DNN vulnerable to stored cross-site-scripting (XSS) via SVG upload

6.4 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Description

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1, sanitization of the content of uploaded SVG files was not covering all possible XSS scenarios. This vulnerability exists because of an incomplete fix for CVE-2025-48378. This vulnerability is fixed in 10.1.1.

Basic Information

ID CVE-2025-64094

Source GitHub_M

Published Oct 28, 2025 at 21:44

Affected Product

Vendor dnnsoftware

Product Dnn.Platform

Version < 10.1.1

Affected Versions dnnsoftware Dnn.Platform < 10.1.1

CWE Classification

CWE-79

References

github.com /dnnsoftware/Dnn.Platform/security/advisories/GHSA-hmvq-8p83-cq52

{
    "lastseen": "",
    "description": "DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1,  sanitization of the content of uploaded SVG files was not covering all possible XSS scenarios. This vulnerability exists because of an incomplete fix for CVE-2025-48378. This vulnerability is fixed in 10.1.1.",
    "published": "2025-10-28T21:44:31.408Z",
    "modified": "2025-10-28T21:44:31.408Z",
    "type": "cve",
    "title": "DNN vulnerable to stored cross-site-scripting (XSS) via SVG upload",
    "source": "GitHub_M",
    "references": "https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-hmvq-8p83-cq52",
    "id": "CVE-2025-64094",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "dnnsoftware Dnn.Platform < 10.1.1",
    "sourceHref": "",
    "cvss": {
        "score": 6.4,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Dnn.Platform",
    "version": "< 10.1.1",
    "vendor": "dnnsoftware",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

DNN vulnerable to stored cross-site-scripting (XSS) via SVG upload_CVE-2025-64094