CVE-2025-48378
published 2025-05-23CVE-2025-48378: DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 9.13.9, uploaded SVG files could…
PriorityP425medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EPSS
0.24%
15.5th percentile
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 9.13.9, uploaded SVG files could contain scripts and if rendered inline those scripts could run allowing XSS attacks. Version 9.13.9 fixes the issue.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dnnsoftware | dnn.platform | < 10.1.1 | 10.1.1 |
| dnnsoftware | dotnetnuke | < 10.1.1 | 10.1.1 |
| dnnsoftware | dotnetnuke | < 9.13.9 | 9.13.9 |
CVSS provenance
nvdv3.15.4MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvdv4.06.1MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ghsa6.1MEDIUM
osv6.1MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
DNN vulnerable to stored cross-site-scripting (XSS) via SVG upload
osv·2025-10-29·CVSS 6.1
CVE-2025-64094 [MEDIUM] DNN vulnerable to stored cross-site-scripting (XSS) via SVG upload
DNN vulnerable to stored cross-site-scripting (XSS) via SVG upload
### Summary
Sanitization of the content of uploaded SVG files was not covering all possible XSS scenarios.
### Details
DNN validates the contents of SVG's to ensure they are valid and do not contain any malicious code. These checks were introduced as part of `CVE-2025-48378`.
However, the checks to ensure there are no script elements within the SVG files are not comprehensive and may allow some malicious SVG files to be uploaded.
As this vulnerability allows for the execution of arbitrary JavaScript code within the context of the user's browser, it can lead to a range of attacks, including data exfiltration, session hijacking, and defacement of the web application to name a few.
GHSA
DNN vulnerable to stored cross-site-scripting (XSS) via SVG upload
ghsa·2025-10-29·CVSS 6.1
CVE-2025-64094 [MEDIUM] CWE-79 DNN vulnerable to stored cross-site-scripting (XSS) via SVG upload
DNN vulnerable to stored cross-site-scripting (XSS) via SVG upload
### Summary
Sanitization of the content of uploaded SVG files was not covering all possible XSS scenarios.
### Details
DNN validates the contents of SVG's to ensure they are valid and do not contain any malicious code. These checks were introduced as part of `CVE-2025-48378`.
However, the checks to ensure there are no script elements within the SVG files are not comprehensive and may allow some malicious SVG files to be uploaded.
As this vulnerability allows for the execution of arbitrary JavaScript code within the context of the user's browser, it can lead to a range of attacks, including data exfiltration, session hijacking, and defacement of the web application to name a few.
OSV
DNN allows Stored Cross-Site Scripting (XSS) with svg files rendered inline
osv·2025-05-23
CVE-2025-48378 [MEDIUM] DNN allows Stored Cross-Site Scripting (XSS) with svg files rendered inline
DNN allows Stored Cross-Site Scripting (XSS) with svg files rendered inline
Uploaded SVG files could contain scripts and if rendered inline those scripts could run allowing XSS attacks.
GHSA
DNN allows Stored Cross-Site Scripting (XSS) with svg files rendered inline
ghsa·2025-05-23
CVE-2025-48378 [MEDIUM] CWE-79 DNN allows Stored Cross-Site Scripting (XSS) with svg files rendered inline
DNN allows Stored Cross-Site Scripting (XSS) with svg files rendered inline
Uploaded SVG files could contain scripts and if rendered inline those scripts could run allowing XSS attacks.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-05-23
Published