CVE-2017-9822
DotNetNuke (DNN) cookie deserialization RCE (CVE-2017-9822) affects DNN before 9.1.1. The vulnerability arises from deserializing a crafted DNNPersonalization-like cookie, enabling remote code execution. Exploitation details and public proof points are documented in exploit references (e.g., Meta...
CVE-2018-15811
CVE-2018-15811 – DNN series (DotNetNuke) vulnerable to weak encryption. The provided sources confirm that DNN platforms running 9.2 through 9.2.2 use a weak encryption algorithm to protect input parameters (notably in cookies), representing a vulnerability in the protection of parameter data. Th...
CVE-2018-18325
Summary: CVE-2018-18325 affects DNN (DotNetNuke) platforms running version 9.2 through 9.2.2. The issue is an inadequate encryption strength for input parameters, arising from an incomplete fix for CVE-2018-15811. The vulnerability is tied to the use of a weak encryption algorithm in protecting i...
CVE-2018-15812
CVE-2018-15812 affects DNN (DotNetNuke) versions 9.2 through 9.2.1. The issue arises from incorrect conversion of encryption key source values, yielding lower than expected entropy in keys. The documents describe related advisories (GHSA, OSV) and OpenVAS entries referencing the same entropy prob...
CVE-2019-12562
CVE-2019-12562 describes a stored cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) prior to version 9.4.0. The issue affects the admin notification function and can allow an attacker to embed malicious scripts by exploiting the Display Name field on the notification page, with exploit...
CVE-2018-18326
Summary: CVE-2018-18326 affects DNN (DotNetNuke) 9.2 through 9.2.2, which incorrectly converts encryption key source values, yielding lower entropy. This issue is noted as stemming from an incomplete fix for CVE-2018-15812. The connected sources identify the vulnerable versions and link to relate...
CVE-2017-0929
CVE-2017-0929 affects DotNetNuke (DNN) before 9.2.0. A Server-Side Request Forgery (SSRF) vulnerability exists in the DnnImageHandler class, enabling an attacker to access internal network resources. The issue is mitigated by upgrading DNN to version 9.2.0 or above. If exploiting details are prov...
CVE-2022-2922
CVE-2022-2922 describes a Relative Path Traversal in the DotNetNuke/DNN platform (GitHub: dnnsoftware/dnn.platform) up to version 9.11.0. The vulnerability arises from insufficient sanitization of user-controlled input, enabling an authenticated, remote attacker to craft a URI containing directo...
CVE-2015-2794
DotNetNuke (DNN) prior to version 7.4.1 is affected: the installation wizard Install/InstallWizard.aspx can be accessed to reinstall the application and escalate to SuperUser. Root cause: post-installation installation wizard scripts not properly secured, enabling an unauthenticated remote bypass...
CVE-2025-52488
Summary (CVE-2025-52488) Affected: DNN Platform (formerly DotNetNuke), versions 6.0.0 up to before 10.0.1. Root cause: A specially crafted interaction vulnerability allows NTLM hashes to be disclosed to a third-party SMB server via Unicode path normalization. Impact: Unauthenticated attackers could...
CVE-2022-47053
Summary: CVE-2022-47053 affects DNN (DotNetNuke) Digital Assets Manager, across DotNetNuke v7.0.0 through v9.10.2, enabling arbitrary code execution via a crafted SVG file through an arbitrary file upload vulnerability. The available connected documents consistently describe the vulnerability cla...
CVE-2015-1566
CVE-2015-1566 affects DotNetNuke (DNN) before version 7.4.0, where an XSS flaw could allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. The concrete root cause is not detailed in the provided documents beyond the vendor’s version bound; no exploit vectors are d...
CVE-2020-5188
CVE-2020-5188 affects DNN (DotNetNuke) up to version 9.4.4, where an insecure permissions issue is reported. The root cause is improper/weak permission handling within the DNN platform, enabling a scenario where an attacker could abuse file permissions (as indicated by CVSS details with high inte...
CVE-2025-48378
Consolidated evidence shows DNN (DotNetNuke) prior to specific versions is vulnerable to stored XSS via SVG uploads due to incomplete sanitization. CVE-2025-48378 (fixed in 9.13.9) describes that uploaded SVGs could contain scripts that execute when rendered inline. The connected advisories also ...
CVE-2020-5187
CVE-2020-5187 affects DNN (DotNetNuke) up to version 9.4.4, where path traversal was reported. Multiple connected sources describe a zip-slip/path-traversal issue arising from unsafe handling/validation of file paths during archive extraction, enabling an attacker to access or overwrite files out...
CVE-2021-40186
The OpenVAS entry identifies a DNN CMS (DotNetNuke) SSRF vulnerability affecting DNN versions up to 9.11.2. The flaw enables an attacker to cause the server to perform network requests on its behalf, potentially reaching internal systems and other resources. The vulnerability is described as a se...
CVE-2016-7119
CVE-2016-7119 is a cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) affecting the user-profile biography area prior to version 8.0.1. The issue allows remote authenticated users to inject arbitrary web script or HTML via a crafted onclick attribute in an IMG element, with impact descr...
CVE-2025-32372
CVE-2025-32372: DNN (DotNetNuke) exposes a bypass of CVE-2017-0929 enabling unauthenticated, semi-blind SSRF via arbitrary GET requests to internal or external URLs. Public sources reference this as a server-side request forgery affecting DNN, with a fixed revision in 9.13.8; Nessus/NVD entries ...
CVE-2025-48376
CVE-2025-48376 affects DNN (DotNetNuke) prior to 9.13.9. A malicious SuperUser (Host) could craft a request to use an external URL for a site export, which could then be imported. The issue is fixed in version 9.13.9. Other related issues (CVE-2025-48377, CVE-2025-48378) are reported by Nessus bu...
CVE-2025-32371
CVE-2025-32371 affects DNN Platform (DotNetNuke) via the ImageHandler, where a URL crafted with a querystring parameter can render text in the resulting image. This could mislead users who trust the domain. The issue is fixed in DNN 9.13.4; apply the 9.13.4 upgrade (or follow vendor guidance) to ...
CVE-2013-7335
CVE-2013-7335 describes an open redirect vulnerability in DotNetNuke (DNN) prior to 6.2.9 and in 7.x prior to 7.1.1. The issue allows remote attackers to redirect users to arbitrary sites and potentially conduct phishing via unspecified vectors. Affected product is DotNetNuke (DNN); the root caus...
CVE-2025-48377
CVE-2025-48377 affects DNN (Dnn.Platform) prior to version 9.13.9. A specially crafted URL can inject an XSS payload that is triggered by certain module actions; version 9.13.9 includes a fix. Practical impact is an HTML/script injection via module actions, as described in multiple sources; no ex...
CVE-2008-6732
CVE-2008-6732 describes a cross-site scripting (XSS) vulnerability in the Language skin object of DotNetNuke prior to 4.8.4. The issue allows remote attackers to inject arbitrary web script or HTML via newly generated paths. Affected product: DotNetNuke (Skin Language object); vulnerability type:...
CVE-2025-32036
CVE-2025-32036 affects DNN (DotNetNuke) where the captcha generation algorithm has low complexity, enabling OCR-based bypass of CAPTCHA. Multiple connected sources (PT-Security and Red Hat advisories) confirm the issue and identify the fixed version as 9.13.8, with prior versions vulnerable. Prac...
CVE-2009-4110
The CVE-2009-4110 entry applies to DotNetNuke (DNN) 4.8.x through 5.1.4, where the Search functionality in SearchResults.aspx is vulnerable to cross-site scripting (XSS) due to insufficient sanitization of the user-provided search terms before dynamic HTML output. The vulnerability is exploitable...
CVE-2013-4649
DotNetNuke (DNN) is affected by a cross-site scripting (XSS) vulnerability (CVE-2013-4649) in which user input to the __dnnVariable parameter on the default URI is not sanitized. Affected versions are DNN before 6.2.9 and 7.x before 7.1.1, enabling remote attackers to inject arbitrary script/HTML...
CVE-2006-3601
The CVE-2006-3601 entry concerns DotNetNuke (.net nuke) via a DotNetNuke add-on (BDPDT) used by DotNetNuke modules. The connected Nessus document describes a specific vulnerability in BDPDT used by multiple DotNetNuke add-ons where an ASP.NET script UploadFilePopUp.aspx allows uploading arbitrary...
CVE-2025-32035
DNN (DotNetNuke) prior to version 9.13.2 does not verify file contents during uploads; it only checks file extensions, allowing a malicious file renamed to a benign extension (e.g., executable renamed to .jpg) to be uploaded. The issue is addressed in version 9.13.2. The practical implication is ...
CVE-2025-32374
CVE-2025-32374 affects DNN Platform (DotNetNuke). The public registration form can trigger a denial-of-service condition in affected installations, caused by processing crafted input. Remediation: upgrade to version 9.13.8 or later (as stated by multiple sources and advisories). In practice, Red ...
CVE-2020-11585
CVE-2020-11585 affects DNN (DotNetNuke) 9.5 in the built-in Activity-Feed/Messaging/Userid/Message Center module. A registered user can enumerate arbitrary files in the Admin File Manager (excluding secure folders) by sending themselves a message with a file attached, utilizing an arbitrary small...
CVE-2020-5186
CVE-2020-5186 maps to a DNN (DotNetNuke) XSS issue in versions up to 9.4.4. The core description in the initial document states XSS (issue 1 of 2) for DNN 9.4.4. Connected documents corroborate a DNN XSS vulnerability; no explicit exploitation details, impact metrics, or patched version are provi...
CVE-2025-32373
CVE-2025-32373 affects DNN (DotNetNuke) in the Microsoft ecosystem. In limited configurations, registered users may craft a request to enumerate or access portal files they should not have access to. The issue is fixed in version 9.13.8. Remediation: upgrade to 9.13.8 or newer to resolve the vuln...
CVE-2008-7102
DotNetNuke 2.0–4.8.4 is affected by a skin-file security bypass vulnerability that lets remote attackers load .ascx files instead of skin files due to parameter-validation issues. Affected component: skin file handling; root cause: parameter validation weakness. Impact per sources: potential acce...
CVE-2009-4109
Affected software: DotNetNuke 4.0 through 5.1.4. Vulnerability: The install wizard does not prevent anonymous users from accessing upgrade-determination functionality, allowing remote attackers to access version information and possibly other sensitive data. Root cause / mechanism: Information di...
CVE-2010-4514
CVE-2010-4514 is an XSS vulnerability in DotNetNuke 5.05.01 and 5.06.00, affecting Install/InstallWizard.aspx. The underlying issue is improper handling of the __VIEWSTATE parameter, allowing remote attackers to inject arbitrary web script or HTML. Limited by the provided docs, exploitation statu...
CVE-2021-31858
CVE-2021-31858 affects DotNetNuke (DNN) 9.9.1 CMS. The issue is a stored XSS in the user profile biography section that allows remote authenticated users to inject arbitrary code via a crafted payload. CVSSv3.1/base score 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). Exploitation details are not pro...
CVE-2004-2324
DotNetNuke (formerly IBuySpy Workshop) 1.0.6–1.0.10d is affected by an SQL injection vulnerability in LinkClick.aspx, exploitable via the (1) table and (2) field parameters to modify the backend database. The vulnerability allows remote attackers to alter database contents. Documents do not provi...
CVE-2006-4973
DotNetNuke (Perpetual Motion Interactive Systems) has a reflected XSS vulnerability in Default.aspx: versions prior to 3.3.5 and 4.x prior to 4.3.5 allow remote attackers to inject arbitrary HTML via the error parameter. Affected software is DotNetNuke under Perpetual Motion Interactive Systems. ...
CVE-2004-2325
CVE-2004-2325 describes a cross-site scripting (XSS) vulnerability in the EditModule.aspx page of DotNetNuke (formerly IBuySpy Workshop), affecting versions 1.0.6 through 1.0.10d. The flaw allows remote attackers to inject arbitrary web script or HTML. The provided documents identify the affected...
CVE-2005-0040
DotNetNuke (DNN) before 3.0.12 is affected by multiple XSS vulnerabilities (CVE-2005-0040) that allow remote attackers to inject script via (1) the register-a-new-user page, (2) the User-Agent header, and (3) the Username field, due to improper quoting before logging. Affected versions are
CVE-2008-6540
DotNetNuke prior to 4.8.2 stores default ValidationKey and DecryptionKey in web.config during installation or upgrade. This weak configuration allows remote attackers to bypass access restrictions by using the default keys. Impact: potential authentication/authorization bypass. Mitigation: upgrad...
CVE-2008-7101
DotNetNuke versions 4.0–4.8.4 and 5.0 are affected by an information disclosure vulnerability in the Install Wizard, allowing remote attackers to obtain the portal number via access to the wizard page. Root cause is unspecified in the sources, but the issue is categorized as a remote information ...
CVE-2012-1036
CVE-2012-1036 is an XSS vulnerability in DotNetNuke's Telerik HTML editor prior to 5.6.4 and 6.x prior to 6.1.0. The issue, triggered by specially crafted HTML/JavaScript in messages, could allow remote attackers to inject arbitrary script or HTML. Impact is explained as cross-site scripting with...
CVE-2008-6399
CVE-2008-6399 affects DotNetNuke versions 4.5.2 through 4.9, describing an unspecified vulnerability that allows remote attackers to add additional roles to their user account via unknown attack vectors. The available references confirm the vendor advisories but do not reveal the exact attack vec...
CVE-2009-1366
CVE-2009-1366 corresponds to a Cross-site Scripting (XSS) vulnerability in DotNetNuke (DNN) prior to 4.9.3, specifically in Website\admin\Sales\paypalipn.aspx. The issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to name/value pairs and PayPal I...
CVE-2012-1030
CVE-2012-1030 concerns a Cross-Site Scripting (XSS) flaw in DotNetNuke 6.x up to 6.0.2. The issue arises from how script information is validated in a specially crafted URL used with a modal popup, allowing a user-assisted remote attacker to inject arbitrary script or HTML into a victim’s browser...
CVE-2008-6644
CVE-2008-6644 is an XSS vulnerability in DotNetNuke’s Default.aspx (affecting 4.8.3 and earlier) that allows remote attackers to inject arbitrary script/HTML via the PATH_INFO. The affected component is DotNetNuke web UI, with the root cause being improper handling of PATH_INFO leading to script ...
CVE-2013-3943
CVE-2013-3943 (DotNetNuke/DNN) — XSS in Display Name field. Affected: DNN versions before 6.2.9 and 7.x before 7.1.1. Description: remote authenticated users can inject arbitrary script/HTML via the Display Name in Manage Profile, indicating a persistent XSS vulnerability. Connection details fro...
CVE-2018-14486
CVE-2018-14486 affects DNN (DotNetNuke) 9.1.1, where XML handling enables Cross-Site Scripting (XSS). The Red Hat and Snyk entries corroborate XSS in DNN 9.1.1 via XML, but the provided documents do not specify a fixed version or explicit remediation. Practical impact is XSS exposure in web appli...
CVE-2008-6542
CVE-2008-6542 affects DotNetNuke’s Skin Manager prior to 4.8.2. The vulnerability allows a remote authenticated administrator to trigger server-side execution of application logic by uploading a static file that is converted into a dynamic script via unknown vectors related to HTM/HTML files. The...