Lucene search
K
DnnsoftwareDotnetnuke

76 matches found

CVE
CVE
added 2009/04/21 6:7 p.m.48 views

CVE-2008-6733

The CVE-2008-6733 entry concerns a cross-site scripting (XSS) flaw in DotNetNuke versions 4.6.2–4.8.3, where the error handling page is vulnerable to script/HTML injection through a querystring parameter. The vulnerability arises on the error handling page and can be exploited remotely to inject ...

4.3CVSS5.9AI score0.01074EPSS
CVE
CVE
added 2009/03/30 1:0 a.m.47 views

CVE-2008-6541

The CVE-2008-6541 entry describes an unrestricted file upload vulnerability in the DotNetNuke file manager module prior to version 4.8.2. Remote administrators could upload arbitrary files and gain server privileges via unspecified vectors. Affected product: DotNetNuke, component: file manager mo...

6.8CVSS7.2AI score0.01006EPSS
CVE
CVE
added 2005/08/16 4:0 a.m.44 views

CVE-2004-2323

DotNetNuke (formerly IBuySpy Workshop) 1.0.6–1.0.10d is affected. A remote attacker can obtain sensitive information, including the SQL server username and password, by performing a GET request for source or configuration files such as Web.config. This vulnerability exposes credentials and arises...

5CVSS7.5AI score0.014EPSS
CVE
CVE
added 2009/08/27 8:0 p.m.44 views

CVE-2008-7100

DotNetNuke 4.4.1 through 4.8.4 is affected by an identity authentication bypass vulnerability described as an authentication bypass in which a flawed handling of a per-user action identifier and improper validation of a user identity can allow remote authenticated users to gain privileges. The Op...

6.5CVSS6.8AI score0.01216EPSS
CVE
CVE
added 2025/10/28 9:46 p.m.40 views

CVE-2025-64095

Summary (CVE-2025-64095) : DNN (DotNetNuke) versions before 10.1.1 are vulnerable to an unrestricted file upload due to the default HTML editor provider, allowing unauthenticated users to upload and overwrite files. This can enable website defacement and, when combined with other issues, potentia...

10CVSS6.2AI score0.44656EPSS
In wildWeb
CVE
CVE
added 2025/06/21 2:44 a.m.35 views

CVE-2025-52487

CVE-2025-52487 affects DNN.PLATFORM (DotNetNuke) prior to version 10.0.1. Versions 7.0.0 up to before 10.0.1 allow a specially crafted request or proxy to bypass the DNN Login IP Filters, enabling login attempts from IPs outside the allow list. The vulnerability is mitigated by upgrading to versi...

8.8CVSS6.4AI score0.00294EPSS
CVE
CVE
added 2026/01/27 11:58 p.m.35 views

CVE-2026-24838

CVE-2026-24838 affects DotNetNuke (DNN) where the module title’s richtext can execute scripts, enabling a stored XSS condition. Affected versions are prior to 9.13.10 and 10.2.0; versions 9.13.10 and 10.2.0 contain a fix. The issue is triggered via the module title field and could execute in cert...

9.1CVSS5.9AI score0.00188EPSS
CVE
CVE
added 2025/06/21 2:40 a.m.32 views

CVE-2025-52485

CVE-2025-52485 affects DNN Platform (DotNetNuke) before version 10.0.1. Versions 6.0.0 to

5.4CVSS6.3AI score0.00178EPSS
CVE
CVE
added 2025/09/22 8:59 p.m.32 views

CVE-2025-59535

DNN (DotNetNuke) before version 10.1.0 is vulnerable to loading unused themes via query parameters. If an installed theme has a vulnerability, it could be loaded on unsuspecting clients, potentially enabling server-side or client-side arbitrary code execution depending on the vulnerable theme. Th...

6.5CVSS6.3AI score0.00322EPSS
CVE
CVE
added 2026/04/17 9:10 p.m.32 views

CVE-2026-40321

CVE-2026-40321 affects DotNetNuke (DNN). Versions prior to 10.2.2 allow stored cross-site scripting through specially crafted SVG uploads, enabling scripts to run in contexts for both authenticated and unauthenticated users; impact increases if the payload is executed by a power user. The issue i...

8CVSS5.7AI score0.07598EPSS
CVE
CVE
added 2025/06/21 2:42 a.m.28 views

CVE-2025-52486

CVE-2025-52486 affects DNN.PLATFORM (DotNetNuke) prior to 10.0.1, where specially crafted URL content could be used with TokenReplace and not be sanitized by certain SkinObjects, enabling a reflected Cross-Site Scripting (XSS). Affected versions are 6.0.0 through before 10.0.1. The issue is fixed...

6.1CVSS6.4AI score0.00203EPSS
CVE
CVE
added 2025/09/23 5:41 p.m.27 views

CVE-2025-59546

CVE-2025-59546 affects DNN (DotNetNuke) prior to version 10.1.0. The vulnerability allows stored XSS via HTML/script in module titles by users with module-editing privileges and with the HTML-in-titles setting enabled. The issue has been patched in version 10.1.0. Affected components are the DNN ...

4.8CVSS5.8AI score0.00171EPSS
CVE
CVE
added 2025/09/23 5:41 p.m.25 views

CVE-2025-59545

CVE-2025-59545 affects DNN (DotNetNuke) prior to version 10.1.0, where the Prompt module can execute commands whose output is treated as HTML. This behavior allows input that is maliciously crafted to bypass normal sanitization and potentially execute scripts in the browser, resulting in stored X...

9CVSS6.7AI score0.0051EPSS
CVE
CVE
added 2025/09/23 5:58 p.m.25 views

CVE-2025-59548

DNN (DotNetNuke) is vulnerable to Reflected XSS in the CKEditor/FileBrowser prior to version 10.1.0. Specially crafted URLs to the FileBrowser could cause javascript injection when users click the link. The issue has been addressed in version 10.1.0 (patched). Affected software: DNN platform; vul...

6.1CVSS6.4AI score0.00175EPSS
CVE
CVE
added 2025/09/23 5:42 p.m.25 views

CVE-2025-59821

CVE-2025-59821 : DNN (DotNetNuke) before version 10.1.0 is vulnerable to a reflected Cross‑Site Scripting (XSS) attack via URL/profile rendering. The issue arises from inadequate neutralization/encoding of HTML‑relevant characters in URL/path handling and template rendering, allowing attacker‑con...

6.5CVSS6.4AI score0.00196EPSS
CVE
CVE
added 2025/09/23 5:41 p.m.24 views

CVE-2025-59539

DNN (DotNetNuke) before 10.1.0 is vulnerable to Stored XSS in the Biography field where non‑rich text can inject JavaScript; it's patched in 10.1.0. Upgrade to 10.1.0+ or apply the vendor fix. The issue affects profile views including admins/superusers as described in the CVE details.

6.3CVSS6.3AI score0.00166EPSS
CVE
CVE
added 2025/10/28 9:44 p.m.22 views

CVE-2025-64094

DNN (DotNetNuke) is affected by CVE-2025-64094 due to incomplete SVG sanitization, allowing stored XSS via uploaded SVGs. Affected versions are prior to 10.1.1; the issue stems from an incomplete fix for CVE-2025-48378 and is fixed in 10.1.1. The vulnerability enables execution of arbitrary JavaS...

6.4CVSS5.7AI score0.00179EPSS
CVE
CVE
added 2026/04/17 9:6 p.m.22 views

CVE-2026-40305

DNN (DotNetNuke) is affected by CVE-2026-40305 in versions 6.0.0 through 10.2.1, where a crafted request in the friends feature could force the acceptance of a friend request on another user. The issue is fixed in version 10.2.2 (patch). Affects DotNetNuke Platform’s friend-acceptance flow and is...

4.3CVSS5.7AI score0.00183EPSS
CVE
CVE
added 2025/10/28 9:42 p.m.21 views

CVE-2025-62802

CVE-2025-62802 affects the DNN (DotNetNuke) CKEditor Provider. Prior to version 10.1.1, the out-of-the-box HTML editing experience allows unauthenticated users to upload files, creating a potential vector for further security issues. The vulnerability is fixed in 10.1.1. Affected material indicat...

4.3CVSS6.6AI score0.00214EPSS
CVE
CVE
added 2025/09/23 5:56 p.m.19 views

CVE-2025-59547

DNN (DotNetNuke) before version 10.1.0 has a vulnerability in the CKEditor file upload endpoint where filename sanitization allows Unicode-based path traversal that could expose internal network resources. Affected component: CKEditor file upload handler (/api/v1/upload as per PT security doc). I...

5.3CVSS6.4AI score0.00246EPSS
CVE
CVE
added 2026/02/03 4:52 p.m.18 views

CVE-2020-37103

DotNetNuke 9.5 contains a persistent cross-site scripting (XSS) vulnerability that allows normal users to upload XML files with executable scripts via journal tools. This can cause arbitrary JavaScript to run in users’ browsers, potentially bypassing CSRF protections and enabling more damaging at...

6.4CVSS5.4AI score0.00291EPSS
CVE
CVE
added 2026/01/27 11:47 p.m.18 views

CVE-2026-24784

CVE-2026-24784 affects DotNetNuke/DNN: a stored XSS vulnerability in module headers/footers that could allow script injection run in other users’ contexts. The issue occurs in DNN versions 9.0.0 up to, but not including, 9.13.10 and 10.2.0; 9.13.10 and 10.2.0 contain fixes. Impact is described as...

6.8CVSS5.9AI score0.0016EPSS
CVE
CVE
added 2026/01/27 11:53 p.m.17 views

CVE-2026-24837

DNN (DotNetNuke) prior to version 9.13.10 and 10.2.0 is affected by a Stored XSS in the Module Deletion Confirmation Modal caused by the module friendly name containing scripts. The issue is addressed in 9.13.10 and 10.2.0, which contain the fix. Exploitation context is limited to remote abuse re...

7.6CVSS5.9AI score0.00249EPSS
CVE
CVE
added 2026/01/27 11:49 p.m.16 views

CVE-2026-24833

DotNetNuke (DNN) Platform versions prior to 9.13.10 and 10.2.0 are affected by a stored XSS in the module description (richtext) that can execute scripts in the Persona Bar. Root cause: descriptions in module installation may contain un sanitized scripts. Affected component: DotNetNuke.Core. Reme...

7.6CVSS5.9AI score0.00174EPSS
CVE
CVE
added 2026/01/27 11:51 p.m.16 views

CVE-2026-24836

The CVE-2026-24836 issue affects DotNetNuke (DNN) core: versions 9.0.0 through <9.13.10 and

7.6CVSS5.9AI score0.00226EPSS
CVE
CVE
added 2026/04/17 9:9 p.m.16 views

CVE-2026-40306

DNN Platform (DotNetNuke) CVE-2026-40306 describes a flaw where all new installations of DNN 10.x.x–10.2.1 use the same Host GUID. Red Hat, NVD, CVE listings, and related advisories indicate this shortcoming stems from predictable HostGUID values introduced in releases prior to 10.2.2, which patc...

6.9CVSS5.8AI score0.00175EPSS
Total number of security vulnerabilities76