Platform: dotnet
Component: dotnetnuke.core
Fixed in: 10.1.0, 10.1.1
CVE-2025-59545 is a critical Cross-Site Scripting (XSS) vulnerability affecting DotNetNuke.Core versions up to 9.9.1. The Prompt module can return command output as raw HTML, and that output can carry user-controlled data that was never HTML-encoded, so an attacker can get script into the page rendered for whoever runs the command. Successful exploitation can lead to session hijacking, data theft and defacement of the website. A fix is available in version 10.1.0.
The vulnerability lies within the Prompt module, which executes commands whose results can be returned as raw HTML. The application otherwise encodes user-submitted data before rendering it, but any such data that flows into a command's result is emitted as markup, so the usual output encoding is bypassed. An attacker who can get malicious input into data that a Prompt command later displays can embed script or other harmful markup in it; when the command's output is rendered, that payload executes in the browser of the user running the command, in the origin of the affected site. That can mean theft of session cookies, redirection to phishing pages, or arbitrary actions performed with the victim's privileges. Because Prompt is an administrative console, the users who see the rendered output are precisely the privileged ones, which is what makes a low-complexity XSS rate as critical here.
CVE-2025-59545 was publicly disclosed on September 23, 2025. Its CVSS score of 9.0 (CRITICAL) reflects the severity of a successful attack, not its likelihood; the EPSS estimate of 0.04% (13th percentile) puts the probability of exploitation in the wild low at the time of writing. No public proof-of-concept (PoC) code has been widely released, but XSS issues of this kind are usually simple to weaponize once the affected code path is known, so schedule the upgrade rather than waiting for a PoC to appear. Monitor security advisories and threat-intelligence feeds for updates.
Exploit Status
EPSS: 0.04% (13th percentile)
The primary mitigation is to upgrade DotNetNuke.Core to version 10.1.0 or later, which includes the fix. If an immediate upgrade is not feasible: restrict access to the Prompt module to the smallest possible set of administrators; if you maintain custom Prompt commands (commands shipped by in-house or third-party modules), review them so that any user-controlled value they place into HTML output is HTML-encoded for its context (element text, attribute or script) rather than concatenated raw; and treat a Web Application Firewall (WAF) rule as a weak supplementary control only, because the malicious markup can already sit in stored data (a profile field or a page name, for instance) that a command later echoes, so filtering the Prompt request itself does not remove it. Monitor DotNetNuke logs for unusual Prompt activity, such as commands run by unexpected accounts or at unexpected times.
Update DNN to version 10.1.0 or higher. This release contains the fix for the XSS vulnerability in the Prompt module: command output that returns unsanitized HTML can no longer be used to execute script in the browser of the user running the command.
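The following C# program is an added illustration of the mechanism described above and of the encoding fix; it is not DNN's code and does not use the DNN Prompt API. The class and method names (`PromptOutputDemo`, `UserRow`, `RenderVulnerable`, `RenderHardened`) and the sample rows are constructed for the example. It models a command that lists users and returns an HTML table: the vulnerable renderer concatenates a user-editable field straight into the markup, so a stored payload becomes live HTML in the administrator's browser; the hardened renderer HTML-encodes every untrusted value first.

```csharp
// Added example, not DNN code: a Prompt-style command whose output is rendered as HTML.
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;

public static class PromptOutputDemo
{
    // Hypothetical record standing in for data a command might list.
    public sealed class UserRow
    {
        public int Id { get; }
        public string DisplayName { get; }
        public UserRow(int id, string displayName) { Id = id; DisplayName = displayName; }
    }

    // Constructed sample data: the second row carries a stored-XSS payload in a
    // field that an ordinary, non-administrative user can typically edit.
    public const string Payload = "<img src=x onerror=alert(document.cookie)>";

    public static readonly IReadOnlyList<UserRow> SampleRows = new List<UserRow>
    {
        new UserRow(1, "alice"),
        new UserRow(2, Payload),
    };

    // Vulnerable: raw concatenation. Because the Prompt output is treated as
    // HTML, the payload in DisplayName becomes live markup for whoever runs
    // the command, in the origin of the site.
    public static string RenderVulnerable(IEnumerable<UserRow> rows)
    {
        var sb = new StringBuilder("<table>");
        foreach (var r in rows)
        {
            sb.Append("<tr><td>").Append(r.Id).Append("</td><td>")
              .Append(r.DisplayName).Append("</td></tr>");
        }
        return sb.Append("</table>").ToString();
    }

    // Hardened: every untrusted value is HTML-encoded before it is placed in
    // element text. WebUtility.HtmlEncode escapes <, >, &, " and ', which is
    // the right encoding for element text and quoted attribute values; a value
    // placed inside a script block would need JavaScript-string encoding instead.
    public static string RenderHardened(IEnumerable<UserRow> rows)
    {
        var sb = new StringBuilder("<table>");
        foreach (var r in rows)
        {
            sb.Append("<tr><td>").Append(r.Id).Append("</td><td>")
              .Append(WebUtility.HtmlEncode(r.DisplayName)).Append("</td></tr>");
        }
        return sb.Append("</table>").ToString();
    }

    // Review check: does the rendered output still contain the payload as markup?
    public static bool LeaksMarkup(string html) => html.Contains(Payload);

    public static void Main()
    {
        string vulnerable = RenderVulnerable(SampleRows);
        string hardened = RenderHardened(SampleRows);

        Console.WriteLine("vulnerable output contains live <img>: " + LeaksMarkup(vulnerable));
        Console.WriteLine("hardened output contains live <img>:   " + LeaksMarkup(hardened));
        Console.WriteLine();
        Console.WriteLine(hardened);
    }
}
```

Run it with `dotnet run` in a console project; the first line prints `True` and the second `False`, and the hardened table shows the payload as visible text (`&lt;img src=x ...&gt;`) rather than as an element. The point for reviewers of custom Prompt commands is that the encoding has to be applied at the place where untrusted data meets markup, per context; a global input filter elsewhere in the application does not protect a code path that deliberately emits raw HTML.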
CVE-2025-59545 is a critical Cross-Site Scripting (XSS) vulnerability in DotNetNuke.Core versions up to 9.9.1, allowing attackers to inject malicious scripts through the Prompt module.
Sites running DotNetNuke.Core version 9.9.1 or earlier are affected by this XSS vulnerability.
Upgrade DotNetNuke.Core to version 10.1.0 or later to resolve this vulnerability. Consider WAF rules as a temporary mitigation.
No widespread exploitation has been confirmed, and the EPSS estimate (0.04%) is low. The CVSS score of 9.0 describes the impact of a successful attack, not its likelihood, so the practical guidance is to patch promptly rather than to assume active attacks.
Refer to the official DotNetNuke security advisory for detailed information and updates regarding CVE-2025-59545.