CVE-2025-48376: 
C# vulnerability analysis and mitigation

DNN (formerly DotNetNuke), an open-source web content management platform in the Microsoft ecosystem, was found to contain a security vulnerability identified as CVE-2025-48376. The vulnerability was discovered and disclosed on May 23, 2025, affecting versions prior to 9.13.9. The issue allows a malicious SuperUser (Host) to craft a request to use an external URL for a site export that could then be imported (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 3.5 (Low severity) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L. This indicates that the vulnerability requires network access, has low attack complexity, requires high privileges (SuperUser access), and needs user interaction. The vulnerability is classified as CWE-841 (Improper Enforcement of Behavioral Workflow) (NVD, GitHub Advisory).

The vulnerability has low impact on both integrity and availability of the system, with no direct impact on confidentiality. The scope is unchanged, meaning the vulnerability can only affect resources managed by the same security authority (GitHub Advisory).

The vulnerability has been patched in version 9.13.9 of the DNN Platform. Users are advised to upgrade to this version or later to mitigate the security risk. The fix includes refined validation of portal import functionality (GitHub Commit).