Dotnetnuke < 10.1.1 Stored cross-site-scripting (XSS) via SVG upload (CVE-2025-64094)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(271923);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/24");

  script_cve_id("CVE-2025-64094");
  script_xref(name:"IAVB", value:"2025-B-0181-S");

  script_name(english:"Dotnetnuke < 10.1.1 Stored cross-site-scripting (XSS) via SVG upload (CVE-2025-64094)");

  script_set_attribute(attribute:"synopsis", value:
"An ASP.NET application running on the remote web server is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the instance of Dotnetnuke running on the remote web server is prior to 10.1.1.
It is, therefore, affected by a vulnerability.

  - DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft
    ecosystem. Prior to 10.1.1, sanitization of the content of uploaded SVG files was not covering all
    possible XSS scenarios. This vulnerability exists because of an incomplete fix for CVE-2025-48378. This
    vulnerability is fixed in 10.1.1. (CVE-2025-64094)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://www.dnnsoftware.com/community/security/security-center/GHSA-hmvq-8p83-cq52
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?53a96641");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Dotnetnuke version 10.1.1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-64094");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(79);

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/10/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/10/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/10/28");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:dotnetnuke:dotnetnuke");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:dnnsoftware:dotnetnuke");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("dotnetnuke_detect.nasl");
  script_require_keys("installed_sw/DNN");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include('vcf.inc');
include('http.inc');

var app = 'DNN';

get_install_count(app_name:app, exit_if_zero:TRUE);

var port = get_http_port(default:80, asp:TRUE);

var app_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);
vcf::check_granularity(app_info:app_info, sig_segments:3);

var constraints = [
  { 'fixed_version' : '10.1.1' }
];

vcf::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    severity:SECURITY_WARNING,
    flags:{'xss':TRUE}
);