CVE-2025-52485: 
C# vulnerability analysis and mitigation

DNN (formerly DotNetNuke), an open-source web content management platform (CMS) in the Microsoft ecosystem, has been found to contain a cross-site scripting vulnerability (CVE-2025-52485). The vulnerability affects versions 6.0.0 to before 10.0.1, where DNN.PLATFORM allows a specially crafted request to inject scripts in the Activity Feed Attachments endpoint which will then render in the feed. This vulnerability was disclosed on June 20, 2025, and has been patched in version 10.0.1 (GitHub Advisory).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified as CWE-79. According to the CVSS v4.0 scoring system, it received a moderate severity rating with a score of 6.1. The attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring low privileges (PR:L) and passive user interaction (UI:P). The vulnerability has no direct impact on the vulnerable system's confidentiality (VC:N), integrity (VI:N), or availability (VA:N), but has a high subsequent system confidentiality impact (SC:H) (GitHub Advisory).

The vulnerability allows attackers to inject malicious scripts through the Activity Feed Attachments endpoint, which then execute when users view the feed. This could potentially lead to unauthorized access to user data, session hijacking, or other malicious actions performed in the context of the affected users' sessions (GitHub Advisory).

The vulnerability has been patched in DNN.PLATFORM version 10.0.1. Users are strongly advised to upgrade to this version or later to protect against this security issue (GitHub Advisory).