GHSA-m4hf-fxcg-cp34
Suggest an improvement- Source
- https://github.com/advisories/GHSA-m4hf-fxcg-cp34
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-m4hf-fxcg-cp34/GHSA-m4hf-fxcg-cp34.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-m4hf-fxcg-cp34
- Aliases
- Published
- 2025-05-23T16:58:08Z
- Modified
- 2025-05-23T19:11:03.395068Z
- Severity
-
- 6.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N CVSS Calculator
- Summary
- DNN allows Stored Cross-Site Scripting (XSS) with svg files rendered inline
- Details
-
Uploaded SVG files could contain scripts and if rendered inline those scripts could run allowing XSS attacks.
- Database specific
{ "github_reviewed_at": "2025-05-23T16:58:08Z", "severity": "MODERATE", "nvd_published_at": "2025-05-23T16:15:27Z", "github_reviewed": true, "cwe_ids": [ "CWE-79" ] }- References
Affected packages
NuGet / DotNetNuke.Core
Package
- Name
- DotNetNuke.Core
- View open source insights on deps.dev
- Purl
- pkg:nuget/DotNetNuke.Core
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed9.13.9
Affected versions
6.*
6.0.0
7.*
7.0.0
7.0.6.121
7.1.0
7.1.2
7.2.0.613
7.3.0.499
7.3.1.20
7.4.0.353
7.4.1.280
7.4.2.216
8.*
8.0.0.809
8.0.1.239
8.0.2.4
8.0.3.5
8.0.4.226
9.*
9.0.0.1002
9.0.1.142
9.1.0.367
9.1.1.129
9.2.0.366
9.2.1.533
9.3.0
9.3.1
9.3.2
9.4.0
9.4.1
9.4.2
9.4.3
9.4.4
9.5.0
9.6.1
9.6.2
9.7.0
9.7.1
9.7.2
9.8.0
9.9.0
9.9.1
9.10.0
9.10.1
9.10.2
9.11.0
9.11.1
9.11.2
9.12.0
9.13.0-ci0000
9.13.0
9.13.1
9.13.2
9.13.3
9.13.4
9.13.5-ci0062
9.13.5
9.13.6
9.13.7-ci0064
9.13.7
9.13.8