CVE-2025-48377: 
C# vulnerability analysis and mitigation

DNN (formerly DotNetNuke), an open-source web content management platform (CMS) in the Microsoft ecosystem, was found to contain a Cross-Site Scripting (XSS) vulnerability (CVE-2025-48377). The vulnerability was discovered and disclosed on May 23, 2025, affecting DNN Platform versions prior to 9.13.9. A specially crafted URL could be constructed to inject an XSS payload that is triggered by using some module actions (Wiz Database, GitHub Advisory).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation). The CVSS v4.0 score is 6.0 (Medium), with the vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N. This indicates that the vulnerability requires network access, low attack complexity, no special attack requirements, low privileges, and active user interaction to exploit (Wiz Database).

The vulnerability could allow attackers to execute malicious scripts in the context of the user's browser session when the user interacts with specially crafted module actions in edit mode. While the direct vulnerable system impact is rated as none for confidentiality, integrity, and availability, the subsequent system confidentiality impact is rated as high (Wiz Database).

The vulnerability has been fixed in DNN Platform version 9.13.9. Users are advised to upgrade to this version or later to mitigate the risk (Wiz Database, GitHub Advisory).