Skip to main content

Dotnetnuke CVE-2025-48378

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-05-23 security-advisories@github.com
6.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

3
Analysis Generated
Mar 28, 2026 - 18:43 vuln.today
Patch released
Mar 28, 2026 - 18:43 nvd
Patch available
CVE Published
May 23, 2025 - 16:15 nvd
MEDIUM 6.1

DescriptionGitHub Advisory

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 9.13.9, uploaded SVG files could contain scripts and if rendered inline those scripts could run allowing XSS attacks. Version 9.13.9 fixes the issue.

AnalysisAI

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 9.13.9, uploaded SVG files could contain scripts and if rendered inline those scripts could run allowing XSS attacks. Version 9.13.9 fixes the issue. Affected products include: Dnnsoftware Dotnetnuke. Version information: version 9.13.9.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2025-52488 HIGH POC
8.6 Jun 21

DNN (DotNetNuke) CMS versions 6.0.0 through 10.0.0 contain a vulnerability that can expose NTLM hashes to a third-party

CVE-2020-5187 HIGH POC
8.8 Feb 24

DNN (formerly DotNetNuke) through 9.4.4 allows Path Traversal (issue 2 of 2). Rated high severity (CVSS 8.8), this vulne

CVE-2020-5188 MEDIUM POC
6.5 Feb 24

DNN (formerly DotNetNuke) through 9.4.4 has Insecure Permissions. Rated medium severity (CVSS 6.5), this vulnerability i

CVE-2020-37103 MEDIUM POC
6.4 Feb 03

DotNetNuke 9.5 contains a persistent cross-site scripting vulnerability that allows normal users to upload malicious XML

CVE-2019-12562 MEDIUM POC
6.1 Sep 26

Stored Cross-Site Scripting in DotNetNuke (DNN) Version before 9.4.0 allows remote attackers to store and embed the mali

CVE-2020-5186 MEDIUM POC
5.4 Feb 24

DNN (formerly DotNetNuke) through 9.4.4 allows XSS (issue 1 of 2). Rated medium severity (CVSS 5.4), this vulnerability

CVE-2026-24838 CRITICAL
9.1 Jan 28

DNN (DotNetNuke) CMS has a stored XSS vulnerability (CVSS 9.1) allowing persistent script injection that executes for al

CVE-2022-2922 MEDIUM POC
4.9 Sep 30

Relative Path Traversal in GitHub repository dnnsoftware/dnn.platform prior to 9.11.0. Rated medium severity (CVSS 4.9),

CVE-2020-11585 MEDIUM POC
4.3 Apr 06

There is an information disclosure issue in DNN (formerly DotNetNuke) 9.5 within the built-in Activity-Feed/Messaging/Us

CVE-2026-24833 HIGH
7.6 Jan 28

DotNetNuke versions prior to 9.13.10 and 10.2.0 allow arbitrary script execution in the Persona Bar administrative inter

CVE-2026-24837 HIGH
7.6 Jan 28

Stored cross-site scripting in DNN versions 9.0.0 through 9.13.9 and 10.0.0 through 10.1.x allows high-privileged users

CVE-2026-24836 HIGH
7.6 Jan 28

Stored cross-site scripting in DNN versions 9.0.0 through 9.13.9 and 10.0.0 through 10.1.x allows authenticated administ

Share

CVE-2025-48378 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy