GHSA-hmvq-8p83-cq52
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hmvq-8p83-cq52
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-hmvq-8p83-cq52/GHSA-hmvq-8p83-cq52.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-hmvq-8p83-cq52
- Aliases
- Published
- 2025-10-29T21:47:49Z
- Modified
- 2025-10-29T22:16:47.181312Z
- Severity
-
- 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- DNN vulnerable to stored cross-site-scripting (XSS) via SVG upload
- Details
-
Summary
Sanitization of the content of uploaded SVG files was not covering all possible XSS scenarios.
Details
DNN validates the contents of SVG's to ensure they are valid and do not contain any malicious code. These checks were introduced as part of
CVE-2025-48378.However, the checks to ensure there are no script elements within the SVG files are not comprehensive and may allow some malicious SVG files to be uploaded.
As this vulnerability allows for the execution of arbitrary JavaScript code within the context of the user's browser, it can lead to a range of attacks, including data exfiltration, session hijacking, and defacement of the web application to name a few.
- Database specific
{ "github_reviewed": true, "cwe_ids": [ "CWE-79" ], "github_reviewed_at": "2025-10-29T21:47:49Z", "nvd_published_at": "2025-10-28T22:15:38Z", "severity": "MODERATE" }- References
Affected packages
NuGet / DotNetNuke.Core
Package
- Name
- DotNetNuke.Core
- View open source insights on deps.dev
- Purl
- pkg:nuget/DotNetNuke.Core
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed10.1.1
Affected versions
6.*
6.0.0
7.*
7.0.0
7.0.6.121
7.1.0
7.1.2
7.2.0.613
7.3.0.499
7.3.1.20
7.4.0.353
7.4.1.280
7.4.2.216
8.*
8.0.0.809
8.0.1.239
8.0.2.4
8.0.3.5
8.0.4.226
9.*
9.0.0.1002
9.0.1.142
9.1.0.367
9.1.1.129
9.2.0.366
9.2.1.533
9.3.0
9.3.1
9.3.2
9.4.0
9.4.1
9.4.2
9.4.3
9.4.4
9.5.0
9.6.1
9.6.2
9.7.0
9.7.1
9.7.2
9.8.0
9.9.0
9.9.1
9.10.0
9.10.1
9.10.2
9.11.0
9.11.1
9.11.2
9.12.0
9.13.0-ci0000
9.13.0
9.13.1
9.13.2
9.13.3
9.13.4
9.13.5-ci0062
9.13.5
9.13.6
9.13.7-ci0064
9.13.7
9.13.8
9.13.9
10.*
10.0.0
10.0.1
10.1.0