Dotnetnuke
CVE-2025-32372
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. A bypass has been identified for the previously known vulnerability CVE-2017-0929, allowing unauthenticated attackers to execute arbitrary GET requests against target systems, including internal or adjacent networks. This vulnerability facilitates a semi-blind SSRF attack, allowing attackers to make the target server send requests to internal or external URLs without viewing the full responses. Potential impacts include internal network reconnaissance, bypassing firewalls. This vulnerability is fixed in 9.13.8.
AnalysisAI
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.
Technical ContextAI
This vulnerability is classified as Server-Side Request Forgery (SSRF) (CWE-918), which allows attackers to make the server perform requests to unintended internal or external resources. DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. A bypass has been identified for the previously known vulnerability CVE-2017-0929, allowing unauthenticated attackers to execute arbitrary GET requests against target systems, including internal or adjacent networks. This vulnerability facilitates a semi-blind SSRF attack, allowing attackers to make the target server send requests to internal or external URLs without viewing the full responses. Potential impacts include internal network reconnaissance, bypassing firewalls. This vulnerability is fixed in 9.13.8. Affected products include: Dnnsoftware Dotnetnuke.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Validate and allowlist destination URLs, block requests to internal networks, use network segmentation.
More in Dotnetnuke
View allDNN (DotNetNuke) CMS versions 6.0.0 through 10.0.0 contain a vulnerability that can expose NTLM hashes to a third-party
DNN (formerly DotNetNuke) through 9.4.4 allows Path Traversal (issue 2 of 2). Rated high severity (CVSS 8.8), this vulne
DNN (formerly DotNetNuke) through 9.4.4 has Insecure Permissions. Rated medium severity (CVSS 6.5), this vulnerability i
DotNetNuke 9.5 contains a persistent cross-site scripting vulnerability that allows normal users to upload malicious XML
Stored Cross-Site Scripting in DotNetNuke (DNN) Version before 9.4.0 allows remote attackers to store and embed the mali
DNN (formerly DotNetNuke) through 9.4.4 allows XSS (issue 1 of 2). Rated medium severity (CVSS 5.4), this vulnerability
DNN (DotNetNuke) CMS has a stored XSS vulnerability (CVSS 9.1) allowing persistent script injection that executes for al
Relative Path Traversal in GitHub repository dnnsoftware/dnn.platform prior to 9.11.0. Rated medium severity (CVSS 4.9),
There is an information disclosure issue in DNN (formerly DotNetNuke) 9.5 within the built-in Activity-Feed/Messaging/Us
DotNetNuke versions prior to 9.13.10 and 10.2.0 allow arbitrary script execution in the Persona Bar administrative inter
Stored cross-site scripting in DNN versions 9.0.0 through 9.13.9 and 10.0.0 through 10.1.x allows high-privileged users
Stored cross-site scripting in DNN versions 9.0.0 through 9.13.9 and 10.0.0 through 10.1.x allows authenticated administ
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today