Search for packages
| purl | pkg:nuget/DotNetNuke.Core@7.3.1.20 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-17y1-2fdf-57b1
Aliases: CVE-2015-2794 GHSA-x8f7-h444-97w4 |
Insecure Default Initialization of Resource The installation wizard in DotNetNuke (DNN) allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx. |
Affected by 26 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 25 other vulnerabilities. |
|
VCID-2dnh-g597-juce
Aliases: CVE-2018-18325 GHSA-j3g9-6fx5-gjv7 |
Inadequate Encryption Strength in DotNetNuke DNN (aka DotNetNuke) 9.2 through 9.2.2 uses a weak encryption algorithm to protect input parameters. NOTE: this issue exists because of an incomplete fix for CVE-2018-15811. |
Affected by 24 other vulnerabilities. |
|
VCID-38yt-swkk-nfbm
Aliases: CVE-2015-1566 GHSA-v76m-f5cx-8rg4 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
Affected by 1 other vulnerability. Affected by 26 other vulnerabilities. |
|
VCID-3b3m-76g5-5kfm
Aliases: CVE-2022-2922 GHSA-9w72-2f23-57gm |
DNN vulnerable to Relative Path Traversal DNN (GitHub repository dnnsoftware/dnn.platform) prior to 9.11.0 is vulnerable to Relative Path Traversal. Version 9.11.0 contains a patch for this issue. |
Affected by 16 other vulnerabilities. |
|
VCID-3e7c-8uk1-ruch
Aliases: CVE-2019-12562 GHSA-5whq-j5qg-wjvp |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Stored Cross-Site Scripting in DotNetNuke (DNN) allows remote attackers to store and embed the malicious script into the admin notification page. The exploit could be used to perfom any action with admin privileges such as managing content, adding users, uploading backdoors to the server, etc. Successful exploitation occurs when an admin user visits a notification page with stored cross-site scripting. |
Affected by 23 other vulnerabilities. |
|
VCID-7u59-m3nn-q3gj
Aliases: CVE-2026-40321 GHSA-ffq7-898w-9jc4 |
DotNetNuke.Core has stored cross-site-scripting (XSS) via SVG upload DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.2.2, a user could upload a specially crafted SVG file that could include scripts that can target both authenticated and unauthenticated DNN users. The impact is increased if the scripts are run by a power user. Version 10.2.2 patches the issue. |
Affected by 0 other vulnerabilities. |
|
VCID-e5pw-7tpb-qyb8
Aliases: CVE-2025-64094 GHSA-hmvq-8p83-cq52 |
DNN vulnerable to stored cross-site-scripting (XSS) via SVG upload Sanitization of the content of uploaded SVG files was not covering all possible XSS scenarios. |
Affected by 8 other vulnerabilities. |
|
VCID-erck-k36n-2yd2
Aliases: CVE-2025-59535 GHSA-wq2j-w9pm-7x2p |
DNN allows loading unused themes on anonymous clients through query parameters Arbitrary themes can be loaded through query parameters. If an installed theme had a vulnerability, even if it was not used on any page, this could be loaded on unsuspecting clients without knowledge of the site owner. |
Affected by 9 other vulnerabilities. |
|
VCID-f79t-dgkp-f3cy
Aliases: CVE-2017-9822 GHSA-x2rg-fmcv-crq5 |
Improper Input Validation DNN (aka DotNetNuke) has Remote Code Execution via a cookie, aka "2017-08 (Critical) Possible remote code execution on DNN sites." |
Affected by 1 other vulnerability. Affected by 26 other vulnerabilities. |
|
VCID-hdn9-z9eh-abfx
Aliases: CVE-2025-32372 GHSA-3f7v-qx94-666m |
DotNetNuke.Core Vulnerable to Server-Side Request Forgery (SSRF) A bypass has been identified for the previously known vulnerability CVE-2017-0929, allowing unauthenticated attackers to execute arbitrary GET requests against target systems, including internal or adjacent networks. |
Affected by 15 other vulnerabilities. |
|
VCID-jqs5-zkws-43bu
Aliases: CVE-2016-7119 GHSA-5c66-x4wm-rjfx |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting (XSS) vulnerability in the user-profile biography section in DotNetNuke (DNN) allows remote authenticated users to inject arbitrary web script or HTML via a crafted onclick attribute in an IMG element. |
Affected by 0 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-k8b8-4muv-gye5
Aliases: CVE-2026-40305 GHSA-fpj4-9qhx-5m6m |
DNN: Force Friend Request Acceptance DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 6.0.0 and prior to version 10.2.2, in the friends feature, a user could craft a request that would force the acceptance of a friend request on another user. Version 10.2.2 patches the issue. |
Affected by 0 other vulnerabilities. |
|
VCID-ky3u-4syg-3yat
Aliases: CVE-2022-47053 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') An arbitrary file upload vulnerability in the Digital Assets Manager module of DNN Corp DotNetNuke v7.0.0 to v9.10.2 allows attackers to execute arbitrary code via a crafted SVG file. |
Affected by 16 other vulnerabilities. |
|
VCID-m5hg-ajyc-3qf1
Aliases: CVE-2020-5187 GHSA-4qf5-7xc2-wqpg |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') DNN (formerly DotNetNuke) allows Path Traversal. |
Affected by 21 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-m9cg-wd76-zqcy
Aliases: CVE-2025-59539 GHSA-7rcc-q6rq-jpcm |
Duplicate This advisory duplicates another. |
Affected by 9 other vulnerabilities. |
|
VCID-msru-ycnu-zuhe
Aliases: CVE-2025-59545 GHSA-2qxc-mf4x-wr29 |
DNN Vulnerable to Stored Cross-Site Scripting (XSS) in the Prompt module The Prompt module allows execution of commands that can return raw HTML. Malicious input, even if sanitized for display elsewhere, can be executed when processed through certain commands, leading to potential script execution (XSS). |
Affected by 9 other vulnerabilities. |
|
VCID-nn2y-9sk9-kugc
Aliases: CVE-2025-48378 GHSA-m4hf-fxcg-cp34 |
DNN allows Stored Cross-Site Scripting (XSS) with svg files rendered inline Uploaded SVG files could contain scripts and if rendered inline those scripts could run allowing XSS attacks. |
Affected by 13 other vulnerabilities. |
|
VCID-pnw1-8knr-7qhc
Aliases: CVE-2021-40186 |
Affected by 16 other vulnerabilities. |
|
|
VCID-qscj-d21p-nfby
Aliases: CVE-2020-5186 GHSA-9phr-h5mx-4fp6 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') DNN (formerly DotNetNuke) allows XSS. |
Affected by 21 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-r799-28wr-23bu
Aliases: CVE-2026-24838 GHSA-w9pf-h6m6-v89h |
DotNetNuke.Core Vulnerable to Stored XSS via Module Title Module title supports richtext which could include scripts that would execute in certain scenarios. |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-s3s5-gwjg-rqgv
Aliases: GHSA-fcpv-w245-r2q7 |
DotNetNuke.Core security code analysis rules triggered The codebase raises code analysis warnings related to security, including CA3075, CA5366, CA5371, CA5368, CA5369, CA5372, CA5379, CA5350, and CA5351. Most of these deal with disabling DTD processing in XML documents, but also includes cryptographic algorithm choices. |
Affected by 0 other vulnerabilities. |
|
VCID-uc59-7c8z-6kbd
Aliases: CVE-2021-31858 |
Affected by 16 other vulnerabilities. |
|
|
VCID-v7s2-8wh8-kydw
Aliases: CVE-2025-48377 GHSA-79m3-rvx2-3qq9 |
Reflected Cross-Site Scripting (XSS) in module actions in edit mode A specially crafted URL may be constructed which can inject an XSS payload that is triggered by using some module actions. |
Affected by 13 other vulnerabilities. |
|
VCID-xn9v-vadd-zyd1
Aliases: CVE-2017-0929 GHSA-g8j6-m4p7-5rfq |
DNN (aka DotNetNuke) suffers from a Server-Side Request Forgery (SSRF) vulnerability in the DnnImageHandler class. Attackers may be able to access information about internal network resources. |
Affected by 3 other vulnerabilities. Affected by 28 other vulnerabilities. |
|
VCID-y61z-d6sj-qucc
Aliases: CVE-2025-59821 GHSA-jc4g-c8ww-5738 |
DNN vulnerable to Reflected Cross-Site Scripting (XSS) using url to profile A reflected cross-site scripting (XSS) vulnerability exists under certain conditions, using a specially crafter url to view a user profile |
Affected by 9 other vulnerabilities. |
|
VCID-y9ym-w5m9-e3bs
Aliases: CVE-2020-5188 GHSA-vjcm-j85r-7p68 |
Incorrect Resource Transfer Between Spheres DNN (formerly DotNetNuke) has Insecure Permissions. |
Affected by 21 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-zfex-gefk-byfa
Aliases: CVE-2025-59546 GHSA-gj8m-5492-q98h |
DNN Vulnerable to Stored XSS Using Backend Admin Credentials Users that can edit modules could set a title that includes scripts. |
Affected by 9 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||