
27 matches found

added 2017/07/20 12:0 p.m., 1217 views

CVE-2017-9822

DotNetNuke (DNN) cookie deserialization RCE (CVE-2017-9822) affects DNN before 9.1.1. The vulnerability arises from deserializing a crafted DNNPersonalization-like cookie, enabling remote code execution. Exploitation details and public proof points are documented in exploit references (e.g., Meta...

CVSS 8.8, AI score 8.9, EPSS 0.94789
In wild

added 2019/09/26 7:48 p.m., 183 views

CVE-2019-12562

CVE-2019-12562 describes a stored cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) prior to version 9.4.0. The issue affects the admin notification function and can allow an attacker to embed malicious scripts by exploiting the Display Name field on the notification page, with exploit...

CVSS 6.1, AI score 5.7, EPSS 0.06124
Web

added 2018/07/03 9:0 p.m., 146 views

CVE-2017-0929

CVE-2017-0929 affects DotNetNuke (DNN) before 9.2.0. A Server-Side Request Forgery (SSRF) vulnerability exists in the DnnImageHandler class, enabling an attacker to access internal network resources. The issue is mitigated by upgrading DNN to version 9.2.0 or above. If exploiting details are prov...

CVSS 7.5, AI score 7.2, EPSS 0.12543

added 2022/09/30 6:45 a.m., 131 views

CVE-2022-2922

CVE-2022-2922 describes a Relative Path Traversal in the DotNetNuke/DNN platform (GitHub: dnnsoftware/dnn.platform) up to version 9.11.0. The vulnerability arises from insufficient sanitization of user-controlled input, enabling an authenticated, remote attacker to craft a URI containing directo...

CVSS 4.9, AI score 5, EPSS 0.0099

added 2025/05/23 3:39 p.m., 80 views

CVE-2025-48378

Consolidated evidence shows DNN (DotNetNuke) prior to specific versions is vulnerable to stored XSS via SVG uploads due to incomplete sanitization. CVE-2025-48378 (fixed in 9.13.9) describes that uploaded SVGs could contain scripts that execute when rendered inline. The connected advisories also ...

CVSS 6.1, AI score 5.8, EPSS 0.00242

added 2025/04/09 3:14 p.m., 71 views

CVE-2025-32372

CVE-2025-32372: DNN (DotNetNuke) exposes a bypass of CVE-2017-0929 enabling unauthenticated, semi‑blind SSRF via arbitrary GET requests to internal or external URLs. Public sources reference this as a server-side request forgery affecting DNN, with a fixed revision in 9.13.8; Nessus/NVD entries ...

CVSS 7.5, AI score 6.7, EPSS 0.00313

added 2025/05/23 3:37 p.m., 68 views

CVE-2025-48376

CVE-2025-48376 affects DNN (DotNetNuke) prior to 9.13.9. A malicious SuperUser (Host) could craft a request to use an external URL for a site export, which could then be imported. The issue is fixed in version 9.13.9. Other related issues (CVE-2025-48377, CVE-2025-48378) are reported by Nessus bu...

CVSS 3.5, AI score 3.8, EPSS 0.00214

added 2025/04/09 3:14 p.m., 65 views

CVE-2025-32371

CVE-2025-32371 affects DNN Platform (DotNetNuke) via the ImageHandler, where a URL crafted with a querystring parameter can render text in the resulting image. This could mislead users who trust the domain. The issue is fixed in DNN 9.13.4; apply the 9.13.4 upgrade (or follow vendor guidance) to ...

CVSS 4.3, AI score 4.3, EPSS 0.00246

added 2025/05/23 3:39 p.m., 65 views

CVE-2025-48377

CVE-2025-48377 affects DNN (Dnn.Platform) prior to version 9.13.9. A specially crafted URL can inject an XSS payload that is triggered by certain module actions; version 9.13.9 includes a fix. Practical impact is an HTML/script injection via module actions, as described in multiple sources; no ex...

CVSS 6, AI score 5.7, EPSS 0.00196

added 2025/04/08 6:0 p.m., 63 views

CVE-2025-32035

DNN (DotNetNuke) prior to version 9.13.2 does not verify file contents during uploads; it only checks file extensions, allowing a malicious file renamed to a benign extension (e.g., executable renamed to .jpg) to be uploaded. The issue is addressed in version 9.13.2. The practical implication is ...

CVSS 7.5, AI score 6.9, EPSS 0.00154

added 2025/04/08 6:6 p.m., 63 views

CVE-2025-32036

CVE-2025-32036 affects DNN (DotNetNuke) where the captcha generation algorithm has low complexity, enabling OCR-based bypass of CAPTCHA. Multiple connected sources (PT-Security and Red Hat advisories) confirm the issue and identify the fixed version as 9.13.8, with prior versions vulnerable. Prac...

CVSS 6.5, AI score 6.8, EPSS 0.00253

added 2025/04/09 3:14 p.m., 63 views

CVE-2025-32374

CVE-2025-32374 affects DNN Platform (DotNetNuke). The public registration form can trigger a denial-of-service condition in affected installations, caused by processing crafted input. Remediation: upgrade to version 9.13.8 or later (as stated by multiple sources and advisories). In practice, Red ...

CVSS 7.5, AI score 5.5, EPSS 0.00319

added 2006/07/14 8:0 p.m., 62 views

CVE-2006-3601

The CVE-2006-3601 entry concerns DotNetNuke (.net nuke) via a DotNetNuke add-on (BDPDT) used by DotNetNuke modules. The connected Nessus document describes a specific vulnerability in BDPDT used by multiple DotNetNuke add-ons where an ASP.NET script UploadFilePopUp.aspx allows uploading arbitrary...

CVSS 10, AI score 7, EPSS 0.02425

added 2025/04/09 3:14 p.m., 60 views

CVE-2025-32373

CVE-2025-32373 affects DNN (DotNetNuke) in the Microsoft ecosystem. In limited configurations, registered users may craft a request to enumerate or access portal files they should not have access to. The issue is fixed in version 9.13.8. Remediation: upgrade to 9.13.8 or newer to resolve the vuln...

CVSS 6.5, AI score 6.2, EPSS 0.00308

added 2025/10/28 9:46 p.m., 35 views

CVE-2025-64095

Summary (CVE-2025-64095): DNN (DotNetNuke) versions before 10.1.1 are vulnerable to an unrestricted file upload due to the default HTML editor provider, allowing unauthenticated users to upload and overwrite files. This can enable website defacement and, when combined with other issues, potentia...

CVSS 10, AI score 6.2, EPSS 0.44185
In wild, Web

added 2025/09/22 8:59 p.m., 29 views

CVE-2025-59535

DNN (DotNetNuke) before version 10.1.0 is vulnerable to loading unused themes via query parameters. If an installed theme has a vulnerability, it could be loaded on unsuspecting clients, potentially enabling server-side or client-side arbitrary code execution depending on the vulnerable theme. Th...

CVSS 6.5, AI score 6.3, EPSS 0.00322

added 2025/09/23 5:41 p.m., 25 views

CVE-2025-59546

CVE-2025-59546 affects DNN (DotNetNuke) prior to version 10.1.0. The vulnerability allows stored XSS via HTML/script in module titles by users with module-editing privileges and with the HTML-in-titles setting enabled. The issue has been patched in version 10.1.0. Affected components are the DNN ...

CVSS 4.8, AI score 5.8, EPSS 0.00167

added 2025/09/23 5:42 p.m., 24 views

CVE-2025-59821

CVE-2025-59821: DNN (DotNetNuke) before version 10.1.0 is vulnerable to a reflected Cross‑Site Scripting (XSS) attack via URL/profile rendering. The issue arises from inadequate neutralization/encoding of HTML‑relevant characters in URL/path handling and template rendering, allowing attacker‑con...

CVSS 6.5, AI score 6.4, EPSS 0.00192

added 2026/01/27 11:58 p.m., 24 views

CVE-2026-24838

CVE-2026-24838 affects DotNetNuke (DNN) where the module title’s richtext can execute scripts, enabling a stored XSS condition. Affected versions are prior to 9.13.10 and 10.2.0; versions 9.13.10 and 10.2.0 contain a fix. The issue is triggered via the module title field and could execute in cert...

CVSS 9.1, AI score 5.9, EPSS 0.00188

added 2025/09/23 5:41 p.m., 23 views

CVE-2025-59545

CVE-2025-59545 affects DNN (DotNetNuke) prior to version 10.1.0, where the Prompt module can execute commands whose output is treated as HTML. This behavior allows input that is maliciously crafted to bypass normal sanitization and potentially execute scripts in the browser, resulting in stored X...

CVSS 9, AI score 6.7, EPSS 0.00499

added 2025/09/23 5:41 p.m., 22 views

CVE-2025-59539

DNN (DotNetNuke) before 10.1.0 is vulnerable to Stored XSS in the Biography field where non‑rich text can inject JavaScript; it's patched in 10.1.0. Upgrade to 10.1.0+ or apply the vendor fix. The issue affects profile views including admins/superusers as described in the CVE details.

CVSS 6.3, AI score 6.3, EPSS 0.00162

added 2025/09/23 5:58 p.m., 22 views

CVE-2025-59548

DNN (DotNetNuke) is vulnerable to Reflected XSS in the CKEditor/FileBrowser prior to version 10.1.0. Specially crafted URLs to the FileBrowser could cause javascript injection when users click the link. The issue has been addressed in version 10.1.0 (patched). Affected software: DNN platform; vul...

CVSS 6.1, AI score 6.4, EPSS 0.00171

added 2025/09/23 5:56 p.m., 16 views

CVE-2025-59547

DNN (DotNetNuke) before version 10.1.0 has a vulnerability in the CKEditor file upload endpoint where filename sanitization allows Unicode-based path traversal that could expose internal network resources. Affected component: CKEditor file upload handler (/api/v1/upload as per PT security doc). I...

CVSS 5.3, AI score 6.4, EPSS 0.0024

added 2025/10/28 9:42 p.m., 16 views

CVE-2025-62802

CVE-2025-62802 affects the DNN (DotNetNuke) CKEditor Provider. Prior to version 10.1.1, the out-of-the-box HTML editing experience allows unauthenticated users to upload files, creating a potential vector for further security issues. The vulnerability is fixed in 10.1.1. Affected material indicat...

CVSS 4.3, AI score 6.6, EPSS 0.00189

added 2025/10/28 9:44 p.m., 15 views

CVE-2025-64094

DNN (DotNetNuke) is affected by CVE-2025-64094 due to incomplete SVG sanitization, allowing stored XSS via uploaded SVGs. Affected versions are prior to 10.1.1; the issue stems from an incomplete fix for CVE-2025-48378 and is fixed in 10.1.1. The vulnerability enables execution of arbitrary JavaS...

CVSS 6.4, AI score 5.7, EPSS 0.00159

added 2026/01/27 11:49 p.m., 12 views

CVE-2026-24833

DotNetNuke (DNN) Platform versions prior to 9.13.10 and 10.2.0 are affected by a stored XSS in the module description (richtext) that can execute scripts in the Persona Bar. Root cause: descriptions in module installation may contain unsanitized scripts. Affected component: DotNetNuke.Core. Reme...

CVSS 7.6, AI score 5.9, EPSS 0.00174

added 2026/04/17 9:10 p.m., 12 views

CVE-2026-40321

CVE-2026-40321 affects DotNetNuke (DNN). Versions prior to 10.2.2 allow stored cross-site scripting through specially crafted SVG uploads, enabling scripts to run in contexts for both authenticated and unauthenticated users; impact increases if the payload is executed by a power user. The issue i...

CVSS 8, AI score 5.7, EPSS 0.07598