DNNSoftware Security Vulnerabilities

CVE-2020-5188

DNN (formerly DotNetNuke) through 9.4.4 has Insecure...

CVE-2020-5186

DNN (formerly DotNetNuke) through 9.4.4 allows XSS (issue 1 of...

CVE-2020-5187

DNN (formerly DotNetNuke) through 9.4.4 allows Path Traversal (issue 2 of...

CVE-2022-47053

An arbitrary file upload vulnerability in the Digital Assets Manager module of DNN Corp DotNetNuke v7.0.0 to v9.10.2 allows attackers to execute arbitrary code via a crafted SVG...

CVE-2018-18325

DNN (aka DotNetNuke) 9.2 through 9.2.2 uses a weak encryption algorithm to protect input parameters. NOTE: this issue exists because of an incomplete fix for...

CVE-2018-15811

DNN (aka DotNetNuke) 9.2 through 9.2.1 uses a weak encryption algorithm to protect input...

CVE-2018-15812

DNN (aka DotNetNuke) 9.2 through 9.2.1 incorrectly converts encryption key source values, resulting in lower than expected...

CVE-2018-18326

DNN (aka DotNetNuke) 9.2 through 9.2.2 incorrectly converts encryption key source values, resulting in lower than expected entropy. NOTE: this issue exists because of an incomplete fix for...

CVE-2022-2922

Relative Path Traversal in GitHub repository dnnsoftware/dnn.platform prior to...

CVE-2021-31858

DotNetNuke (DNN) 9.9.1 CMS is vulnerable to a Stored Cross-Site Scripting vulnerability in the user profile biography section which allows remote authenticated users to inject arbitrary code via a crafted...

CVE-2021-40186

The AppCheck research team identified a Server-Side Request Forgery (SSRF) vulnerability within the DNN CMS platform, formerly known as DotNetNuke. SSRF vulnerabilities allow the attacker to exploit the target system to make network requests on their behalf, allowing a range of possible attacks....

CVE-2020-11585

There is an information disclosure issue in DNN (formerly DotNetNuke) 9.5 within the built-in Activity-Feed/Messaging/Userid/ Message Center module. A registered user is able to enumerate any file in the Admin File Manager (other than ones contained in a secure folder) by sending themselves a...

CVE-2019-12562

Stored Cross-Site Scripting in DotNetNuke (DNN) Version before 9.4.0 allows remote attackers to store and embed the malicious script into the admin notification page. The exploit could be used to perfom any action with admin privileges such as managing content, adding users, uploading backdoors to....

CVE-2018-14486

DNN (formerly DotNetNuke) 9.1.1 allows cross-site scripting (XSS) via...

CVE-2017-0929

DNN (aka DotNetNuke) before 9.2.0 suffers from a Server-Side Request Forgery (SSRF) vulnerability in the DnnImageHandler class. Attackers may be able to access information about internal network...