Platform
dotnet
Component
dotnetnuke.core
Fixed in
10.1.1
10.1.0
CVE-2025-59545 is a critical Cross-Site Scripting (XSS) vulnerability affecting DotNetNuke.Core versions up to 9.9.1. This vulnerability arises from insufficient sanitization within the Prompt module, allowing attackers to inject malicious scripts. Successful exploitation can lead to session hijacking, data theft, and defacement of the website. A fix is available in version 10.1.0.
The vulnerability lies within the Prompt module, which allows execution of commands that can return raw HTML. While the application generally sanitizes user-submitted data, the Prompt module's ability to treat command output as HTML creates a bypass. An attacker can craft malicious input containing embedded scripts or harmful markup. This malicious content, when processed, can be executed in the context of the user's browser, potentially leading to the theft of session cookies, redirection to phishing sites, or even the execution of arbitrary JavaScript code on the affected website. The blast radius extends to all users interacting with the Prompt module, particularly those with administrative privileges.
CVE-2025-59545 was publicly disclosed on September 23, 2025. The CVSS score of 9.0 (CRITICAL) indicates a high probability of exploitation. While no public proof-of-concept (PoC) code has been widely released, the nature of XSS vulnerabilities makes it likely that PoCs will emerge. Monitor security advisories and threat intelligence feeds for updates.
Websites and applications utilizing DotNetNuke.Core versions 9.9.1 and earlier are at risk. This includes organizations relying on DotNetNuke for content management, particularly those with publicly accessible Prompt modules. Shared hosting environments using vulnerable DotNetNuke installations are also at increased risk due to the potential for cross-tenant exploitation.
• dotnet: Examine DotNetNuke application logs for unusual HTML output from the Prompt module. Use a debugger to trace the execution flow of the Prompt module and identify potential injection points.
• generic web: Use curl or wget to test the Prompt module with various payloads containing HTML tags and JavaScript code. Check the response headers for signs of script execution.
• generic web: Monitor access logs for requests containing suspicious HTML or JavaScript patterns targeting the Prompt module.
curl -X POST -d '<script>alert("XSS")</script>' https://your-dotnetnuke-site.com/prompt-module
Disclosure
Exploit status
EPSS
0.04% (13th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade DotNetNuke.Core to version 10.1.0 or later, which includes the necessary fixes. If immediate upgrading is not feasible, consider implementing a Web Application Firewall (WAF) rule to filter potentially malicious input targeting the Prompt module. Specifically, look for patterns indicative of HTML injection attempts. Thoroughly review and sanitize all user-supplied data within the Prompt module, ensuring that any HTML output is properly encoded. Monitor DotNetNuke logs for suspicious activity related to the Prompt module, such as unusual command executions or unexpected HTML output.
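The log monitoring suggested in the detection steps and in the mitigation paragraph above, as an added example that is not part of this advisory or of the DotNetNuke project: it scans constructed access-log lines, keeps only requests to the Prompt module path (the placeholder path from the curl command is assumed; the real path depends on your installation), URL-decodes the query repeatedly so double-encoded payloads are not missed, and flags HTML tags, event-handler attributes and javascript: URLs.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (date time method path query status); not real traffic.
SAMPLE_LOG = """\
2025-09-24 10:01:02 GET /prompt-module cmd=list-users 200
2025-09-24 10:01:09 GET /prompt-module cmd=%3Cscript%3Ealert(1)%3C/script%3E 200
2025-09-24 10:02:15 GET /Default.aspx tabid=55 200
2025-09-24 10:03:44 POST /prompt-module cmd=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E 200
2025-09-24 10:04:01 GET /prompt-module cmd=javascript%3Aalert(1) 200
"""

# Assumption: placeholder path from the advisory's curl example; adjust per site.
PROMPT_PATH = "/prompt-module"

# Coarse, case-insensitive markers of HTML/JS injection attempts.
INJECTION_PATTERNS = [
    re.compile(r"<\s*/?\s*[a-z][a-z0-9]*", re.I),       # any HTML tag
    re.compile(r"[\s\"'/]on[a-z]+\s*=", re.I),          # event handler attribute inside a tag
    re.compile(r"javascript\s*:", re.I),                # javascript: URL scheme
]

def normalize(value: str, max_rounds: int = 3) -> str:
    """URL-decode until stable (bounded) so double-encoded payloads are matched too."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_log(text: str) -> list:
    """Return one record per Prompt-module request whose decoded query matches a pattern."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than crash on them
        date, time, method, path, query = parts[:5]
        if not path.lower().startswith(PROMPT_PATH):
            continue
        decoded = normalize(query)
        matched = [p.pattern for p in INJECTION_PATTERNS if p.search(decoded)]
        if matched:
            hits.append({"time": f"{date} {time}", "method": method,
                         "decoded": decoded, "patterns": matched})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["method"], hit["decoded"])
```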
Update DNN to version 10.1.0 or later. This version contains a fix for the XSS vulnerability in the Prompt module. The update prevents execution of malicious script via commands that return unsanitized HTML.
CVE-2025-59545 is a critical Cross-Site Scripting (XSS) vulnerability in DotNetNuke.Core versions up to 9.9.1, allowing attackers to inject malicious scripts through the Prompt module.
Yes, if you are using DotNetNuke.Core version 9.9.1 or earlier, you are vulnerable to this XSS attack.
Upgrade DotNetNuke.Core to version 10.1.0 or later to resolve this vulnerability. Consider WAF rules as a temporary mitigation.
While no widespread exploitation has been confirmed, the high CVSS score and the nature of XSS vulnerabilities suggest a high probability of exploitation.
Refer to the official DotNetNuke security advisory for detailed information and updates regarding CVE-2025-59545.