 8, read the official release announcement here, or consult the CodePlex release here.
*NOTE: While the DNN 8x series is the most current major release of the DotNetNuke platform, the Managed.com and PowerDNN team — along with the DNN community — has noted several issues in DNN 8 that should give someone pause before a full update is considered. Yes, our team can help you with your DNN upgrades; however, before making the jump into DNN 8, we recommend you read our knowledge base article: DNN 8 - Features and Breaking Changes. For more information, see the note in our 7.4.2 version log below.
DNN 7.4.2 — Maintenance Update*
DNN 7.4.2 picks up where 7.4.1 left off in stabilizing the 7.4.x series. Version 7.4.2 fixes multiple issues, including: lists in custom registration forms, ignore words in Italian and French, multi-language site rules, malformed URL return parameters, corrections to SSL offload environments, and an issue where site settings could be duplicated. More information on the 7.4.2 release can be found here.
*NOTE: The DNN 7.4.2 release is regarded as the most stable version of the DNN / DotNetNuke platform. Our team can certainly perform an upgrade to DNN 8 for you; however, there are several major changes within the platform that you should consider before deciding to update your site. Due to the multiple issues identified in the DNN 8x series, we recommend you familiarize yourself with the changes our team has outlined in our knowledge base article: DNN 8 - Features and Breaking Changes.
If, however, you are a professional developer or seasoned DNN / DotNetNuke pro, and you feel comfortable with it, then go for it — knowing full well you may have some complications to overcome. If you are unsure or hesitant about what effects DNN 8 may have on your existing site, we recommend updating no further than 7.4.2 at this time. All Managed.com and PowerDNN customers may, of course, open a ticket to speak with our support team about updates.
If you are building a new site from the ground up, however, you are fine to use the most current, secure version of the DNN 8x series. Many of the breaking complications come up through updating a site, and do not seem to be present if building a new DNN 8 site from scratch.
DNN 7.4.1 — Maintenance Update
DNN 7.4.1 is intended solely as a stabilization update that addresses the bulk of the issues found in 7.4. More info about 7.4.1 can be found here.
DNN 7.4 — Features Update
While DNN 7.4 has been released, our engineers are not actively recommending it at this time. Due to several errors and technical issues discovered since its release, we still recommend that DNN users stick with version 7.3.3 for stability and usability reasons. If you are an experienced DNN developer, you may feel perfectly comfortable upgrading to 7.4. More information on DNN 7.4 can be found here and here.
DNN 7.3.3 — Maintenance Update
DNN version 7.3.3 is a maintenance release that addresses several fixes in the DNN / DotNetNuke core. Items addressed include: an issue where notifications were not updating properly, issues with upgrades failing, a minor security issue, and several other tweaks and enhancements. For more information on the 7.3.3 release, view the highlight notes here.
DNN 7.3.2 — Maintenance Update
DNN version 7.3.2 includes several new features, such as fixing several skin issues, CDN settings for JavaScript libraries, and the tricky runaway thread issue that caused high CPU usage. We fully support this version and have cleared it for use by our team of DNN / DotNetNuke experts. For more information on the 7.3.2 release, view the highlight notes here.
DNN 7.3 — Insecure
While DNN 7.3 includes many new features, our team of engineers — and the DNN / DotNetNuke Community — has found numerous issues with this update. While these errors are not "full regressions," they do potentially pose a problem to your DNN site. Our recommendation is to wait for DNN 7.3.2. You can find out more about our reasons here.
DNN 7.2.2 — Security Update
DNN 7.2.1 is a significant upgrade and includes a number of excellent new features for DotNetNuke. We recommend existing DotNetNuke websites upgrade immediately for new features, performance enhancements, bug fixes, and additional security protections. DNN 7.2 includes an updated SQL module, JavaScript Library Management, enhanced search, and many other improvements. For a full list of changes, see the 7.2 release notes here.

DNN 7.2.1 — Security Update
This version of DNN was released only six weeks after 7.2, and includes "significant value in the areas of security, performance, and user experience." Full details for the 7.2.1 update can be found in the release notes here. DNN 7.2.2 includes maintenance tweaks and new features for users. More information can be found here.

DotNetNuke 6.2.8
DotNetNuke 6.2.8 makes your website social. You can build social communities using new features such as Facebook Login, Social Groups, Member Directories, Activity Feeds, and much more.  DotNetNuke 6.2.8 has been thoroughly tested and is recommended for production.
DotNetNuke 6.x
If you are running a DotNetNuke 6.x release prior to version 6.2.8, we recommend upgrading to patch security issues.

DotNetNuke 5.6.8
While DotNetNuke 5.6.8 is a stable and secure version, DotNetNuke Corporation no longer actively enhances it. Customers who run DotNetNuke 5.6.8 should consider upgrading in the near future.

Don't See Your Version Here? You Need To Upgrade
If you do not see your version of DNN / DotNetNuke here, you should upgrade immediately for the latest security and performance benefits. Certain older versions of DotNetNuke may contain critical security vulnerabilities.
