
Cloud Vulnerability DB
A community-led vulnerabilities database
DNN (formerly DotNetNuke) through version 9.4.4 contains an insecure permissions vulnerability tracked as CVE-2020-5188. The issue was disclosed in early 2020 and affects the file upload functionality of the CMS. It allows normal (low-privileged, authenticated) users to bypass the file extension validation that is meant to reserve certain file types for superusers, because for normal users that validation runs only on the client side (Medium Blog).
The weakness is in the file upload module: the extension check applied to normal users is performed only in the browser, while the check applied to superusers is properly enforced on the server. Normal users are intended to be limited to the extensions 'bmp,gif,ico,jpeg,jpg,jpe,png,svg', while superusers are permitted additional extensions. Since a client-side check is under the control of whoever sends the request, a normal user who submits the upload request directly (for example with a scripted HTTP client rather than the browser form) is not subject to the restriction and can upload file types that should be available only to superusers (Medium Blog).
The result is that low-privileged users can upload file types reserved for superusers. How serious that is depends on which extensions the superuser list permits and on whether the upload location is served in a way that executes them; the disclosure describes the bypass itself, and an unauthorized upload of this kind is typically valuable as one step in a larger attack chain against the system rather than as a compromise on its own (Medium Blog).
The vulnerability was reported to the DNN Security Team, but according to the researcher's disclosure it remained unpatched through multiple versions. Organizations running affected versions should enforce the per-role extension allowlist on the server, independently of any client-side check, and should consider restricting file upload permissions to trusted roles only (Medium Blog).
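The following is an added, illustrative example of the pattern the advisory describes and of the server-side fix it recommends; it is not DNN's own upload code. The normal-user extension list is the one quoted in the advisory, while the superuser additions, the request shape and the role flag are assumptions made for the example. The vulnerable handler checks the extension on the server only for superusers and otherwise trusts what the browser reported; the hardened handler applies the allowlist for every role, ignores the client's claim, and also refuses names that are malformed or carry a disallowed intermediate extension such as `shell.aspx.png`.

```python
"""Role-based, server-side file-extension allowlisting.

Added example, not DNN's own code. The normal-user list below is the one the
advisory quotes; the superuser additions, UploadRequest and the role flag are
assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

NORMAL_USER_EXTENSIONS = frozenset("bmp,gif,ico,jpeg,jpg,jpe,png,svg".split(","))
# Hypothetical superuser allowlist (assumption): the advisory only says it is larger.
SUPERUSER_EXTENSIONS = NORMAL_USER_EXTENSIONS | frozenset({"pdf", "txt", "zip"})


@dataclass(frozen=True)
class UploadRequest:
    filename: str
    is_superuser: bool
    # What the browser-side validator reported. Attacker-controlled: anyone can
    # send the upload request with a scripted client and set this as they like.
    client_says_valid: bool = True


def extension_parts(filename: str) -> Optional[List[str]]:
    """Lower-cased extension segments of a file name, or None if the name is
    malformed (path separators, NUL, no extension, empty segment, trailing dot).
    'report.pdf' -> ['pdf'], 'shell.aspx.png' -> ['aspx', 'png']."""
    if not filename or "\x00" in filename or "/" in filename or "\\" in filename:
        return None
    # Windows silently drops trailing dots and spaces, so 'shell.aspx.' would be
    # stored as 'shell.aspx'; refuse rather than guess what the filesystem does.
    if filename != filename.rstrip(". "):
        return None
    parts = filename.split(".")
    if len(parts) < 2 or not parts[0]:
        return None
    exts = [p.lower() for p in parts[1:]]
    if any(e == "" for e in exts):
        return None
    return exts


def vulnerable_accepts(req: UploadRequest) -> bool:
    """The pattern the advisory describes: a real server-side allowlist exists
    only for superusers; normal users are gated by the browser alone."""
    exts = extension_parts(req.filename)
    if req.is_superuser:
        return exts is not None and exts[-1] in SUPERUSER_EXTENSIONS
    return req.client_says_valid  # trusts the client for normal users


def hardened_accepts(req: UploadRequest) -> bool:
    """Server-side check for every role, ignoring anything the client claims.
    Every extension segment must be allowed, so 'shell.aspx.png' is refused
    even on servers that would act on the intermediate '.aspx'."""
    allowed = SUPERUSER_EXTENSIONS if req.is_superuser else NORMAL_USER_EXTENSIONS
    exts = extension_parts(req.filename)
    return exts is not None and all(e in allowed for e in exts)


# Constructed sample requests (not real traffic).
SAMPLES = [
    UploadRequest("avatar.png", is_superuser=False),
    UploadRequest("notes.pdf", is_superuser=False),      # superuser-only type
    UploadRequest("shell.aspx", is_superuser=False),     # browser check "passed"
    UploadRequest("shell.aspx.png", is_superuser=False),
    UploadRequest("PHOTO.JPG", is_superuser=False),
    UploadRequest("notes.pdf", is_superuser=True),
    UploadRequest("shell.aspx", is_superuser=True),
]


def compare(samples=SAMPLES):
    """Map (filename, is_superuser) -> (vulnerable decision, hardened decision)."""
    return {(s.filename, s.is_superuser): (vulnerable_accepts(s), hardened_accepts(s))
            for s in samples}


if __name__ == "__main__":
    for (name, su), (vuln, hard) in compare().items():
        role = "superuser" if su else "normal"
        print(f"{name:16} {role:9} vulnerable={vuln!s:5} hardened={hard}")
```

Running the block prints one line per sample. For normal users the vulnerable handler accepts everything, including `shell.aspx`, because the only check it relies on is the client's report, while the hardened handler accepts only the image types and rejects `notes.pdf`, `shell.aspx` and `shell.aspx.png`. The superuser path behaves the same in both handlers, which is exactly the asymmetry the advisory describes.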
Source: This report was generated using AI