DotNetNuke.Core allows loading of unused themes on anonymous clients through...

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Description

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, arbitrary themes can be loaded through query parameters. If an installed theme had a vulnerability, even if it was not used on any page, this could be loaded on unsuspecting clients without knowledge of the site owner. This issue has been patched in version 10.1.0.

Basic Information

ID CVE-2025-59535

Source GitHub_M

Published Sep 22, 2025 at 20:59

Affected Product

Vendor dnnsoftware

Product Dnn.Platform

Version < 10.1.0

Affected Versions dnnsoftware Dnn.Platform < 10.1.0

CWE Classification

CWE-20 CWE-200 CWE-829

References

{
    "lastseen": "",
    "description": "DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, arbitrary themes can be loaded through query parameters. If an installed theme had a vulnerability, even if it was not used on any page, this could be loaded on unsuspecting clients without knowledge of the site owner. This issue has been patched in version 10.1.0.",
    "published": "2025-09-22T20:59:03.801Z",
    "modified": "2025-09-22T20:59:03.801Z",
    "type": "cve",
    "title": "DotNetNuke.Core allows loading of unused themes on anonymous clients through query parameters",
    "source": "GitHub_M",
    "references": "https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-wq2j-w9pm-7x2p\nhttps://github.com/dnnsoftware/Dnn.Platform/commit/72f30f69fd2214d77f6c2577dfcca495a24caf5c\nhttps://github.com/dnnsoftware/Dnn.Platform/blob/develop/DNN%20Platform/Library/UI/Skins/Skin.cs#L305",
    "id": "CVE-2025-59535",
    "bulletinFamily": "",
    "cwe": [
        "CWE-20",
        "CWE-200",
        "CWE-829"
    ],
    "cvelist": null,
    "sourceData": "dnnsoftware Dnn.Platform < 10.1.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Dnn.Platform",
    "version": "< 10.1.0",
    "vendor": "dnnsoftware",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

DotNetNuke.Core allows loading of unused themes on anonymous clients through query parameters_CVE-2025-59535