76 matches found
CVE-2008-6733
The CVE-2008-6733 entry concerns a cross-site scripting (XSS) flaw in DotNetNuke versions 4.6.2–4.8.3, where the error handling page is vulnerable to script/HTML injection through a querystring parameter. The vulnerability arises on the error handling page and can be exploited remotely to inject ...
CVE-2008-6541
The CVE-2008-6541 entry describes an unrestricted file upload vulnerability in the DotNetNuke file manager module prior to version 4.8.2. Remote administrators could upload arbitrary files and gain server privileges via unspecified vectors. Affected product: DotNetNuke, component: file manager mo...
CVE-2004-2323
DotNetNuke (formerly IBuySpy Workshop) 1.0.6–1.0.10d is affected. A remote attacker can obtain sensitive information, including the SQL server username and password, by performing a GET request for source or configuration files such as Web.config. This vulnerability exposes credentials and arises...
CVE-2008-7100
DotNetNuke 4.4.1 through 4.8.4 is affected by an identity authentication bypass vulnerability described as an authentication bypass in which a flawed handling of a per-user action identifier and improper validation of a user identity can allow remote authenticated users to gain privileges. The Op...
CVE-2025-64095
Summary (CVE-2025-64095) : DNN (DotNetNuke) versions before 10.1.1 are vulnerable to an unrestricted file upload due to the default HTML editor provider, allowing unauthenticated users to upload and overwrite files. This can enable website defacement and, when combined with other issues, potentia...
CVE-2025-52487
CVE-2025-52487 affects DNN.PLATFORM (DotNetNuke) prior to version 10.0.1. Versions 7.0.0 up to before 10.0.1 allow a specially crafted request or proxy to bypass the DNN Login IP Filters, enabling login attempts from IPs outside the allow list. The vulnerability is mitigated by upgrading to versi...
CVE-2026-24838
CVE-2026-24838 affects DotNetNuke (DNN) where the module title’s richtext can execute scripts, enabling a stored XSS condition. Affected versions are prior to 9.13.10 and 10.2.0; versions 9.13.10 and 10.2.0 contain a fix. The issue is triggered via the module title field and could execute in cert...
CVE-2025-52485
CVE-2025-52485 affects DNN Platform (DotNetNuke) before version 10.0.1. Versions 6.0.0 to
CVE-2025-59535
DNN (DotNetNuke) before version 10.1.0 is vulnerable to loading unused themes via query parameters. If an installed theme has a vulnerability, it could be loaded on unsuspecting clients, potentially enabling server-side or client-side arbitrary code execution depending on the vulnerable theme. Th...
CVE-2026-40321
CVE-2026-40321 affects DotNetNuke (DNN). Versions prior to 10.2.2 allow stored cross-site scripting through specially crafted SVG uploads, enabling scripts to run in contexts for both authenticated and unauthenticated users; impact increases if the payload is executed by a power user. The issue i...
CVE-2025-52486
CVE-2025-52486 affects DNN.PLATFORM (DotNetNuke) prior to 10.0.1, where specially crafted URL content could be used with TokenReplace and not be sanitized by certain SkinObjects, enabling a reflected Cross-Site Scripting (XSS). Affected versions are 6.0.0 through before 10.0.1. The issue is fixed...
CVE-2025-59546
CVE-2025-59546 affects DNN (DotNetNuke) prior to version 10.1.0. The vulnerability allows stored XSS via HTML/script in module titles by users with module-editing privileges and with the HTML-in-titles setting enabled. The issue has been patched in version 10.1.0. Affected components are the DNN ...
CVE-2025-59545
CVE-2025-59545 affects DNN (DotNetNuke) prior to version 10.1.0, where the Prompt module can execute commands whose output is treated as HTML. This behavior allows input that is maliciously crafted to bypass normal sanitization and potentially execute scripts in the browser, resulting in stored X...
CVE-2025-59548
DNN (DotNetNuke) is vulnerable to Reflected XSS in the CKEditor/FileBrowser prior to version 10.1.0. Specially crafted URLs to the FileBrowser could cause javascript injection when users click the link. The issue has been addressed in version 10.1.0 (patched). Affected software: DNN platform; vul...
CVE-2025-59821
CVE-2025-59821 : DNN (DotNetNuke) before version 10.1.0 is vulnerable to a reflected Cross‑Site Scripting (XSS) attack via URL/profile rendering. The issue arises from inadequate neutralization/encoding of HTML‑relevant characters in URL/path handling and template rendering, allowing attacker‑con...
CVE-2025-59539
DNN (DotNetNuke) before 10.1.0 is vulnerable to Stored XSS in the Biography field where non‑rich text can inject JavaScript; it's patched in 10.1.0. Upgrade to 10.1.0+ or apply the vendor fix. The issue affects profile views including admins/superusers as described in the CVE details.
CVE-2025-64094
DNN (DotNetNuke) is affected by CVE-2025-64094 due to incomplete SVG sanitization, allowing stored XSS via uploaded SVGs. Affected versions are prior to 10.1.1; the issue stems from an incomplete fix for CVE-2025-48378 and is fixed in 10.1.1. The vulnerability enables execution of arbitrary JavaS...
CVE-2026-40305
DNN (DotNetNuke) is affected by CVE-2026-40305 in versions 6.0.0 through 10.2.1, where a crafted request in the friends feature could force the acceptance of a friend request on another user. The issue is fixed in version 10.2.2 (patch). Affects DotNetNuke Platform’s friend-acceptance flow and is...
CVE-2025-62802
CVE-2025-62802 affects the DNN (DotNetNuke) CKEditor Provider. Prior to version 10.1.1, the out-of-the-box HTML editing experience allows unauthenticated users to upload files, creating a potential vector for further security issues. The vulnerability is fixed in 10.1.1. Affected material indicat...
CVE-2025-59547
DNN (DotNetNuke) before version 10.1.0 has a vulnerability in the CKEditor file upload endpoint where filename sanitization allows Unicode-based path traversal that could expose internal network resources. Affected component: CKEditor file upload handler (/api/v1/upload as per PT security doc). I...
CVE-2020-37103
DotNetNuke 9.5 contains a persistent cross-site scripting (XSS) vulnerability that allows normal users to upload XML files with executable scripts via journal tools. This can cause arbitrary JavaScript to run in users’ browsers, potentially bypassing CSRF protections and enabling more damaging at...
CVE-2026-24784
CVE-2026-24784 affects DotNetNuke/DNN: a stored XSS vulnerability in module headers/footers that could allow script injection run in other users’ contexts. The issue occurs in DNN versions 9.0.0 up to, but not including, 9.13.10 and 10.2.0; 9.13.10 and 10.2.0 contain fixes. Impact is described as...
CVE-2026-24837
DNN (DotNetNuke) prior to version 9.13.10 and 10.2.0 is affected by a Stored XSS in the Module Deletion Confirmation Modal caused by the module friendly name containing scripts. The issue is addressed in 9.13.10 and 10.2.0, which contain the fix. Exploitation context is limited to remote abuse re...
CVE-2026-24833
DotNetNuke (DNN) Platform versions prior to 9.13.10 and 10.2.0 are affected by a stored XSS in the module description (richtext) that can execute scripts in the Persona Bar. Root cause: descriptions in module installation may contain un sanitized scripts. Affected component: DotNetNuke.Core. Reme...
CVE-2026-24836
The CVE-2026-24836 issue affects DotNetNuke (DNN) core: versions 9.0.0 through <9.13.10 and
CVE-2026-40306
DNN Platform (DotNetNuke) CVE-2026-40306 describes a flaw where all new installations of DNN 10.x.x–10.2.1 use the same Host GUID. Red Hat, NVD, CVE listings, and related advisories indicate this shortcoming stems from predictable HostGUID values introduced in releases prior to 10.2.2, which patc...