Valadas

**Name of the Vulnerable Software and Affected Versions** DNN (formerly DotNetNuke) versions 9.0.0 through 9.13.9 DNN (formerly DotNetNuke) versions 10.0.0 through 10.1.x **Description** DNN (formerly DotNetNuke) is an open-source web content management platform. A content editor could inject scripts into module headers or footers, which would then execute for other users. **Recommendations** Update to version 9.13.10 or later. Update to version 10.2.0 or later.

**Name of the Vulnerable Software and Affected Versions** DNN (formerly DotNetNuke) versions prior to 10.1.0 **Description** DNN is an open-source web content management platform. The CKEditor file upload endpoint lacks sufficient filename sanitization, potentially allowing network endpoint probing. A crafted request can upload a file with Unicode characters, which could translate into a path exposing internal network resources. The issue affects the `/api/v1/upload` endpoint. The `filename` parameter is vulnerable. **Recommendations** Update to version 10.1.0 or later.

Name of the Vulnerable Software and Affected Versions: DNN (formerly DotNetNuke) versions 7.0.0 through 10.0.0 Description: The issue allows a specially crafted request or proxy to bypass the design of DNN Login IP Filters, enabling login attempts from IP addresses not in the allow list. This has been patched in version 10.0.1. Recommendations: For versions 7.0.0 through 10.0.0, update to version 10.0.1 to resolve the issue. As a temporary workaround, consider restricting access to the DNN Login IP Filters to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: DNN (formerly DotNetNuke) versions 6.0.0 through 10.0.0 Description: The issue concerns the DNN (formerly DotNetNuke) platform, which is an open-source web content management platform in the Microsoft ecosystem. It allows specially crafted content in URLs to be used with TokenReplace and not be properly sanitized by some SkinObjects. Recommendations: For versions 6.0.0 through 10.0.0, update to version 10.0.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** DNN (formerly DotNetNuke) versions prior to 9.13.9 **Description** The issue concerns the DNN (formerly DotNetNuke) open-source web content management platform, which is part of the Microsoft ecosystem. In affected versions, uploaded SVG files could contain scripts. If these SVG files are rendered inline, the scripts could run, allowing cross-site scripting (XSS) attacks. **Recommendations** For versions prior to 9.13.9, update to version 9.13.9 to resolve the issue. As a temporary workaround, consider restricting the upload of SVG files or disabling the rendering of SVG files inline until the update can be applied.

Name of the Vulnerable Software and Affected Versions: DNN (formerly DotNetNuke) versions prior to 9.13.8 Description: The issue concerns a possible denial of service that can be triggered by submitting specially crafted information in the public registration form. Recommendations: For versions prior to 9.13.8, update to version 9.13.8 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: DNN (formerly DotNetNuke) versions 6.0.0 through 10.0.0 Description: The issue allows a specially crafted request to inject scripts in the "Activity Feed Attachments" endpoint, which will then render in the feed, resulting in a cross-site scripting attack. Recommendations: For versions 6.0.0 through 10.0.0, update to version 10.0.1 to resolve the issue. As a temporary workaround, consider restricting access to the "Activity Feed Attachments" endpoint until the update is applied.

**Name of the Vulnerable Software and Affected Versions** DNN (formerly DotNetNuke) versions prior to 9.13.9 **Description** A malicious SuperUser (Host) could craft a request to use an external URL for a site export to then be imported. This issue is related to the DNN (formerly DotNetNuke) open-source web content management platform (CMS) in the Microsoft ecosystem. **Recommendations** For versions prior to 9.13.9, update to version 9.13.9 to resolve the issue.