DNN / DotNetNuke / Evoq — Secure and Latest Versions

As a courtesy to our customers, we maintain a list of recent versions and the important security updates for DNN / DotNetNuke. Generally, the most current version of your CMS is the most secure, but if you have an older version of your CMS, it can be hard to find information on whether your version is secure or not.
Bookmark this KB, and we will continue to update it with the most current secure version information. For an official list of releases and their notes, please visit DNN Software's website.

What is the latest secure version of DNN?

DNN 9.10.2 — Minor Feature Update
DNN 9.10.2 is an update to the minor version of the platform.
  • Corrects some styling issues with IE11
  • Corrects a typo in CKEditor for dnnpages plugin in french
  • Allows multiple DesktopModules per PackageID
  • Removes module specific styling for a default DNN Button
  • Removes "Dummy" from code
  • Fixes a serialization issue with authentication config
  • Fixes an issue that prevented inserting links using the default HTML Editor Provider
  • Adds back alternate views for core mail provider
  • Fixes an issue where custom Analyzer types generate System.MissingMethodException
  • Fixes an issue where it was impossible to edit html on child portals
  • Fixes an issue where the wrong RedirectAfter tabs were showing for localized sites
DNN 9.10.1 — Minor Feature Update
DNN 9.10.1 is an update to the minor version of the platform and includes a fix for a known, undisclosed security issue.
  • Fixes an issue where deleting the parent page while the child page was open didn't redirect
  • Fixes an issue where dnn.js was not requested for cookie consent
  • Fixes an issue where the wrong PortalId was getting set when there were multiple sites existing
  • Fixes an issue where some field values were missing in messaging
DNN 9.10.0 — Minor Feature Update
DNN 9.10.0 is an update to the minor version of the platform.
  • Adds support for Azure folder provider cache-control
  • Improves base styling of PersonaBar & EditBar and allows for customization
  • Brings back update notification
  • Adds Web.config schema validation to the Configuration Manager
  • Adds support for absolute and relative URLs for pages
  • Adds email to password sent message for error tracing
  • Improves wording on Site Groups localization
  • Clarifies text on module anchor feature
  • Improves validation of IP address for login
  • Removes the logo from the Under Construction page
  • Enhances styling for server summary in persona bar
  • Fixes an issue where disabling password strength meter did not disable it in the password reset form
  • Fixes an issue where MailKitMailProvider used an incorrect mail priority
  • Fixes an issue where FolderManager would sometimes throw a null reference exception
  • Fixes an issue where some tool-tips were not visible in SiteGroups
  • Fixes an issue where the HTML Editor Manager would fail to load
  • Fixes an issue with RedirectAfter settings being overwritten
  • Fixes an issue that prevented uploading files into assets on Turkish localization
  • Fixes an issue where Breadcrumbs had invalid metadata for disabled pages
  • Fixes some typos in Prompt localization
  • Fixes an issue where exporting a page after changing a module's order within the same pane didn't reflect in imported site
  • Fixes an issue where Cache-Setting 'NoCaching' was not saved
  • Fixes an issue where UserInfo.UserName was wrong with "Use email as username" setting turned on
  • Fixes an issue where SQL Console raised an error for variable declarations with "@" character
  • Fixes an issue where the profile picture was not shown to anonymous users
  • Fixes an issue that prevented RC1 from installing or upgrading
DNN 9.9.1 — Minor Feature Update
DNN 9.9.1 is a minor update to fix existing bugs and add two new features.
  • Adds support for Page Stylesheets stored in AzureFolderProvider
  • Adds capability to add existing modules from other sites in site group
  • Fixes an issue where AzureFolderProvider was uploading the same file with different case
  • Fixes an issue where the PersonaBar would not load if in an iframe
  • Removes the extra hard-coded spaces from UserAndLogin Theme Object
  • Ensures the content is decoded before being passed to tokenization providers
  • Fixes an issue where checksums were not generated in CI builds
  • Fixes an issue where CK-Editor provider did not include image files in install package
  • Fixes redirect to primary alias when PortalAliasMapping is set to redirect
  • Fixes upgrade issue involving MailKit by including it in a package
  • Fixes an issue that prevented MailKit configuration upon some upgrades
DNN 9.9.0 — Minor Feature Update
DNN 9.9.0 is an update to the minor version of the platform and, importantly, adds the ability to remove all Telerik references from the framework.
  • Adds optional Telerik removal
  • Adds support for additional mail providers
  • Adds new Quick Add Module option from the edit bar
  • Adds optional EasyImage upload in CK Editor plugins
  • Adds new Web Servers tab in Servers persona bar module
  • Updates CK Editor to version 4.15.1
  • Updates Azure connector logo to current logo
  • Fixes an issue where it was impossible to create a page of type "file"
  • Fixes an issue where page redirect always returned 301 (permanent) regardless of setting
  • Restores Mail.ConvertToText method that was accidentally removed
  • Fixes an issue with PortalInfo.PortalId by removing a member that varied only by case and caused issues with case insensitive languages
  • Properly show errors as an error and not a success in log settings
  • Resolves an issue where new sites could not be created due to missing sitemap settings in the sites templates
  • Fixes a caching issue in TermsController
  • Resolves issue with lowercase URL's and account verification
  • Fixes an issue with DnnImageHandler when the file-path had mixed casing
  • Fixes an issue with the link popup in the new CK Editor version
  • Fixes an issue where users were unable to upload files when there was an unexpected line break in the allowable file extensions
  • Fixes an issue where sitemap priority was incorrectly defaulting to 0 for new pages instead of 0.5
  • Fixes an issue where MailKit was missing BouncyCastle.Crypto reference
  • Fixes an issue that prevented Google Tag Manager from creating scripts and deleting connections
  • Fixes an issue where BCC and CC were not applied on emails
  • Adjusts mailkit provider to automatically handle TLS negotiation
  • Optimizes images compression
  • Addresses a potential email parsing error
  • Removes the samples folder from CKEditor
DNN 9.8.1 — Minor Feature Update
DNN 9.8.1 is a minor update to fix existing bugs and add several new features.
  • Adds Page ID to the Page Management UI
  • Adds google tagmanager connector
  • Implements EnablePopups switch in portal settings PB module
  • Adds InjectModuleHyperlink and InlineEditorEnabled to the SiteSettings module
  • Ensures comments are only inserted when necessary in web.config
  • Changes WebConfigurationManager for ConfigurationManager, allowing users to implement the connection string in AppService and remove it from the web.config
  • Improves error message when uploading an invalid extension
  • Prevents caching pages that are redirected
  • Removes dragover state from element when dragged between pages
  • Updates the monaco font so it uses a monospace font
  • Removes "Running Default" check from Default.aspx
  • Avoids checking user permissions if there is no user
  • Fixes an issue where redirect after login would not work if the login page had a different name than "login"
  • Fixes an issue where the country/region lists would show the id instead of the name when used by keyboard
  • Fixes an issue where creating multiple pages would not properly validate for a valid parent page
  • Corrects a wrong tooltip about SEO page priorities
  • Resolves all build warnings in Google Analytics Connector
  • Removes an impractical rule about merging pull requests
  • Resolves an InvalidData exception in DFS environments when exporting sites
  • Fixes an issue where the registration module would use the incorrect language
  • Fixes an issue with SCAYT getting the wrong language code
  • Fixes an issue where the data reader would not get disposed
  • Fixes an issue where the validation lines were incorrect for the new password field
  • Fixes DataProvider failures
  • Ensures properties in DTO objects use backing fields. This caused localization issues with serialization
  • Fixes AddContentItem Audit Trail for CreatedByUserId & LastModifiedByUserId
  • Fixes an issue where Umlaut characters in URL caused module setting error
  • Fixes a wrong sitemap configuration on portal creation
  • Reverts a commit that caused issues with language cookies
  • Fixes an issue where the AssemblyInstaller would fail removing a dll if it was already missing from disk
  • Fixes an issue where denying the ADD permission for a role on an asset would make it invisible to users on CKE Editor
DNN 9.8.0 — Feature Update
DNN 9.8.0 is a major feature update that features a large number of bug patches, a new optional file manager called Resource Manager, the ability to edit the robots.txt file in the user interface, and allows a developer to remove Telerik dependencies from the DNN framework entirely if desired.
  • Implements a new optional file manager called Resource Manager
  • Adds host setting option and ability to use settings outside module context
  • Adds support for editing the robots.txt on a website
  • Implements Email Provider support
  • Adds support for C# Async Constructs During Page Rendering
  • Replaces momentjs with dayjs in Servers.Web
  • Replaces momentjs with dayjs in Users.Web
  • Removes all unused code from Upgrade/Installer Code
  • Removes the Improvement Program
  • Adds a scheduled task to purge Expired JWT tokens
  • Adds portal name to SMTP test email for better identification
  • Swaps CodeMirror for Monaco Editor
  • Removes Telerik references
  • Adds personaBarContainer css class together with incorrect personalBarContainer
  • Lowercases the meta tag names in rendered html
  • Updates DDR Menu to be System Package and prevent accidental uninstallation
  • Refactors JWT provider code
  • Upgrades optional packages when they've already been installed
  • Fixes an issue where modules without a manifest would not follow Dnn versioning
  • Fixes a UI alignment issue with Search Results
  • Fixes an issue where all emails were missing the body
  • Fixes an issue where new users would have no preferred locale
  • Fixes an issue where newly created sub-folder was not shown if the parent folder name starts with 0
  • Fixes an issue where the module friendly name was not updated as part of module extension update
  • Fixes an issue where it was not possible to set page permissions for "unauthentication users" role
  • Fixes a styling issue for checked Accept License checkbox in Extension installer
  • Fixes an issue where the React common components would interfere with container CSS class
  • Fixes an issue where module dialog added new module to wrong pane
  • Fixes an issue where the incorrect icon would show for errors in the Pages module
  • Fixes an issue where Dnn would not install due to a missing config file
  • Fixes an issue where some Visual Basic modules would fail due to members that differed only by case
  • Removes beacon setting on upgrade
  • Fixes an issue with module pane placement after export/import
  • Fixes an issue where 09.07.03.config was not included in the project
  • Fixes an issue that would cause an infinite redirect loop on mobile
  • Fixes an issue where some dates were not parsed with invariant culture, which caused issues for non-Gregorian calendars
  • Fixes an issue where the Event Log would fail silently during application startup
  • Fixes an issue where page title and description would get saved with site values unintentionally
  • Fixes an issue with profile image visibility
  • Fixes an issue where line breaks and year tokens would not be properly formatted in Social Messaging
  • Ensures new Localization HTTP module is running soon enough
  • Removes Localization HTTP module from config
  • Fixes Localization Issues in WebAPI
  • Fixes the web.config errors for the new Localization module
DNN 9.7.2 — Minor Feature Update
DNN 9.7.2 is a minor update to fix existing bugs.
  • Creates IPortalAliasService for Dependency Injection
  • Moves pencil icon to the right ... menu in pages module
  • Implements sorting in column headers on the users table
  • Uses request scope in PortalModuleBase
  • Changes 'DNN Error' to 'Application Error'
  • Adds the ability to set mobile view cookie name in root web.config
  • Warns admins about running search indexer on wrong server
  • Fixes an issue where page went into wrong workflow state after import
  • Fixes an issue with user management in portal groups
  • Fixes bug with hierarchical vocabularies
  • Fixes an issue where, when a new page was created by "Add page", the "Advanced/More/Secure Connection" property was always stored as "Off", regardless of the setting in the UI
  • Fixes an issue where validation passed when creating multiple pages with the same page name in the same hierarchy
  • Fixes an issue that prevents 9.7.0 to 9.7.1 upgrades
DNN 9.5.0 — Feature Update
DNN 9.5.0 is a major feature update that fixes numerous bugs in the DNN platform
  • Added support for SSL offloading values in headers
  • Added a new banned icon to indicate unauthorized users
  • Added glob pattern support to manifest file cleanup component
  • Ensures just setting the timezone prop in settings does not save to the database until a save is requested
  • Improved display of journal links and comments (word wrapping)
  • Improves display of missing language flags
  • Moved email and display name above username and password in registration form
  • Made form messages 100% width for better responsive alignment in modules
  • Updated several localization texts to better represent current Dnn UI
  • Bumped jQuery and jQuery related plugins versions
  • Improved progress bar on translation progress
  • Fixed a typo FreindlyName => FriendlyName
  • Ensures that a user is read from data store before we use it in mail
  • Improved display of import progress
  • Fixed a typo in Azure folder settings Syhchronization => Synchronization
  • Updated Blueimp uploader to the latest version
  • Enhanced robots.txt to better support modern development practices
  • Removed Dnn Copyright injection
  • Changed cache-busting URLs to use a hash
  • Improved performance in the pages treeview
  • Improved performance of core messaging
  • Fixed an issue when logging 404 errors with invalid UrlReferrer
  • Fixed an issue where the login page would go into an infinite loop in SSL offloaded environments
  • Fixed an issue where in some cases it was impossible to edit module settings after moving a module to another page
  • Fixed an issue where PageTags were created in the wrong vocabulary scope
  • Fixed an issue where module settings would not save under some conditions
  • Fixed multiple issues with wrong mapping of Canonical and None mapping types
  • Fixed an issue that would show an error when trying to delete a localized version of the home page
  • Fixed an issue where the wrong CDN protocol was used under SSL Offloading environments
  • Fixed an issue where opening page settings would sometimes show the settings for another page
  • Fixed a display issue of Enabled and Priority in sitemap settings
  • Fixed an issue where it was not possible to get the module ID properly when redirect mixed case URLs was enabled
  • Changed the update service URL to a new service
  • Fixed an issue where the wrong portal alias was used when adding new languages
  • Fixed an issue where the wrong alias would show when editing portal URLs
  • Restored a resource key that was accidentally deleted as part of GDPR
  • Fixed an issue where connectors would change name upon disconnection or when adding multiple connectors
  • Fixed an issue where pages in redirect mode would not work under SSL Offloaded environments
  • Fixed module find logic in module attribute to not return deleted modules
  • Fixed an issue with using dependency injection in MVC modules
  • Fixed an issue where the Console and Module Creator modules would not install
  • Fixed an issue where page tags were not kept when exporting a site and importing it on another instance
DNN 9.4.4 — Minor Feature Update
DNN 9.4.4 is a minor feature update that fixes a bug in the DNN platform
  • Fixed a regression issue where MVC modules could have a memory leak issue
DNN 9.4.3 — Minor Feature Update
DNN 9.4.3 is a minor feature update that fixes several bugs in the DNN platform
  • Allows changing from email while testing SMTP configurations
  • Fixed a regression issue where modules that use friendly Urls stopped working in 9.4.2
  • Moved country above region in user profile so the region dropdown populates with correct value for the selected country
  • Fixed an issue where it was impossible to delete a social role if the group folder was not empty
  • Fixed an issue where Select All was not working in site assets
  • Fixed an issue where the scheduler would fail when trying to delete removed objects
  • Fixed a work breaking issue in the journal
  • Fixed an issue in the Servers Persona Bar module where the underlying page would not reload when requested to
  • Fixed an issue where auto-generated child portal urls would include invalid alphanumeric characters
  • Fixed an issue where the Google Analytics connector would incorrectly lowercase the trackingId value
Known Issues
  • There is currently a possible memory leak issue with MVC modules
DNN 9.4.2 — Minor Feature Update
DNN 9.4.2 is a minor feature update that adds functionality to the DNN platform
  • Usernames are no longer changed to the emails when the settings required the email as username
  • Added a warning during install/upgrades that .Net Framework 4.7.2 is required if not present
  • Added a tooltip to indicate to use about 60 characters for best SEO on site descriptions
  • Remove Thread Cancellation from OAuthClientBase Implementation
  • Created INavigationManager to replace Globals.NavigateURL to use Dependency Injection
  • Improvements with module permissions when copying modules
  • Whitespace is now properly visible in the log viewer
  • Removed "No Search Results" display before any search is performed
  • Improved install process to use managedPackage for library dependencies
  • Made navigation stay on the same page after creating a new group instead of redirecting to the group page
  • Updated default portal template so it provides default permissions on portal folders
  • Fixed an issue where site settings were not working after setting up "PRIVACY" section on multi language sites
  • Fixed an issue where sending multiple emails with attachments would fail
  • Fixed an issue where the validation of alphanumeric characters for password requirements was wrong
  • Fixed an issue where it was impossible to remove a site logo
  • Fixed issue where vocabularies would cause an infinite loop
  • Fixed an issue where users could not verify their account if they lost their original account verification email by adding a resend verification link to the unverified account message
  • Prevents creation of blank role group names
  • Fixed a memory leak issue with web api modules
  • Fixed an issue where module settings dialog could not be opened if urls were converted to lower case
Known Issues
  • It appears we might have an unwanted breaking change in DotNetNuke.Services.Url.FriendlyUrl.FriendlyUrlProvider.FriendlyUrl. If you have modules that use this API you may need to recompile them adding a reference to DotNetNuke.Abstractions.dll or wait for a resolution on this issue.
DNN 9.4.1 — Minor Feature Update
DNN 9.4.1 is a minor update to the platform that focuses heavily on bug fixes
  • Added missing html encoding to exceptions in the Admin Log
  • Added a warning when installing or upgrading if the environment does not have .Net Framework 4.7.2 available
  • Added a confirmation message after localization is saved
  • Fixed an issue where the assets manager activity wheel would constantly spin
  • Fixed a potential xml namespace bug in web.config
  • Fixed invalid binding redirects when upgrading to Dnn 9.4.0
  • Corrected the DotNetNuke.Core NuGet package
  • Fixed a null reference exception when calling Globals.LinkClick method
  • Fixed an issue opening module settings due to selectize.js duplicate versions
  • Fixed an issue with DDRMenu Razor templates and Dependency Injection
  • Fixed an issue with jQuery browser detection
  • Fixed several bugs around import/export
  • Fixed an issue where the standalone version of selectize.js was not used when obtained by CDN
  • Fixed an issue that prevented importing portal languages correctly
  • Fixed an issue with import/export of deleted modules
  • Fixed an issue where the upgrade to 9.4.0 would not save the new version in the database and would redirect to the upgrade wizard
  • Fixed an issue where the print container action would not work
  • Fixed an issue where the data consent last changed date would not read/save consistently in some cultures
  • Fixed an issue where the smtp server tab would always show a separator line
  • Fixed an issue with tab sorting before serialization during export
  • Fixed an issue where the web server dropdown was failing in the scheduler
  • Fixed an issue where the admin log would not include line breaks properly
  • Fixed an issue where it was impossible to set email address as username to ON
  • Fixed an issue with IP filters settings display
  • Fixed an issue where the wrong portal would show in portal settings
  • Fixed an issue where modules would get duplicated when localized
  • Fixed an issue where the wrong overflow was applied to the body after closing the persona bar
  • Fixed an issue where () characters were not replaced in URLs and improved the error message about the situation
  • Fixed an issue that prevented the Persona Bar to upgrade correctly to 9.4.0
  • Fixed an issue where the CkEditor provider would have the dll twice in the install package
DNN 9.4.0 — Feature Update
DNN 9.4.0 is a feature update that adds functionality to the DNN platform
  • Minimum required .NET framework changed to 4.7.2
  • Added GDPR data consent functionality
  • Added Dependency Injection and Removed Circular Dependencies in all Module Pipelines
  • Updated all C# projects in the platform to compile under C# 7.0
  • Replaced JRE based YUI Compressor with MSBuild version
  • Made the Default Module Action Menu configurable
  • Removed GetAzureCompactScript from SqlDataProvider
  • Added setting to display search result for users in specific roles
  • Added functionality to force user logout after password changed in other place
  • Updated "About" information for DNN Platform to be more relevant and current
  • Corrected file access issues
  • Dependencies will now load during startup even if one fails
  • Fixed an issue where deleted pages would show in parent page selector
DNN 9.3.2 — Minor Feature Update
DNN 9.3.2 is a minor feature update to the platform that adds functionality to the DNN platform
  • Added a placeholder to avoid the delayed slide effect when loading the PersonaBar
  • Security Analyzer now displays the full path to make it easier to find suspicious files identified
  • Azure folders in Digital Assets open faster
  • Uses source-map for webpack config
  • Fixed an installation issue on lower performance database servers
Known Issues
  • The ability to localize the default site into various languages at initial installation is currently non-functional. This is due to issues in the remote data-service provided by Dnn Corp.
DNN 9.3.1 — Feature Update
DNN 9.3.1 is a feature update to the platform that adds functionality to the DNN platform
  • NuGet Package improved
  • Enhanced the common tooltip component for accessibility
  • Updated all React.Common packages to React 16
  • Enabled Greenkeeper
  • Group Privacy Settings moved in Site Settings to a new tab
  • Added Cookie consent and configuration settings for Terms and Privacy pages
  • Added UI connector to manage Google Analytic tracking
  • Added UI for Host Email setting under SMTP Configuration
  • Performance fix for CoreMessaging and Journal procedures
  • Performance & stability fix for Azure & other environments
  • Hover now shows the pane name again when in edit mode
  • Added UI for Small and Large Page Icons back into Page Settings
  • Resolved issue with viewing/editing user profiles on certain pages with http/https differences
DNN 9.2.2 — Minor Feature Update
DNN 9.2.2 is a minor feature update to the platform that adds functionality to the DNN platform
  • Two security fixes issued
  • Performance increased
  • Increased feedback during module install/upgrade cleanup
  • Reduced the scope of cache keys cleared after a user registers for an account
  • Improved MVC support with RedirectToAction
  • Enabled VSTS CI
  • Various undisclosed minor improvements
  • Bug that occurs when registering with email address
DNN 9.2.0 — Feature Update/Maintenance Update
DNN 9.2.0 is a feature update to the platform that adds functionality to the DNN platform
New Features
  • Prompt - New command line Administrative Interface
  • Pages - New Page Management
  • Connectors - New Connector Management via Persona Bar
  • Azure Storage Connector - Migrated from Evoq to Platform
  • Themes - Filtering based on site vs. global
Performance Updates
  • User Search - Faster and more reliable user search in Persona Bar
  • Security Analyzer - Faster initial scan
Framework Updates
  • Libraries updated to - jQuery 3.2.1, NewtonSoft 10.0.3, Sharpzlib
  • Upgraded ClientDependency.Core to 1.9.3
  • Replaced 51 Degrees with local provider
  • Removed ~500 APIs deprecated prior to 7.0
  • New Integration Testing framework
  • Site Settings, Installation & Upgrade, Journal, Localization
  • Messaging, MVC, SEO, Search, User Profile, Login & Registration
  • Client Dependency, CK Editor, DDR Menu, Host SQL, Image Handler
  • Member Directory, Redirect updates, Display module on all pages
DNN 9.1.1 — Minor Feature Update
DNN 9.1.1 is a feature update to the platform that adds additional functionality to the DNN platform
  • The user verification algorithm updated to be FIPS compliant
  • Menu and button interactions show additional validation and user feedback
  • In-app navigation and breadcrumbs have been added and improved, where applicable, to increase usability
  • Made minor UI enhancements in the following menus: Security, Servers, Sites, Scheduler
  • Returned option to select parent page in Page Management when creating a new web page
  • Returned option to stay in edit mode in the Edit Mode toggle
  • New Security Analyzer module added to files list
  • Resource cache now auto-clears after new Persona Bar extension installed
  • Fixed several translation issues in the default language packs
  • Fixed avatar image not displaying correctly in IE11
  • Fixed CSS issue which resets pane width in Edit Mode
  • Fixed incorrect page count in Export summary
  • Fixed user ability to remove system-generated URL's through Page Settings UI
  • Fixed /user Profile Property list showing empty
  • Fixed an admin authorization issue when deploying SPA/MVC modules to child sites
DNN 9.1.0 — Feature Update/Maintenance Update
DNN 9.1.0 is a feature update to the platform that adds functionality to the DNN platform
  • DNN now ships with a module that exports/imports entire websites, as well as more granular components, such as individual site pages, the user database, or the content database
  • DNN now complies with accessibility requirements as defined by the Americans with Disabilities Act (ADA)
  • Added back Extension usage information
  • Enhanced User Management capabilities
  • Additional changes for the ongoing process of phasing out Telerik from DNN
  • Fixed an issue related to importing pages to replace existing pages
  • Fixed performance issue with stored procedures
  • Fixed HTTP offloading issue when CDN is enabled
  • Fixed a page header tag issue where the header tags were being added to the body instead
  • Localized module copy is now working properly
  • Using Captcha no longer throws exceptions
  • Fixed several translation issues for localized menus
  • Added persona bar stability improvements
DNN 9.0.2 — Security Update
For more information on this important DNN security update, read our article on the DNN hotfix:
DNN 9.0.2 is a security update to the platform that patches a vulnerability that, if exploited, would allow for the pulling of user data. At the minimum, this exploit could be used to pull user email addresses. In some cases it could then be used to further pull a site user's display name and user name.
If you only use the base DNN platform, this may not be a huge issue. However, someone could potentially scrub a DNN site with this exploit to put together email lists. If you have created custom registration forms, though, this exploit could potentially disclose more important user information. Essentially any information that is asked for in a custom registration form could be pulled through this exploit. Consider your individual site, what type of information you ask visitors on your registration forms, and realize that if this exploit is not patched someone could potentially gain access to that data.
Third party registration modules may also be vulnerable, depending on how the module handles registration. In those cases DNN Software's hotfix cannot be applied, and you will need to contact the module vendor / developer for an updated version.
DNN's hotfix can be found below, and should be added to the end of the existing /DesktopModules/Admin/Security/Register.ascx file:
<script runat="server">
    protected override void OnLoad(EventArgs e)
    {
        if (Request.QueryString["userid"] != null)
            Response.Redirect(DotNetNuke.Common.Globals.AddHTTP(PortalSettings.PortalAlias.HTTPAlias), true);
        base.OnLoad(e); // otherwise continue with the normal registration page load
    }
</script>
This causes a redirect to the portal’s home page if the userid parameter is provided when requesting the registration page. 
To see DNN's blog post on the security issue, check out the 9.0.2 Release and Security Patch. You can also check out the DNN GitHub documentation release here.

Note that the installable hotfix is included under the DNN 9.0.2 release, which will make the above change for you. However, a site running DNN version 9.0.1 or below will need to have the above hotfix applied.
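To check whether a site was probed before or after the hotfix went in, the following added example (not DNN's or this KB's own code) scans IIS W3C logs for registration-page requests that carry a userid parameter and groups them by client address. It assumes the registration URL contains the text "register" and treats a 3xx status as the hotfix redirect; the log lines are constructed samples.

```python
"""Scan IIS W3C logs for registration-page requests that carry a userid parameter."""
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed sample log for illustration; addresses are from documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2017-03-01 10:00:01 203.0.113.7 GET /Register userid=1 200
2017-03-01 10:00:02 203.0.113.7 GET /Register userid=2 200
2017-03-01 10:00:03 203.0.113.7 GET /Register UserId=3 200
2017-03-01 10:00:04 203.0.113.7 GET /Register userid=4 302
2017-03-01 10:05:00 198.51.100.20 GET /Register returnurl=%2f 200
2017-03-01 10:06:00 198.51.100.21 GET /Default.aspx ctl=Register&userid=9 200
2017-03-01 10:07:00 198.51.100.22 GET /Products userid=5 200
"""

REQUIRED_FIELDS = ("c-ip", "cs-uri-stem", "cs-uri-query", "sc-status")


def iter_records(lines):
    """Yield one dict per log entry, honouring every #Fields directive in the file."""
    fields = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no schema seen yet, or a truncated/malformed line
        yield dict(zip(fields, values))


def userid_values(query):
    """Return the values of any userid parameter in a logged query string.

    ASP.NET query-string keys are case-insensitive, so the name is compared
    in lower case. IIS logs an empty query string as "-".
    """
    if query == "-":
        return []
    pairs = parse_qsl(query, keep_blank_values=True)
    return [value for key, value in pairs if key.lower() == "userid"]


def find_userid_probes(lines, register_marker="register", min_distinct=3):
    """Group registration-page requests carrying userid by client IP.

    register_marker is an assumption about the site's registration URL and
    should be adjusted per site. Clients are reported once they have asked for
    at least min_distinct different userid values.
    """
    per_ip = defaultdict(lambda: {"userids": set(), "served": 0, "redirected": 0})
    for rec in iter_records(lines):
        if any(name not in rec for name in REQUIRED_FIELDS):
            continue
        ids = userid_values(rec["cs-uri-query"])
        target = (rec["cs-uri-stem"] + "?" + rec["cs-uri-query"]).lower()
        if not ids or register_marker.lower() not in target:
            continue
        entry = per_ip[rec["c-ip"]]
        entry["userids"].update(ids)
        status = rec["sc-status"]
        if status == "200":
            entry["served"] += 1      # page rendered: the hotfix was not in effect
        elif status.startswith("3"):
            entry["redirected"] += 1  # consistent with the hotfix redirect
    return {
        ip: {
            "userids": sorted(entry["userids"]),
            "served": entry["served"],
            "redirected": entry["redirected"],
        }
        for ip, entry in per_ip.items()
        if len(entry["userids"]) >= min_distinct
    }


if __name__ == "__main__":
    for ip, info in find_userid_probes(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

Any client with a non-zero "served" count received the registration page with a userid supplied, so those requests are the ones to review against the data your registration form collects.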
DNN 9.0.1 — Security Update
DNN 9.0.1 is a security update that addresses several security vulnerabilities ranked from "low" to "medium" by the DNN Software team. According to the security bulletin, these vulnerabilities include:
  • 2017-01 (Medium) Antiforgery checks on Web APIs can be ignored in certain situations
  • 2017-02 (Low) Authorization can be bypassed for few Web APIs
  • 2017-03 (Low) Socially engineered link can trick users into some unwanted actions
  • 2017-04 (Low) Unauthorized file-copies can cause disk space issues
More information can be found in the DNN 9.0.1 security bulletin here, and if you want in-depth information on these security vulnerabilities, you can read a detailed breakdown of each of them in the DNN Security Center here. Want to see the full release notes? Check out the DNN Platform update documentation here.
DNN 9.0.0 — Major Features Update
DNN 9.0 is a huge push forward for the platform. Similar to how Windows skipped numbering for "Windows 9" and jumped right to Windows 10, DNN 9 is full of so many new features that making it DNN 8.1 seemed like a disservice. While in early release status, DNN 9 gives a good indication of the direction the platform is going, with a heavier focus on the Content in "Content Management System," as well as stronger pushes for marketing integrations throughout the platform.
The official GitHub release for DNN 9.0.0 can be found here. And if you haven't seen it yet, we recommend checking out the DNN 9 launch video for more information on the direction of the platform: Why Marketing and IT Will Love the New DNN.
DNN 8.0.4 — Security Update
DNN version 8.0.4 is a security update for the DNN / DotNetNuke 8.x series that addresses several security vulnerabilities ranked from "low" to "medium" by the DNN Software team. According to the security bulletin, these vulnerabilities include:
  • 2016-07 (Low) Image files may be copied from DNN's folder to anywhere on server
  • 2016-08 (Low) Certain keywords in search may give an error page
  • 2016-09 (Medium) Non-Admin users with edit permissions may change site containers
  • 2016-10 (Low) Registration link may be used to redirect users to external links
More information can be found in the DNN 8.0.4 security bulletin here, and if you want in-depth information on these security vulnerabilities, you can read a detailed breakdown of each of them in the DNN Security Center here. If you'd like to do a deep dive into the full release notes, check out the DNN Platform 8.0.4 update documentation here.
DNN 8.0.3 — Security Update
DNN version 8.0.3 is an important security update that addresses — once again — the issue with the InstallWizard.aspx file(s) which was first identified and classified as "critical" in May, 2015. We first reported on this issue more than a year ago; however, recently the issue has cropped up again and is affecting several people in the DNN community and their DNN sites.
Whether a full regression or not, it is important to note that this is still an issue. If you have not updated your site and followed the recommended best practices we have outlined, please do so to help close this critical vulnerability on your sites. You can read our original article on the issue here, which our team has updated to include the latest information on how to combat this problem.
This is an active issue. For more information, we have written an article on how to address this issue here: DNN install wizard vulnerability resurfaces, users encouraged to address immediately.
DNN 8.0.2 — Security Update
DNN version 8.0.2 is an important security update that addresses a recently identified vulnerability in the DNN 8 core. With a severity classified as "Critical" by DNN Software, this exploit could allow unapproved file uploads by unauthenticated users. This vulnerability affects the following versions: DNN Platform 8.0, DNN Platform 8.0.1, Evoq 8.3, Evoq 8.4 — if you use any of those versions, it is strongly recommended that you update immediately to mitigate the possibility of malicious attacks. Updating to the latest versions — DNN Platform 8.0.2 or Evoq 8.4.1 — will patch this vulnerability. For more information, read the official security release announcement here.
DNN 8.0.1 — Security Update
DNN 8.0.1 is a security release to the DNN 8x series. This minor update addresses three identified vulnerabilities classified as "Low" on the potential threat scale, and one classified as "Critical." The critical vulnerability involves a "Potential CSRF issue on WebAPI POST requests." More information on the 8.0.1 release can be found on the official security bulletin here.
DNN 8.0 — Major Update*
DNN 8 is a full-version upgrade to the popular DNN / DotNetNuke platform. Described as "a major leap forward for DNN" by DNN Software, this version takes a step away from the past while working toward the future. As part of that cleanup, the decision was made to remove many old features of DNN that are no longer used. To that end, the following have been removed from DNN core in the 8x series: SiteLog, UsersOnline, Newsletter Module, Vendors/Banners Modules, ASP2MenuNavigationProvider, DNNMenuNavigation Provider, DNNTreeNavigationProvider, RequestFilter, Widget Framework, and Users Online. Some of the removed features will be moved to GitHub for use by the community.
DNN 8 has a strong focus on improving the overall performance of the platform. Bottlenecks were addressed, static files are now handled differently, and load has been addressed to improve performance, particularly with changes implemented to ensure the best handling of ASP.Net code vs. static code.
For more information on DNN 8, read the official release announcement here, or consult the CodePlex release here.
*NOTE: While the DNN 8x series is the most current major release of the DotNetNuke platform, the Managed.com and PowerDNN team — along with the DNN community — has noted several issues in DNN 8 that should give someone pause before a full update is considered. Yes, our team can help you with your DNN upgrades; however, before making the jump into DNN 8, we recommend you read our knowledge base article: DNN 8 - Features and Breaking Changes. For more information, see the note in our 7.4.2 version log below.
DNN 7.4.2 — Maintenance Update*
DNN 7.4.2 picks up where 7.4.1 left off in stabilizing the 7.4.x series. Version 7.4.2 fixes multiple issues, including: lists in custom registration forms, ignore words in Italian and French, multi-language site rules, malformed URL return parameters, corrections to SSL offload environments, and an issue where site settings could be duplicated. More information on the 7.4.2 release can be found here.
*NOTE: The DNN 7.4.2 release is regarded as the most stable version of the DNN / DotNetNuke platform. Our team can certainly perform an upgrade to DNN 8 for you; however, there are several major changes within the platform that you should consider before deciding to update your site. Due to the multiple issues identified in the DNN 8x series, we recommend you familiarize yourself with the changes our team has outlined in our knowledge base article: DNN 8 - Features and Breaking Changes.
If, however, you are a professional developer or seasoned DNN / DotNetNuke pro, and you feel comfortable with it, then go for it — knowing full well you may have some complications to overcome. If you are unsure or hesitant about what effects DNN 8 may have on your existing site, we recommend updating no further than 7.4.2 at this time. All Managed.com and PowerDNN customers may, of course, open a ticket to speak with our support team about updates.
If you are building a new site from the ground up, however, you are fine to use the most current, secure version of the DNN 8x series. Many of the breaking complications come up through updating a site, and do not seem to be present if building a new DNN 8 site from scratch.
DNN 7.4.1 — Maintenance Update
DNN 7.4.1 is solely a stabilization update intended to address the bulk of the issues found in 7.4. More info about 7.4.1 can be found here.
DNN 7.4 — Features Update
While DNN 7.4 has been released, our engineers are not actively recommending it at this time. Due to several errors and technical issues discovered since its release, we still maintain that DNN users should stick with version 7.3.3 for stability and usability reasons. If you are an experienced DNN developer, you may feel perfectly comfortable upgrading to 7.4. More information on DNN 7.4 can be found here and here.
DNN 7.3.3 — Maintenance Update
DNN version 7.3.3 is a maintenance release that addresses several fixes in the DNN / DotNetNuke core. Items addressed include: an issue where notifications were not updating properly, issues with upgrades failing, a minor security issue, and several other tweaks and enhancements. For more information on the 7.3.3 release, view the highlight notes here.
DNN 7.3.2 — Maintenance Update
DNN version 7.3.2 includes several new features, such as fixing several skin issues, CDN settings for JavaScript libraries, and the tricky runaway thread issue that caused high CPU usage. We fully support this version and have cleared it for use by our team of DNN / DotNetNuke experts. For more information on the 7.3.2 release, view the highlight notes here.
DNN 7.3 — Insecure
While DNN 7.3 includes many new features, our team of engineers — and the DNN / DotNetNuke Community — has found numerous issues with this update. While these errors are not "full regressions," they do potentially pose a problem to your DNN site. Our recommendation is to wait for DNN 7.3.2. You can find out more about our reasons here.
DNN 7.2.2 — Security Update
DNN 7.2.1 is a significant upgrade and includes a number of excellent new features for DotNetNuke. We recommend existing DotNetNuke websites upgrade immediately for new features, performance enhancements, bug fixes, and additional security protections. DNN 7.2 includes an updated SQL module, JavaScript Library Management, enhanced search, and many other improvements. For a full list of changes, see the 7.2 release notes here.

DNN 7.2.1 — Security Update
This version of DNN was released only six weeks after 7.2, and includes "significant value in the areas of security, performance, and user experience." Full details for the 7.2.1 update can be found in the release notes here. DNN 7.2.2 includes maintenance tweaks and new features for users. More information can be found here.

DotNetNuke 6.2.8
DotNetNuke 6.2.8 makes your website social. You can build social communities using new features such as Facebook Login, Social Groups, Member Directories, Activity Feeds, and much more. DotNetNuke 6.2.8 has been thoroughly tested and is recommended for production.
DotNetNuke 6.x
If you are running a DotNetNuke 6.x release prior to version 6.2.8, we recommend upgrading to patch security issues.

DotNetNuke 5.6.8
While DotNetNuke 5.6.8 is a stable and secure version, DotNetNuke Corporation no longer actively enhances it. Customers who run DotNetNuke 5.6.8 should consider upgrading in the near future.

Don't See Your Version Here? You Need To Upgrade
If you do not see your version of DNN / DotNetNuke here, you should upgrade immediately for the latest security and performance benefits. Certain older versions of DotNetNuke may contain critical security vulnerabilities.
