How the CVE Works
The vulnerability arises when DNN.PLATFORM processes user-supplied input via `TokenReplace` in certain `SkinObjects` without proper sanitization. Attackers can craft malicious URLs containing JavaScript payloads, which are then reflected in the output. When victims click the manipulated link, the script executes in their browser context, potentially leading to session hijacking, defacement, or data theft. The issue stems from insufficient input validation during token parsing, allowing arbitrary script injection.
DailyCVE Form
Platform: DNN.PLATFORM
Version: <10.0.1
Vulnerability: Reflected XSS
Severity: Moderate
Date: Jun 20, 2025
Prediction: Patch expected by Jul 10, 2025
What Undercode Say
Analytics:
curl -X GET "http://vulnerable-dnn/api/tokenreplace?input=<script>alert(1)</script>"
grep -r "TokenReplace" /DNN.Modules/
How Exploit:
http://target-dnn/page?malicious=<script>document.cookie</script>
Protection from this CVE:
- Upgrade to v10.0.1
- Sanitize `TokenReplace` inputs
- Enable CSP headers
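The "Sanitize `TokenReplace` inputs" item above, as an added C# example that is not DNN's own code: a simplified token replacer that copies a request value into markup verbatim, beside a version that HTML-encodes each substituted value. The `[QueryString:name]` syntax, the `TokenDemo` class and its method names are assumptions made for this sketch, and the sample template and query value are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text.RegularExpressions;

// Hypothetical, simplified token replacer (not DNN's TokenReplace implementation).
static class TokenDemo
{
    // Assumed token syntax for this sketch: [QueryString:name]
    static readonly Regex Token =
        new Regex(@"\[QueryString:(\w+)\]", RegexOptions.Compiled);

    // Unsafe: the request value is written into the markup exactly as received,
    // so any markup it contains becomes part of the page.
    public static string ReplaceRaw(string template, IDictionary<string, string> query) =>
        Token.Replace(template, m => Lookup(query, m.Groups[1].Value));

    // Hardened: every substituted value is HTML-encoded at the point of output.
    // This covers element content and quoted attribute values; values that land
    // in script blocks or URLs need the encoder for that context instead.
    public static string ReplaceEncoded(string template, IDictionary<string, string> query) =>
        Token.Replace(template,
            m => WebUtility.HtmlEncode(Lookup(query, m.Groups[1].Value)));

    // Unknown tokens resolve to an empty string rather than echoing the token.
    static string Lookup(IDictionary<string, string> query, string key) =>
        query.TryGetValue(key, out var value) ? value : string.Empty;

    static void Main()
    {
        // Constructed sample: a skin fragment and a query-string value.
        const string template =
            "<span class=\"crumb\">Results for [QueryString:q]</span>";
        var query = new Dictionary<string, string>
        {
            ["q"] = "<script>alert(1)</script>"
        };

        // First line keeps the tag intact; second line renders it as inert text.
        Console.WriteLine(ReplaceRaw(template, query));
        Console.WriteLine(ReplaceEncoded(template, query));
    }
}
```

Encoding at the substitution point protects every skin object that uses the replacer, whereas filtering individual request parameters leaves any token source that was overlooked still reflecting raw input.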
Impact:
- Session hijacking
- Data leakage
- UI manipulation
Sources:
Reported By: github.com