MidnightBSD

Advisories for dnnsoftware

CVE-2006-3601 HIGH

** UNVERIFIABLE ** Unspecified vulnerability in an unspecified DNN Modules module for DotNetNuke (.net nuke) allows remote attackers to gain privileges via unspecified vectors, as used in an attack against the Microsoft France web site. NOTE: due to the lack of details and uncertainty about which product is affected, this claim is not independently verifiable.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2008-6399 MEDIUM

Unspecified vulnerability in DotNetNuke 4.5.2 through 4.9 allows remote attackers to "add additional roles to their user account" via unknown attack vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke 4.8.3
dnnsoftware dotnetnuke 4.9
dnnsoftware dotnetnuke 4.8.1
dnnsoftware dotnetnuke 4.8.4
dnnsoftware dotnetnuke 4.5.2
dnnsoftware dotnetnuke 4.8.2
CVE-2008-6540 MEDIUM

DotNetNuke before 4.8.2, during installation or upgrade, does not warn the administrator when the default (1) ValidationKey and (2) DecryptionKey values cannot be modified in the web.config file, which allows remote attackers to bypass intended access restrictions by using the default keys.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke 3.0.8
dnnsoftware dotnetnuke 1.0.7
dnnsoftware dotnetnuke 1.0.6
dnnsoftware dotnetnuke 3.3.5
dnnsoftware dotnetnuke 4.0
dnnsoftware dotnetnuke 1.0.10d
dnnsoftware dotnetnuke 2.1.1
dnnsoftware dotnetnuke 3.0.7
dnnsoftware dotnetnuke 1.0.10e
dnnsoftware dotnetnuke 1.0.9
dnnsoftware dotnetnuke 3.1.0
dnnsoftware dotnetnuke 1.0.8
dnnsoftware dotnetnuke 4.5.2
dnnsoftware dotnetnuke 3.0.11
dnnsoftware dotnetnuke 4.3.5
dnnsoftware dotnetnuke 2.1.2
dnnsoftware dotnetnuke *
CVE-2008-6541 MEDIUM

Unrestricted file upload vulnerability in the file manager module in DotNetNuke before 4.8.2 allows remote administrators to upload arbitrary files and gain privileges to the server via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke 3.0.8
dnnsoftware dotnetnuke 1.0.7
dnnsoftware dotnetnuke 1.0.6
dnnsoftware dotnetnuke 3.3.5
dnnsoftware dotnetnuke 4.0
dnnsoftware dotnetnuke 1.0.10d
dnnsoftware dotnetnuke 2.1.1
dnnsoftware dotnetnuke 3.0.7
dnnsoftware dotnetnuke 1.0.10e
dnnsoftware dotnetnuke 1.0.9
dnnsoftware dotnetnuke 3.1.0
dnnsoftware dotnetnuke 1.0.8
dnnsoftware dotnetnuke 4.5.2
dnnsoftware dotnetnuke 3.0.11
dnnsoftware dotnetnuke 4.3.5
dnnsoftware dotnetnuke 2.1.2
dnnsoftware dotnetnuke *
CVE-2008-6542 MEDIUM

Unspecified vulnerability in the Skin Manager in DotNetNuke before 4.8.2 allows remote authenticated administrators to perform "server-side execution of application logic" by uploading a static file that is converted into a dynamic script via unknown vectors related to HTM or HTML files.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke 3.0.8
dnnsoftware dotnetnuke 1.0.7
dnnsoftware dotnetnuke 1.0.6
dnnsoftware dotnetnuke 4.0
dnnsoftware dotnetnuke 1.0.10d
dnnsoftware dotnetnuke 2.1.1
dnnsoftware dotnetnuke 3.0.7
dnnsoftware dotnetnuke 1.0.10e
dnnsoftware dotnetnuke 1.0.9
dnnsoftware dotnetnuke 3.1.0
dnnsoftware dotnetnuke 1.0.8
dnnsoftware dotnetnuke 4.5.2
dnnsoftware dotnetnuke 3.0.11
dnnsoftware dotnetnuke 2.1.2
dnnsoftware dotnetnuke *
CVE-2008-6644 MEDIUM

Cross-site scripting (XSS) vulnerability in Default.aspx in DotNetNuke 4.8.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke 3.0.8
dnnsoftware dotnetnuke 4.8.1
dnnsoftware dotnetnuke 1.0.7
dnnsoftware dotnetnuke 1.0.6
dnnsoftware dotnetnuke 3.3.5
dnnsoftware dotnetnuke 4.0
dnnsoftware dotnetnuke 1.0.10d
dnnsoftware dotnetnuke 2.1.1
dnnsoftware dotnetnuke 4.8.2
dnnsoftware dotnetnuke 3.0.7
dnnsoftware dotnetnuke 1.0.10e
dnnsoftware dotnetnuke 1.0.9
dnnsoftware dotnetnuke 3.1.0
dnnsoftware dotnetnuke 1.0.8
dnnsoftware dotnetnuke 4.5.2
dnnsoftware dotnetnuke 3.0.11
dnnsoftware dotnetnuke 4.3.5
dnnsoftware dotnetnuke 2.1.2
dnnsoftware dotnetnuke *
CVE-2008-6732 MEDIUM

Cross-site scripting (XSS) vulnerability in the Language skin object in DotNetNuke before 4.8.4 allows remote attackers to inject arbitrary web script or HTML via "newly generated paths."

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke 3.0.8
dnnsoftware dotnetnuke 4.8.1
dnnsoftware dotnetnuke 4.6.2
dnnsoftware dotnetnuke 4.8.0
dnnsoftware dotnetnuke 3.3.5
dnnsoftware dotnetnuke 1.0.10d
dnnsoftware dotnetnuke 2.1.1
dnnsoftware dotnetnuke 1.0.10e
dnnsoftware dotnetnuke 1.0.9
dnnsoftware dotnetnuke 3.1.0
dnnsoftware dotnetnuke 4.6.0
dnnsoftware dotnetnuke 4.5.2
dnnsoftware dotnetnuke 2.1.2
dnnsoftware dotnetnuke 4.6.1
dnnsoftware dotnetnuke 4.5.4
dnnsoftware dotnetnuke 1.0.7
dnnsoftware dotnetnuke 1.0.6
dnnsoftware dotnetnuke 4.0
dnnsoftware dotnetnuke 4.8.2
dnnsoftware dotnetnuke 4.5.5
dnnsoftware dotnetnuke 3.0.7
dnnsoftware dotnetnuke 4.7.0
dnnsoftware dotnetnuke 1.0.8
dnnsoftware dotnetnuke 3.0.11
dnnsoftware dotnetnuke 4.3.5
dnnsoftware dotnetnuke *
CVE-2008-6733 MEDIUM

Cross-site scripting (XSS) vulnerability in the error handling page in DotNetNuke 4.6.2 through 4.8.3 allows remote attackers to inject arbitrary web script or HTML via the querystring parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke 4.8.3
dnnsoftware dotnetnuke 4.8.1
dnnsoftware dotnetnuke 4.6.2
dnnsoftware dotnetnuke 4.8.2
CVE-2008-7100 MEDIUM

Unspecified vulnerability in DotNetNuke 4.4.1 through 4.8.4 allows remote authenticated users to bypass authentication and gain privileges via unknown vectors related to a "unique id" for user actions and improper validation of a "user identity."

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke 4.8.3
dnnsoftware dotnetnuke 4.8.1
dnnsoftware dotnetnuke 4.6.2
dnnsoftware dotnetnuke 4.8.0
dnnsoftware dotnetnuke 4.8.2
dnnsoftware dotnetnuke 4.5.5
dnnsoftware dotnetnuke 4.7.0
dnnsoftware dotnetnuke 4.8.4
dnnsoftware dotnetnuke 4.6.0
dnnsoftware dotnetnuke 4.5.2
dnnsoftware dotnetnuke 4.4.1
dnnsoftware dotnetnuke 4.6.1
dnnsoftware dotnetnuke 4.5.4
CVE-2008-7101 MEDIUM

Unspecified vulnerability in DotNetNuke 4.0 through 4.8.4 and 5.0 allows remote attackers to obtain sensitive information (portal number) by accessing the install wizard page via unknown vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke 5.0
dnnsoftware dotnetnuke 4.8.3
dnnsoftware dotnetnuke 4.8.1
dnnsoftware dotnetnuke 4.6.2
dnnsoftware dotnetnuke 4.8.0
dnnsoftware dotnetnuke 4.0
dnnsoftware dotnetnuke 4.8.2
dnnsoftware dotnetnuke 4.5.5
dnnsoftware dotnetnuke 4.7.0
dnnsoftware dotnetnuke 4.8.4
dnnsoftware dotnetnuke 4.6.0
dnnsoftware dotnetnuke 4.5.2
dnnsoftware dotnetnuke 4.3.5
dnnsoftware dotnetnuke 4.4.1
dnnsoftware dotnetnuke 4.6.1
dnnsoftware dotnetnuke 4.5.4
CVE-2008-7102 HIGH

DotNetNuke 2.0 through 4.8.4 allows remote attackers to load .ascx files instead of skin files, and possibly access privileged functionality, via unknown vectors related to parameter validation.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke 3.0.8
dnnsoftware dotnetnuke 4.8.3
dnnsoftware dotnetnuke 4.8.1
dnnsoftware dotnetnuke 4.6.2
dnnsoftware dotnetnuke 4.8.0
dnnsoftware dotnetnuke 3.3.5
dnnsoftware dotnetnuke 4.0
dnnsoftware dotnetnuke 2.1.1
dnnsoftware dotnetnuke 4.8.2
dnnsoftware dotnetnuke 4.5.5
dnnsoftware dotnetnuke 3.0.7
dnnsoftware dotnetnuke 4.7.0
dnnsoftware dotnetnuke 3.1.0
dnnsoftware dotnetnuke 4.8.4
dnnsoftware dotnetnuke 4.6.0
dnnsoftware dotnetnuke 4.5.2
dnnsoftware dotnetnuke 3.0.11
dnnsoftware dotnetnuke 4.3.5
dnnsoftware dotnetnuke 2.1.2
dnnsoftware dotnetnuke 4.4.1
dnnsoftware dotnetnuke 4.6.1
dnnsoftware dotnetnuke 4.5.4
CVE-2009-1366 MEDIUM

Cross-site scripting (XSS) vulnerability in Website\admin\Sales\paypalipn.aspx in DotNetNuke (DNN) before 4.9.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "name/value pairs" and "paypal IPN functionality."

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke 3.0.8
dnnsoftware dotnetnuke 4.8.1
dnnsoftware dotnetnuke 4.6.2
dnnsoftware dotnetnuke 4.8.0
dnnsoftware dotnetnuke 3.3.5
dnnsoftware dotnetnuke 1.0.10d
dnnsoftware dotnetnuke 2.1.1
dnnsoftware dotnetnuke 1.0.10e
dnnsoftware dotnetnuke 1.0.9
dnnsoftware dotnetnuke 4.9.1
dnnsoftware dotnetnuke 3.1.0
dnnsoftware dotnetnuke 4.8.4
dnnsoftware dotnetnuke 4.6.0
dnnsoftware dotnetnuke 4.5.2
dnnsoftware dotnetnuke 2.1.2
dnnsoftware dotnetnuke 4.6.1
dnnsoftware dotnetnuke 4.5.4
dnnsoftware dotnetnuke 4.8.3
dnnsoftware dotnetnuke 1.0.7
dnnsoftware dotnetnuke 1.0.6
dnnsoftware dotnetnuke 4.0
dnnsoftware dotnetnuke 4.8.2
dnnsoftware dotnetnuke 4.5.5
dnnsoftware dotnetnuke 3.0.7
dnnsoftware dotnetnuke 4.9
dnnsoftware dotnetnuke 4.7.0
dnnsoftware dotnetnuke 1.0.8
dnnsoftware dotnetnuke 3.0.11
dnnsoftware dotnetnuke 4.3.5
dnnsoftware dotnetnuke *
CVE-2009-4109 MEDIUM

The install wizard in DotNetNuke 4.0 through 5.1.4 does not prevent anonymous users from accessing functionality related to determination of the need for an upgrade, which allows remote attackers to access version information and possibly other sensitive information.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke 5.0
dnnsoftware dotnetnuke 4.8.1
dnnsoftware dotnetnuke 4.6.2
dnnsoftware dotnetnuke 4.8.0
dnnsoftware dotnetnuke 5.1.2
dnnsoftware dotnetnuke 5.1.4
dnnsoftware dotnetnuke 4.9.1
dnnsoftware dotnetnuke 4.8.4
dnnsoftware dotnetnuke 4.6.0
dnnsoftware dotnetnuke 4.5.2
dnnsoftware dotnetnuke 4.9.2
dnnsoftware dotnetnuke 4.4.1
dnnsoftware dotnetnuke 4.6.1
dnnsoftware dotnetnuke 4.5.4
dnnsoftware dotnetnuke 4.8.3
dnnsoftware dotnetnuke 5.1.1
dnnsoftware dotnetnuke 4.0
dnnsoftware dotnetnuke 4.8.2
dnnsoftware dotnetnuke 4.5.5
dnnsoftware dotnetnuke 4.9
dnnsoftware dotnetnuke 4.7.0
dnnsoftware dotnetnuke 5.1.3
dnnsoftware dotnetnuke 4.3.5
dnnsoftware dotnetnuke 5.1
CVE-2009-4110 MEDIUM

Cross-site scripting (XSS) vulnerability in the search functionality in DotNetNuke 4.8 through 5.1.4 allows remote attackers to inject arbitrary web script or HTML via search terms that are not properly filtered before display in a custom results page.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke 5.0
dnnsoftware dotnetnuke 4.8.3
dnnsoftware dotnetnuke 4.8.1
dnnsoftware dotnetnuke 5.1.1
dnnsoftware dotnetnuke 4.8.0
dnnsoftware dotnetnuke 5.1.2
dnnsoftware dotnetnuke 4.8.2
dnnsoftware dotnetnuke 4.9
dnnsoftware dotnetnuke 5.1.4
dnnsoftware dotnetnuke 4.9.1
dnnsoftware dotnetnuke 5.1.3
dnnsoftware dotnetnuke 4.8.4
dnnsoftware dotnetnuke 4.9.2
dnnsoftware dotnetnuke 5.1
CVE-2010-4514 MEDIUM

Cross-site scripting (XSS) vulnerability in Install/InstallWizard.aspx in DotNetNuke 5.05.01 and 5.06.00 allows remote attackers to inject arbitrary web script or HTML via the __VIEWSTATE parameter. NOTE: some of these details are obtained from third party information.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke 5.05.01
dnnsoftware dotnetnuke 5.06.00
CVE-2012-1030 MEDIUM

Cross-site scripting (XSS) vulnerability in DotNetNuke 6.x through 6.0.2 allows user-assisted remote attackers to inject arbitrary web script or HTML via a crafted URL containing text that is used within a modal popup.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke 6.0.2
dnnsoftware dotnetnuke 6.0.0
dnnsoftware dotnetnuke 6.0.1
CVE-2012-1036 MEDIUM

Cross-site scripting (XSS) vulnerability in the telerik HTML editor in DotNetNuke before 5.6.4 and 6.x before 6.1.0 allows remote attackers to inject arbitrary web script or HTML via a message.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
dotnetnuke dotnetnuke 4.9.5
dotnetnuke dotnetnuke 5.4.1
dotnetnuke dotnetnuke 5.2.0
dnnsoftware dotnetnuke 5.1.2
dotnetnuke dotnetnuke 4.9.3
dnnsoftware dotnetnuke 6.0.2
dotnetnuke dotnetnuke 5.4.2
dnnsoftware dotnetnuke 5.1.4
dnnsoftware dotnetnuke 4.9.1
dnnsoftware dotnetnuke 4.9.2
dotnetnuke dotnetnuke 5.3.0
dotnetnuke dotnetnuke 5.4.0
dnnsoftware dotnetnuke 6.0.1
dotnetnuke dotnetnuke 5.0.0
dotnetnuke dotnetnuke 4.9.0
dotnetnuke dotnetnuke 5.2.3
dotnetnuke dotnetnuke 4.9.4
dnnsoftware dotnetnuke 6.0.0
dotnetnuke dotnetnuke 5.5.1
dnnsoftware dotnetnuke 5.1.1
dotnetnuke dotnetnuke 5.3.1
dotnetnuke dotnetnuke 5.6.0
dotnetnuke dotnetnuke 5.4.4
dotnetnuke dotnetnuke 5.6.1
dnnsoftware dotnetnuke 5.1.3
dotnetnuke dotnetnuke 5.0.1
dotnetnuke dotnetnuke 5.6.2
dotnetnuke dotnetnuke 5.1.0
dnnsoftware dotnetnuke *
dotnetnuke dotnetnuke 5.2.2
dotnetnuke dotnetnuke 5.2.1
dotnetnuke dotnetnuke 5.4.3
dotnetnuke dotnetnuke 5.5.0
CVE-2017-0929 MEDIUM

DNN (aka DotNetNuke) before 9.2.0 suffers from a Server-Side Request Forgery (SSRF) vulnerability in the DnnImageHandler class. Attackers may be able to access information about internal network resources.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-918,

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2017-9822 MEDIUM

DNN (aka DotNetNuke) before 9.1.1 has Remote Code Execution via a cookie, aka "2017-08 (Critical) Possible remote code execution on DNN sites."

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,CWE-94,

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2018-14486 MEDIUM

DNN (formerly DotNetNuke) 9.1.1 allows cross-site scripting (XSS) via XML.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke 9.1.1
CVE-2018-15811 MEDIUM

DNN (aka DotNetNuke) 9.2 through 9.2.1 uses a weak encryption algorithm to protect input parameters.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-326,CWE-326,

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2018-15812 MEDIUM

DNN (aka DotNetNuke) 9.2 through 9.2.1 incorrectly converts encryption key source values, resulting in lower than expected entropy.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-331,

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2018-18325 MEDIUM

DNN (aka DotNetNuke) 9.2 through 9.2.2 uses a weak encryption algorithm to protect input parameters. NOTE: this issue exists because of an incomplete fix for CVE-2018-15811.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-326,CWE-326,

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2018-18326 MEDIUM

DNN (aka DotNetNuke) 9.2 through 9.2.2 incorrectly converts encryption key source values, resulting in lower than expected entropy. NOTE: this issue exists because of an incomplete fix for CVE-2018-15812.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-331,

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2019-12562 MEDIUM

Stored Cross-Site Scripting in DotNetNuke (DNN) Version before 9.4.0 allows remote attackers to store and embed the malicious script into the admin notification page. The exploit could be used to perfom any action with admin privileges such as managing content, adding users, uploading backdoors to the server, etc. Successful exploitation occurs when an admin user visits a notification page with stored cross-site scripting.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2020-11585 MEDIUM

There is an information disclosure issue in DNN (formerly DotNetNuke) 9.5 within the built-in Activity-Feed/Messaging/Userid/ Message Center module. A registered user is able to enumerate any file in the Admin File Manager (other than ones contained in a secure folder) by sending themselves a message with the file attached, e.g., by using an arbitrary small integer value in the fileIds parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-330,CWE-639,

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke 9.5.0
CVE-2020-37103

DotNetNuke 9.5 contains a persistent cross-site scripting vulnerability that allows normal users to upload malicious XML files with executable scripts through journal tools. Attackers can upload XML files with XHTML namespace scripts to execute arbitrary JavaScript in users' browsers, potentially bypassing CSRF protections and performing more damaging attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
disclosure@vulncheck.com 6.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N 3.1 2.7

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2020-5186 LOW

DNN (formerly DotNetNuke) through 9.4.4 allows XSS (issue 1 of 2).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2020-5187 MEDIUM

DNN (formerly DotNetNuke) through 9.4.4 allows Path Traversal (issue 2 of 2).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2020-5188 MEDIUM

DNN (formerly DotNetNuke) through 9.4.4 has Insecure Permissions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,CWE-669,

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2021-31858

DotNetNuke (DNN) 9.9.1 CMS is vulnerable to a Stored Cross-Site Scripting vulnerability in the user profile biography section which allows remote authenticated users to inject arbitrary code via a crafted payload.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2021-40186 MEDIUM

The AppCheck research team identified a Server-Side Request Forgery (SSRF) vulnerability within the DNN CMS platform, formerly known as DotNetNuke. SSRF vulnerabilities allow the attacker to exploit the target system to make network requests on their behalf, allowing a range of possible attacks. In the most common scenario, the attacker exploits SSRF vulnerabilities to attack systems behind the firewall and access sensitive information from Cloud Provider metadata services.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
info@appcheck-ng.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-918,CWE-918,

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2022-2922

Relative Path Traversal in GitHub repository dnnsoftware/dnn.platform prior to 9.11.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2022-47053

An arbitrary file upload vulnerability in the Digital Assets Manager module of DNN Corp DotNetNuke v7.0.0 to v9.10.2 allows attackers to execute arbitrary code via a crafted SVG file.

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2025-32035

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 9.13.2, when uploading files (e.g. when uploading assets), the file extension is checked to see if it's an allowed file type but the actual contents of the file aren't checked. This means that it's possible to e.g. upload an executable file renamed to be a .jpg. This file could then be executed by another security vulnerability. This vulnerability is fixed in 9.13.2.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 2.6 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N 1.2 1.4
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2025-32036

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. The algorithm used to generate the captcha image shows the least complexity of the desired image. For this reason, the created image can be easily read by OCR tools, and the intruder can send automatic requests by building a robot and using this tool. This vulnerability is fixed in 9.13.8.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5
security-advisories@github.com 4.2 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N 1.6 2.5

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2025-32371

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. A url could be crafted to the DNN ImageHandler to render text from a querystring parameter. This text would display in the resulting image and a user that trusts the domain might think that the information is legitimate. This vulnerability is fixed in 9.13.4.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2025-32372

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. A bypass has been identified for the previously known vulnerability CVE-2017-0929, allowing unauthenticated attackers to execute arbitrary GET requests against target systems, including internal or adjacent networks. This vulnerability facilitates a semi-blind SSRF attack, allowing attackers to make the target server send requests to internal or external URLs without viewing the full responses. Potential impacts include internal network reconnaissance, bypassing firewalls. This vulnerability is fixed in 9.13.8.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2025-32373

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In limited configurations, registered users may be able to craft a request to enumerate/access some portal files they should not have access to. This vulnerability is fixed in 9.13.8.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2025-32374

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Possible denial of service with specially crafted information in the public registration form. This vulnerability is fixed in 9.13.8.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2025-48376

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 9.13.9, a malicious SuperUser (Host) could craft a request to use an external url for a site export to then be imported. Version 9.13.9 fixes the issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L 0.9 2.5

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2025-48377

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 9.13.9, a specially crafted URL may be constructed which can inject an XSS payload that is triggered by using some module actions. Version 9.13.9 fixes the issue.

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2025-48378

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 9.13.9, uploaded SVG files could contain scripts and if rendered inline those scripts could run allowing XSS attacks. Version 9.13.9 fixes the issue.

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2025-52485

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted request to inject scripts in the Activity Feed Attachments endpoint which will then render in the feed. This issue has been patched in version 10.0.1.

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2025-52486

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows specially crafted content in URLs to be used with TokenReplace and not be properly sanitized by some SkinObjects. This issue has been patched in version 10.0.1.

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2025-52487

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 7.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted request or proxy to be created that could bypass the design of DNN Login IP Filters allowing login attempts from IP Addresses not in the allow list. This issue has been patched in version 10.0.1.

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2025-52488

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted series of malicious interaction to potentially expose NTLM hashes to a third party SMB server. This issue has been patched in version 10.0.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N 3.9 4.0

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2025-59535

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, arbitrary themes can be loaded through query parameters. If an installed theme had a vulnerability, even if it was not used on any page, this could be loaded on unsuspecting clients without knowledge of the site owner. This issue has been patched in version 10.1.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L 3.9 2.5

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2025-59539

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, when embedding information in the Biography field, even if that field is not rich-text, users could inject javascript code that would run in the context of the website and to any other user that can view the profile including administrators and/or superusers. This issue has been patched in version 10.1.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L 2.8 3.4
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke 10.1.0
dnnsoftware dotnetnuke *
CVE-2025-59545

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, the Prompt module allows execution of commands that can return raw HTML. Malicious input, even if sanitized for display elsewhere, can be executed when processed through certain commands, leading to potential script execution (XSS). This issue has been patched in version 10.1.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 9.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H 2.3 6.0

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2025-59546

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, administrators and content editors can set html in module titles that could include javascript which could be used for XSS based attacks. This issue has been patched in version 10.1.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 2.4 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N 0.9 1.4
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2025-59547

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, the CKEditor file upload endpoint has insufficient sanitization for filenames allowing probing network endpoints. A specially crafted request can be made to upload a file with Unicode characters, which would be translated into a path that could expose resources in the internal network of the hosted site. This issue has been patched in version 10.1.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
security-advisories@github.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2025-59548

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, specially crafted URLs to the FileBrowser are vulnerable to javascript injection, affecting any unsuspecting user clicking such link. This issue has been patched in version 10.1.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2025-59821

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, DNN’s URL/path handling and template rendering can allow specially crafted input to be reflected into a user profile that is returned to the browser. In these cases, the application does not sufficiently neutralize or encode characters that are meaningful in HTML, so an attacker can cause a victim’s browser to interpret attacker-controlled content as part of the page’s HTML. This issue has been patched in version 10.1.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
security-advisories@github.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2025-62802

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1, the out-of-box experience for HTML editing allows unauthenticated users to upload files. This opens a potential vector to other security issues and is not needed on most implementations. This vulnerability is fixed in 10.1.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2025-64094

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1, sanitization of the content of uploaded SVG files was not covering all possible XSS scenarios. This vulnerability exists because of an incomplete fix for CVE-2025-48378. This vulnerability is fixed in 10.1.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N 3.1 2.7

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2025-64095

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1, the default HTML editor provider allows unauthenticated file uploads and images can overwrite existing files. An unauthenticated user can upload and replace existing files allowing defacing a website and combined with other issue, injection XSS payloads. This vulnerability is fixed in 10.1.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 3.9 6.0

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2026-24784

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a content editor could inject scripts in module headers/footers that would run for other users. Versions 9.13.10 and 10.2.0 contain a fix for the issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N 2.3 4.0

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2026-24833

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, a module could install with richtext in its description field which could contain scripts that will run for user in the Persona Bar. Versions 9.13.10 and 10.2.0 contain a fix for the issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.6 HIGH CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H 1.0 6.0

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2026-24836

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, extensions could write richtext in log notes which can include scripts that would run in the PersonaBar when displayed. Versions 9.13.10 and 10.2.0 contain a fix for the issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.6 HIGH CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H 1.0 6.0

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2026-24837

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a module friendly name could include scripts that will run during some module operations in the Persona Bar. Versions 9.13.10 and 10.2.0 contain a fix for the issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.6 HIGH CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H 1.0 6.0

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2026-24838

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, module title supports richtext which could include scripts that would execute in certain scenarios. Versions 9.13.10 and 10.2.0 contain a fix for the issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 2.3 6.0

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2026-40305

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 6.0.0 and prior to version 10.2.2, in the friends feature, a user could craft a request that would force the acceptance of a friend request on another user. Version 10.2.2 patches the issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2026-40306

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. All new installations of DNN 10.x.x - 10.2.1 have the same Host GUID. This does not affect upgrades from 9.x.x. Version 10.2.2 patches the issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *
CVE-2026-40321

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.2.2, a user could upload a specially crafted SVG file that could include scripts that can target both authenticated and unauthenticated DNN users. The impact is increased if the scripts are run by a power user. Version 10.2.2 patches the issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 8.0 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H 1.3 6.0

Products Affected

Vendor Product Version
dnnsoftware dotnetnuke *