CVE-2025-64094: 
C# 脆弱性の分析と軽減

DNN (formerly DotNetNuke), an open-source web content management platform (CMS) in the Microsoft ecosystem, was found to have a vulnerability in versions prior to 10.1.1. The vulnerability (CVE-2025-64094) was discovered due to incomplete sanitization of uploaded SVG files content, which failed to cover all possible XSS scenarios. This issue exists as an incomplete fix for a previous vulnerability (CVE-2025-48378) (NVD, GitHub Advisory).

The vulnerability is classified as a stored cross-site scripting (XSS) issue with a CVSS v3.1 base score of 6.4 (Medium). The vulnerability stems from inadequate validation of SVG file contents, where the checks to prevent script elements within SVG files were not comprehensive. The technical assessment shows that while DNN implements validation for SVG files to ensure they are valid and free of malicious code, these checks could be bypassed due to their incomplete nature (GitHub Advisory, Miggo).

The vulnerability allows for the execution of arbitrary JavaScript code within the context of the user's browser. This can lead to various attacks, including data exfiltration, session hijacking, and web application defacement. The CVSS scoring indicates low impact on both confidentiality and integrity, with no impact on availability (GitHub Advisory).

The vulnerability has been fixed in DNN version 10.1.1. Users are advised to upgrade to this version or later to mitigate the risk. The fix implements more comprehensive validation checks for SVG file contents (NVD).