CVE-2025-32371

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. A url could be crafted to the DNN ImageHandler to render text from a querystring parameter. This text would display in the resulting image and a user that trusts the domain might think that the information is legitimate. This vulnerability is fixed in 9.13.4.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/dnnsoftware/Dnn.Platform/commit/5def7cc2e7931bb1041b21540bde99f96874a5a9	Patch
https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-2rrc-g594-rhqw	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:dnnsoftware:dotnetnuke:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-04-09 16:15

Updated : 2025-08-26 00:48

NVD link : CVE-2025-32371

Mitre link : CVE-2025-32371

CVE.ORG link : CVE-2025-32371

JSON object : View

Products Affected

dnnsoftware

dotnetnuke

CWE

CWE-451

User Interface (UI) Misrepresentation of Critical Information

{"id": "CVE-2025-32371", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2025-04-09T16:15:24.933", "references": [{"url": "https://github.com/dnnsoftware/Dnn.Platform/commit/5def7cc2e7931bb1041b21540bde99f96874a5a9", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-2rrc-g594-rhqw", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-451"}]}], "descriptions": [{"lang": "en", "value": "DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. A url could be crafted to the DNN ImageHandler to render text from a querystring parameter. This text would display in the resulting image and a user that trusts the domain might think that the information is legitimate. This vulnerability is fixed in 9.13.4."}, {"lang": "es", "value": "DNN (anteriormente DotNetNuke) es una plataforma de gesti\u00f3n de contenido web (CMS) de c\u00f3digo abierto del ecosistema de Microsoft. Se pod\u00eda manipular una URL para el ImageHandler de DNN para representar el texto de un par\u00e1metro de cadena de consulta. Este texto se mostrar\u00eda en la imagen resultante y un usuario que confiara en el dominio podr\u00eda pensar que la informaci\u00f3n es leg\u00edtima. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 9.13.4."}], "lastModified": "2025-08-26T00:48:09.823", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dnnsoftware:dotnetnuke:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E7A63998-2CDE-487E-993A-F8C6FF497F5B", "versionEndExcluding": "9.13.4"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}