dnnsoftware CVE Vulnerabilities & Metrics

Focus on dnnsoftware vulnerabilities and metrics.

Last updated: 13 Jul 2026, 22:25 UTC

About dnnsoftware Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with dnnsoftware. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total dnnsoftware CVEs: 50
Earliest CVE date: 31 Dec 2004, 05:00 UTC
Latest CVE date: 17 Apr 2026, 22:16 UTC

Latest CVE reference: CVE-2026-40321

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 19

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 46.15%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 46.15%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical dnnsoftware CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 2.73

Max CVSS: 10.0

Critical CVEs (≥9): 1

CVSS Range vs. Count

Range Count
0.0-3.9 38
4.0-6.9 34
7.0-8.9 3
9.0-10.0 1

CVSS Distribution Chart

Top 5 Highest CVSS dnnsoftware CVEs

These are the five CVEs with the highest CVSS scores for dnnsoftware, sorted by severity first and recency.

All CVEs for dnnsoftware

CVE-2026-40321 dnnsoftware vulnerability CVSS: 0 17 Apr 2026, 22:16 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.2.2, a user could upload a specially crafted SVG file that could include scripts that can target both authenticated and unauthenticated DNN users. The impact is increased if the scripts are run by a power user. Version 10.2.2 patches the issue.

CVE-2026-40306 dnnsoftware vulnerability CVSS: 0 17 Apr 2026, 22:16 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. All new installations of DNN 10.x.x - 10.2.1 have the same Host GUID. This does not affect upgrades from 9.x.x. Version 10.2.2 patches the issue.

CVE-2026-40305 dnnsoftware vulnerability CVSS: 0 17 Apr 2026, 22:16 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 6.0.0 and prior to version 10.2.2, in the friends feature, a user could craft a request that would force the acceptance of a friend request on another user. Version 10.2.2 patches the issue.

CVE-2020-37103 dnnsoftware vulnerability CVSS: 0 03 Feb 2026, 18:16 UTC

DotNetNuke 9.5 contains a persistent cross-site scripting vulnerability that allows normal users to upload malicious XML files with executable scripts through journal tools. Attackers can upload XML files with XHTML namespace scripts to execute arbitrary JavaScript in users' browsers, potentially bypassing CSRF protections and performing more damaging attacks.

CVE-2026-24838 dnnsoftware vulnerability CVSS: 0 28 Jan 2026, 01:16 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, module title supports richtext which could include scripts that would execute in certain scenarios. Versions 9.13.10 and 10.2.0 contain a fix for the issue.

CVE-2026-24837 dnnsoftware vulnerability CVSS: 0 28 Jan 2026, 00:15 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a module friendly name could include scripts that will run during some module operations in the Persona Bar. Versions 9.13.10 and 10.2.0 contain a fix for the issue.

CVE-2026-24836 dnnsoftware vulnerability CVSS: 0 28 Jan 2026, 00:15 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, extensions could write richtext in log notes which can include scripts that would run in the PersonaBar when displayed. Versions 9.13.10 and 10.2.0 contain a fix for the issue.

CVE-2026-24833 dnnsoftware vulnerability CVSS: 0 28 Jan 2026, 00:15 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, a module could install with richtext in its description field which could contain scripts that will run for user in the Persona Bar. Versions 9.13.10 and 10.2.0 contain a fix for the issue.

CVE-2026-24784 dnnsoftware vulnerability CVSS: 0 28 Jan 2026, 00:15 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a content editor could inject scripts in module headers/footers that would run for other users. Versions 9.13.10 and 10.2.0 contain a fix for the issue.

CVE-2025-64095 dnnsoftware vulnerability CVSS: 0 28 Oct 2025, 22:15 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1, the default HTML editor provider allows unauthenticated file uploads and images can overwrite existing files. An unauthenticated user can upload and replace existing files allowing defacing a website and combined with other issue, injection XSS payloads. This vulnerability is fixed in 10.1.1.

CVE-2025-64094 dnnsoftware vulnerability CVSS: 0 28 Oct 2025, 22:15 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1, sanitization of the content of uploaded SVG files was not covering all possible XSS scenarios. This vulnerability exists because of an incomplete fix for CVE-2025-48378. This vulnerability is fixed in 10.1.1.

CVE-2025-62802 dnnsoftware vulnerability CVSS: 0 28 Oct 2025, 22:15 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1, the out-of-box experience for HTML editing allows unauthenticated users to upload files. This opens a potential vector to other security issues and is not needed on most implementations. This vulnerability is fixed in 10.1.1.

CVE-2025-59821 dnnsoftware vulnerability CVSS: 0 23 Sep 2025, 18:15 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, DNN’s URL/path handling and template rendering can allow specially crafted input to be reflected into a user profile that is returned to the browser. In these cases, the application does not sufficiently neutralize or encode characters that are meaningful in HTML, so an attacker can cause a victim’s browser to interpret attacker-controlled content as part of the page’s HTML. This issue has been patched in version 10.1.0.

CVE-2025-59548 dnnsoftware vulnerability CVSS: 0 23 Sep 2025, 18:15 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, specially crafted URLs to the FileBrowser are vulnerable to javascript injection, affecting any unsuspecting user clicking such link. This issue has been patched in version 10.1.0.

CVE-2025-59547 dnnsoftware vulnerability CVSS: 0 23 Sep 2025, 18:15 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, the CKEditor file upload endpoint has insufficient sanitization for filenames allowing probing network endpoints. A specially crafted request can be made to upload a file with Unicode characters, which would be translated into a path that could expose resources in the internal network of the hosted site. This issue has been patched in version 10.1.0.

CVE-2025-59546 dnnsoftware vulnerability CVSS: 0 23 Sep 2025, 18:15 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, administrators and content editors can set html in module titles that could include javascript which could be used for XSS based attacks. This issue has been patched in version 10.1.0.

CVE-2025-59545 dnnsoftware vulnerability CVSS: 0 23 Sep 2025, 18:15 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, the Prompt module allows execution of commands that can return raw HTML. Malicious input, even if sanitized for display elsewhere, can be executed when processed through certain commands, leading to potential script execution (XSS). This issue has been patched in version 10.1.0.

CVE-2025-59539 dnnsoftware vulnerability CVSS: 0 23 Sep 2025, 18:15 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, when embedding information in the Biography field, even if that field is not rich-text, users could inject javascript code that would run in the context of the website and to any other user that can view the profile including administrators and/or superusers. This issue has been patched in version 10.1.0.

CVE-2025-59535 dnnsoftware vulnerability CVSS: 0 22 Sep 2025, 21:16 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, arbitrary themes can be loaded through query parameters. If an installed theme had a vulnerability, even if it was not used on any page, this could be loaded on unsuspecting clients without knowledge of the site owner. This issue has been patched in version 10.1.0.

CVE-2025-52488 dnnsoftware vulnerability CVSS: 0 21 Jun 2025, 03:15 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted series of malicious interaction to potentially expose NTLM hashes to a third party SMB server. This issue has been patched in version 10.0.1.

CVE-2025-52487 dnnsoftware vulnerability CVSS: 0 21 Jun 2025, 03:15 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 7.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted request or proxy to be created that could bypass the design of DNN Login IP Filters allowing login attempts from IP Addresses not in the allow list. This issue has been patched in version 10.0.1.

CVE-2025-52486 dnnsoftware vulnerability CVSS: 0 21 Jun 2025, 03:15 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows specially crafted content in URLs to be used with TokenReplace and not be properly sanitized by some SkinObjects. This issue has been patched in version 10.0.1.

CVE-2025-52485 dnnsoftware vulnerability CVSS: 0 21 Jun 2025, 03:15 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted request to inject scripts in the Activity Feed Attachments endpoint which will then render in the feed. This issue has been patched in version 10.0.1.

CVE-2025-48378 dnnsoftware vulnerability CVSS: 0 23 May 2025, 16:15 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 9.13.9, uploaded SVG files could contain scripts and if rendered inline those scripts could run allowing XSS attacks. Version 9.13.9 fixes the issue.

CVE-2025-48377 dnnsoftware vulnerability CVSS: 0 23 May 2025, 16:15 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 9.13.9, a specially crafted URL may be constructed which can inject an XSS payload that is triggered by using some module actions. Version 9.13.9 fixes the issue.

CVE-2025-48376 dnnsoftware vulnerability CVSS: 0 23 May 2025, 16:15 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 9.13.9, a malicious SuperUser (Host) could craft a request to use an external url for a site export to then be imported. Version 9.13.9 fixes the issue.

CVE-2025-32374 dnnsoftware vulnerability CVSS: 0 09 Apr 2025, 16:15 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Possible denial of service with specially crafted information in the public registration form. This vulnerability is fixed in 9.13.8.

CVE-2025-32373 dnnsoftware vulnerability CVSS: 0 09 Apr 2025, 16:15 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In limited configurations, registered users may be able to craft a request to enumerate/access some portal files they should not have access to. This vulnerability is fixed in 9.13.8.

CVE-2025-32372 dnnsoftware vulnerability CVSS: 0 09 Apr 2025, 16:15 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. A bypass has been identified for the previously known vulnerability CVE-2017-0929, allowing unauthenticated attackers to execute arbitrary GET requests against target systems, including internal or adjacent networks. This vulnerability facilitates a semi-blind SSRF attack, allowing attackers to make the target server send requests to internal or external URLs without viewing the full responses. Potential impacts include internal network reconnaissance, bypassing firewalls. This vulnerability is fixed in 9.13.8.

CVE-2025-32371 dnnsoftware vulnerability CVSS: 0 09 Apr 2025, 16:15 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. A url could be crafted to the DNN ImageHandler to render text from a querystring parameter. This text would display in the resulting image and a user that trusts the domain might think that the information is legitimate. This vulnerability is fixed in 9.13.4.

CVE-2025-32036 dnnsoftware vulnerability CVSS: 0 08 Apr 2025, 18:16 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. The algorithm used to generate the captcha image shows the least complexity of the desired image. For this reason, the created image can be easily read by OCR tools, and the intruder can send automatic requests by building a robot and using this tool. This vulnerability is fixed in 9.13.8.

CVE-2025-32035 dnnsoftware vulnerability CVSS: 0 08 Apr 2025, 18:16 UTC

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 9.13.2, when uploading files (e.g. when uploading assets), the file extension is checked to see if it's an allowed file type but the actual contents of the file aren't checked. This means that it's possible to e.g. upload an executable file renamed to be a .jpg. This file could then be executed by another security vulnerability. This vulnerability is fixed in 9.13.2.

CVE-2022-47053 dnnsoftware vulnerability CVSS: 0 12 Apr 2023, 13:15 UTC

An arbitrary file upload vulnerability in the Digital Assets Manager module of DNN Corp DotNetNuke v7.0.0 to v9.10.2 allows attackers to execute arbitrary code via a crafted SVG file.

CVE-2022-2922 dnnsoftware vulnerability CVSS: 0 30 Sep 2022, 07:15 UTC

Relative Path Traversal in GitHub repository dnnsoftware/dnn.platform prior to 9.11.0.

CVE-2021-31858 dnnsoftware vulnerability CVSS: 0 20 Jul 2022, 13:15 UTC

DotNetNuke (DNN) 9.9.1 CMS is vulnerable to a Stored Cross-Site Scripting vulnerability in the user profile biography section which allows remote authenticated users to inject arbitrary code via a crafted payload.

CVE-2021-40186 dnnsoftware vulnerability CVSS: 5.0 02 Jun 2022, 14:15 UTC

The AppCheck research team identified a Server-Side Request Forgery (SSRF) vulnerability within the DNN CMS platform, formerly known as DotNetNuke. SSRF vulnerabilities allow the attacker to exploit the target system to make network requests on their behalf, allowing a range of possible attacks. In the most common scenario, the attacker exploits SSRF vulnerabilities to attack systems behind the firewall and access sensitive information from Cloud Provider metadata services.

CVE-2020-11585 dnnsoftware vulnerability CVSS: 4.0 06 Apr 2020, 21:15 UTC

There is an information disclosure issue in DNN (formerly DotNetNuke) 9.5 within the built-in Activity-Feed/Messaging/Userid/ Message Center module. A registered user is able to enumerate any file in the Admin File Manager (other than ones contained in a secure folder) by sending themselves a message with the file attached, e.g., by using an arbitrary small integer value in the fileIds parameter.

CVE-2020-5188 dnnsoftware vulnerability CVSS: 4.0 24 Feb 2020, 15:15 UTC

DNN (formerly DotNetNuke) through 9.4.4 has Insecure Permissions.

CVE-2020-5187 dnnsoftware vulnerability CVSS: 6.5 24 Feb 2020, 15:15 UTC

DNN (formerly DotNetNuke) through 9.4.4 allows Path Traversal (issue 2 of 2).

CVE-2020-5186 dnnsoftware vulnerability CVSS: 3.5 24 Feb 2020, 15:15 UTC

DNN (formerly DotNetNuke) through 9.4.4 allows XSS (issue 1 of 2).

CVE-2019-12562 dnnsoftware vulnerability CVSS: 4.3 26 Sep 2019, 20:15 UTC

Stored Cross-Site Scripting in DotNetNuke (DNN) Version before 9.4.0 allows remote attackers to store and embed the malicious script into the admin notification page. The exploit could be used to perfom any action with admin privileges such as managing content, adding users, uploading backdoors to the server, etc. Successful exploitation occurs when an admin user visits a notification page with stored cross-site scripting.

CVE-2018-18326 dnnsoftware vulnerability CVSS: 5.0 03 Jul 2019, 17:15 UTC

DNN (aka DotNetNuke) 9.2 through 9.2.2 incorrectly converts encryption key source values, resulting in lower than expected entropy. NOTE: this issue exists because of an incomplete fix for CVE-2018-15812.

CVE-2018-18325 dnnsoftware vulnerability CVSS: 5.0 03 Jul 2019, 17:15 UTC

DNN (aka DotNetNuke) 9.2 through 9.2.2 uses a weak encryption algorithm to protect input parameters. NOTE: this issue exists because of an incomplete fix for CVE-2018-15811.

CVE-2018-15812 dnnsoftware vulnerability CVSS: 5.0 03 Jul 2019, 17:15 UTC

DNN (aka DotNetNuke) 9.2 through 9.2.1 incorrectly converts encryption key source values, resulting in lower than expected entropy.

CVE-2018-15811 dnnsoftware vulnerability CVSS: 5.0 03 Jul 2019, 17:15 UTC

DNN (aka DotNetNuke) 9.2 through 9.2.1 uses a weak encryption algorithm to protect input parameters.

CVE-2018-14486 dnnsoftware vulnerability CVSS: 4.3 21 Mar 2019, 16:00 UTC

DNN (formerly DotNetNuke) 9.1.1 allows cross-site scripting (XSS) via XML.

CVE-2017-0929 dnnsoftware vulnerability CVSS: 5.0 03 Jul 2018, 21:29 UTC

DNN (aka DotNetNuke) before 9.2.0 suffers from a Server-Side Request Forgery (SSRF) vulnerability in the DnnImageHandler class. Attackers may be able to access information about internal network resources.

CVE-2017-9822 dnnsoftware vulnerability CVSS: 6.5 20 Jul 2017, 12:29 UTC

DNN (aka DotNetNuke) before 9.1.1 has Remote Code Execution via a cookie, aka "2017-08 (Critical) Possible remote code execution on DNN sites."

CVE-2015-2794 dnnsoftware vulnerability CVSS: 7.5 06 Feb 2017, 15:59 UTC

The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx.

CVE-2016-7119 dnnsoftware vulnerability CVSS: 3.5 31 Aug 2016, 14:59 UTC

Cross-site scripting (XSS) vulnerability in the user-profile biography section in DotNetNuke (DNN) before 8.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted onclick attribute in an IMG element.

CVE-2015-1566 dnnsoftware vulnerability CVSS: 4.3 09 Feb 2015, 17:59 UTC

Cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) before 7.4.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2013-7335 dnnsoftware vulnerability CVSS: 4.3 12 Mar 2014, 14:55 UTC

Open redirect vulnerability in DotNetNuke (DNN) before 6.2.9 and 7.x before 7.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

CVE-2013-4649 dnnsoftware vulnerability CVSS: 4.3 12 Mar 2014, 14:55 UTC

Cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) before 6.2.9 and 7.x before 7.1.1 allows remote attackers to inject arbitrary web script or HTML via the __dnnVariable parameter to the default URI.

CVE-2013-3943 dnnsoftware vulnerability CVSS: 3.5 12 Mar 2014, 14:55 UTC

Cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) before 6.2.9 and 7.x before 7.1.1 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to the Display Name field in the Manage Profile.

CVE-2012-1036 dnnsoftware vulnerability CVSS: 4.3 11 Apr 2012, 10:39 UTC

Cross-site scripting (XSS) vulnerability in the telerik HTML editor in DotNetNuke before 5.6.4 and 6.x before 6.1.0 allows remote attackers to inject arbitrary web script or HTML via a message.

CVE-2012-1030 dnnsoftware vulnerability CVSS: 4.3 11 Apr 2012, 10:39 UTC

Cross-site scripting (XSS) vulnerability in DotNetNuke 6.x through 6.0.2 allows user-assisted remote attackers to inject arbitrary web script or HTML via a crafted URL containing text that is used within a modal popup.

CVE-2010-4514 dnnsoftware vulnerability CVSS: 4.3 09 Dec 2010, 21:00 UTC

Cross-site scripting (XSS) vulnerability in Install/InstallWizard.aspx in DotNetNuke 5.05.01 and 5.06.00 allows remote attackers to inject arbitrary web script or HTML via the __VIEWSTATE parameter. NOTE: some of these details are obtained from third party information.

CVE-2009-4110 dnnsoftware vulnerability CVSS: 4.3 29 Nov 2009, 13:08 UTC

Cross-site scripting (XSS) vulnerability in the search functionality in DotNetNuke 4.8 through 5.1.4 allows remote attackers to inject arbitrary web script or HTML via search terms that are not properly filtered before display in a custom results page.

CVE-2009-4109 dnnsoftware vulnerability CVSS: 5.0 29 Nov 2009, 13:08 UTC

The install wizard in DotNetNuke 4.0 through 5.1.4 does not prevent anonymous users from accessing functionality related to determination of the need for an upgrade, which allows remote attackers to access version information and possibly other sensitive information.

CVE-2008-7102 dnnsoftware vulnerability CVSS: 7.5 27 Aug 2009, 20:30 UTC

DotNetNuke 2.0 through 4.8.4 allows remote attackers to load .ascx files instead of skin files, and possibly access privileged functionality, via unknown vectors related to parameter validation.

CVE-2008-7101 dnnsoftware vulnerability CVSS: 5.0 27 Aug 2009, 20:30 UTC

Unspecified vulnerability in DotNetNuke 4.0 through 4.8.4 and 5.0 allows remote attackers to obtain sensitive information (portal number) by accessing the install wizard page via unknown vectors.

CVE-2008-7100 dnnsoftware vulnerability CVSS: 6.5 27 Aug 2009, 20:30 UTC

Unspecified vulnerability in DotNetNuke 4.4.1 through 4.8.4 allows remote authenticated users to bypass authentication and gain privileges via unknown vectors related to a "unique id" for user actions and improper validation of a "user identity."

CVE-2009-1366 dnnsoftware vulnerability CVSS: 4.3 22 Apr 2009, 21:30 UTC

Cross-site scripting (XSS) vulnerability in Website\admin\Sales\paypalipn.aspx in DotNetNuke (DNN) before 4.9.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "name/value pairs" and "paypal IPN functionality."

CVE-2008-6733 dnnsoftware vulnerability CVSS: 4.3 21 Apr 2009, 18:30 UTC

Cross-site scripting (XSS) vulnerability in the error handling page in DotNetNuke 4.6.2 through 4.8.3 allows remote attackers to inject arbitrary web script or HTML via the querystring parameter.

CVE-2008-6732 dnnsoftware vulnerability CVSS: 4.3 21 Apr 2009, 18:30 UTC

Cross-site scripting (XSS) vulnerability in the Language skin object in DotNetNuke before 4.8.4 allows remote attackers to inject arbitrary web script or HTML via "newly generated paths."

CVE-2008-6644 dnnsoftware vulnerability CVSS: 4.3 07 Apr 2009, 14:17 UTC

Cross-site scripting (XSS) vulnerability in Default.aspx in DotNetNuke 4.8.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.

CVE-2008-6542 dnnsoftware vulnerability CVSS: 4.6 30 Mar 2009, 01:30 UTC

Unspecified vulnerability in the Skin Manager in DotNetNuke before 4.8.2 allows remote authenticated administrators to perform "server-side execution of application logic" by uploading a static file that is converted into a dynamic script via unknown vectors related to HTM or HTML files.

CVE-2008-6541 dnnsoftware vulnerability CVSS: 6.8 30 Mar 2009, 01:30 UTC

Unrestricted file upload vulnerability in the file manager module in DotNetNuke before 4.8.2 allows remote administrators to upload arbitrary files and gain privileges to the server via unspecified vectors.

CVE-2008-6540 dnnsoftware vulnerability CVSS: 5.1 30 Mar 2009, 01:30 UTC

DotNetNuke before 4.8.2, during installation or upgrade, does not warn the administrator when the default (1) ValidationKey and (2) DecryptionKey values cannot be modified in the web.config file, which allows remote attackers to bypass intended access restrictions by using the default keys.

CVE-2008-6399 dnnsoftware vulnerability CVSS: 6.4 05 Mar 2009, 20:30 UTC

Unspecified vulnerability in DotNetNuke 4.5.2 through 4.9 allows remote attackers to "add additional roles to their user account" via unknown attack vectors.

CVE-2006-4973 dnnsoftware vulnerability CVSS: 4.3 25 Sep 2006, 01:07 UTC

Cross-site scripting (XSS) vulnerability in Default.aspx in Perpetual Motion Interactive Systems DotNetNuke before 3.3.5, and 4.x before 4.3.5, allows remote attackers to inject arbitrary HTML via the error parameter.

CVE-2006-3601 dnnsoftware vulnerability CVSS: 10.0 18 Jul 2006, 15:37 UTC

** UNVERIFIABLE ** Unspecified vulnerability in an unspecified DNN Modules module for DotNetNuke (.net nuke) allows remote attackers to gain privileges via unspecified vectors, as used in an attack against the Microsoft France web site. NOTE: due to the lack of details and uncertainty about which product is affected, this claim is not independently verifiable.

CVE-2005-0040 dnnsoftware vulnerability CVSS: 4.3 19 May 2005, 04:00 UTC

Multiple cross-site scripting (XSS) vulnerabilities in DotNetNuke before 3.0.12 allow remote attackers to inject arbitrary web script or HTML via the (1) register a new user page, (2) User-Agent, or (3) Username, which is not properly quoted before sending to the error log.

CVE-2004-2324 dnnsoftware vulnerability CVSS: 7.5 31 Dec 2004, 05:00 UTC

SQL injection vulnerability in DotNetNuke (formerly IBuySpy Workshop) 1.0.6 through 1.0.10d allows remote attackers to modify the backend database via the (1) table and (2) field parameters in LinkClick.aspx.

CVE-2004-2323 dnnsoftware vulnerability CVSS: 5.0 31 Dec 2004, 05:00 UTC

DotNetNuke (formerly IBuySpy Workshop) 1.0.6 through 1.0.10d allows remote attackers to obtain sensitive information, including the SQL server username and password, via a GET request for source or configuration files such as Web.config.

CVE-2004-2325 dnnsoftware vulnerability CVSS: 4.3 31 Dec 2004, 05:00 UTC

Cross-site scripting (XSS) vulnerability in EditModule.aspx for DotNetNuke (formerly IBuySpy Workshop) 1.0.6 through 1.0.10d allows remote attackers to inject arbitrary web script or HTML.