CVE-2025-48377
Published 2025-05-23
Priority: P4 · 26 · medium · CVSS 3.1: 5.4
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.20% (9.7th percentile)
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 9.13.9, a specially crafted URL may be constructed which can inject an XSS payload that is triggered by using some module actions. Version 9.13.9 fixes the issue.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dnnsoftware | dnn.platform | < 9.13.9 | 9.13.9 |
| dnnsoftware | dotnetnuke | < 9.13.9 | 9.13.9 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | v4.0 | 6.0 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
OSV
Reflected Cross-Site Scripting (XSS) in module actions in edit mode
osv·2025-05-23
CVE-2025-48377 [MEDIUM] Reflected Cross-Site Scripting (XSS) in module actions in edit mode
A specially crafted URL may be constructed which can inject an XSS payload that is triggered by using some module actions.
GHSA
Reflected Cross-Site Scripting (XSS) in module actions in edit mode
ghsa·2025-05-23
CVE-2025-48377 [MEDIUM] CWE-79 Reflected Cross-Site Scripting (XSS) in module actions in edit mode
A specially crafted URL may be constructed which can inject an XSS payload that is triggered by using some module actions.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-05-23: Published