CVE-2020-37103

EUVD-2020-30988
DotNetNuke 9.5 contains a persistent cross-site scripting vulnerability that allows normal users to upload malicious XML files with executable scripts through journal tools. Attackers can upload XML files with XHTML namespace scripts to execute arbitrary JavaScript in users' browsers, potentially bypassing CSRF protections and performing more damaging attacks.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
VulnCheckCNA
6.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 14%
Affected Products (NVD)
VendorProductVersion
dnnsoftwaredotnetnuke
𝑥
≤ 9.5.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://dnnsoftware.com/
https://medium.com/@SajjadPourali/dnn-dotnetnuke-cms-not-as-secure-as-you-think-e8516f789175
https://www.exploit-db.com/exploits/48124
https://www.vulncheck.com/advisories/dotnetnuke-persistent-cross-site-scripting