How the CVE Works
The vulnerability in DNN.PLATFORM (CVE-2025-XXXX) stems from insufficient input sanitization in the Activity Feed Attachments endpoint. An attacker crafts a request whose attachment data carries a JavaScript payload; the payload is stored and later rendered, unencoded, in the activity feed. When other users view the feed, the script runs in their browser under the site's own origin, which is stored XSS: it enables session hijacking, page defacement, or malware distribution. The flaw is fixed in version 10.0.1.
DailyCVE Form
Platform: DNN.PLATFORM
Version: <10.0.1
Vulnerability: Stored XSS
Severity: Moderate
Date: Jun 20, 2025
Prediction: Patch expected by Jul 10, 2025
What Undercode Say
Check DNN version (PowerShell on the web server; adjust the path to your site root):
Get-ChildItem "C:\inetpub\wwwroot\DNN\bin\DotNetNuke.dll" | Select-Object -ExpandProperty VersionInfo
Exploit PoC (simplified: the raw body stands in for whatever field layout the endpoint actually accepts, and no session cookie is shown):
curl -X POST -d "<script>alert('XSS')</script>" https://target.com/ActivityFeed/Attachments
How Exploit
- Craft a malicious script payload (for example the <script> tag from the PoC above).
- Submit it via the Activity Feed Attachments endpoint so that it is stored.
- Execution triggers in the browser of any user who later views the feed.
Protection from this CVE
- Upgrade to 10.0.1.
- Sanitize user input and HTML-encode attachment names and descriptions wherever they are rendered.
- Implement CSP headers that disallow inline script, as a second layer in case encoding is missed.
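The bug class described under "How the CVE Works" and the output-encoding and CSP mitigations listed above, as an added JavaScript example that is not DNN code: a toy activity-feed renderer that concatenates stored attachment text into HTML (the vulnerable pattern) beside an output-encoded version with a restrictive Content-Security-Policy. The record fields, the /files/ route, the securityHeaders value and the third sample record (an event-handler variant added to show the encoder covers more than the <script> tag from the PoC) are assumptions for illustration.

```javascript
// Added example, not DNN code: a toy activity-feed renderer reproducing the
// stored-XSS pattern in this write-up beside an output-encoded version.
// Record fields, the /files/ route and the payloads are assumptions.

// Constructed sample records. The second carries the payload from the PoC;
// the third is an event-handler variant added to exercise the encoder.
const attachments = [
  { user: "alice", name: "report.pdf", description: "Q2 figures" },
  { user: "mallory", name: "<script>alert('XSS')</script>", description: "see attached" },
  { user: "mallory", name: "x.png", description: '<img src=x onerror="alert(document.cookie)">' },
];

// Vulnerable rendering: stored text lands in the page exactly as submitted.
function renderFeedUnsafe(records) {
  return records
    .map((r) => `<li><b>${r.user}</b> attached <a href="/files/${r.name}">${r.name}</a>: ${r.description}</li>`)
    .join("\n");
}

// Output encoding for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened rendering: every untrusted field is encoded for the context it lands in.
// The href path segment is percent-encoded so a file name cannot break out of the URL.
function renderFeedSafe(records) {
  return records
    .map(
      (r) =>
        `<li><b>${escapeHtml(r.user)}</b> attached ` +
        `<a href="/files/${encodeURIComponent(r.name)}">${escapeHtml(r.name)}</a>: ` +
        `${escapeHtml(r.description)}</li>`
    )
    .join("\n");
}

// Defence in depth (assumed policy): without 'unsafe-inline', the browser refuses
// to run an injected inline <script> or event handler even if encoding is missed.
const securityHeaders = {
  "Content-Security-Policy":
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'",
  "X-Content-Type-Options": "nosniff",
};

// Tester-side check over fetched feed HTML: does a raw <script> tag or an inline
// event handler inside a tag survive? Encoded text (&lt;img ... onerror=) does not match.
function containsActiveMarkup(html) {
  return /<script\b|<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Simulated feed response, the way a handler would assemble headers and body.
function serveFeed(records, { safe = true } = {}) {
  const body = safe ? renderFeedSafe(records) : renderFeedUnsafe(records);
  return { headers: safe ? securityHeaders : {}, body };
}

// Stand-alone demo.
console.log("unsafe feed carries active markup:", containsActiveMarkup(serveFeed(attachments, { safe: false }).body));
console.log("safe feed carries active markup:  ", containsActiveMarkup(serveFeed(attachments).body));
```

Run with node. The unsafe renderer emits the stored <script> tag and the onerror handler verbatim, so containsActiveMarkup flags it; the safe renderer emits only entity-encoded text, which the check (and a browser) treats as inert, and the CSP it ships blocks inline script as a fallback.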
Impact
- Session hijacking.
- Malware delivery.
- Data theft.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode