
Description

DotNetNuke 9.5 contains a persistent cross-site scripting vulnerability that allows normal users to upload malicious XML files with executable scripts through journal tools. Attackers can upload XML files with XHTML namespace scripts to execute arbitrary JavaScript in users' browsers, potentially bypassing CSRF protections and performing more damaging attacks.

PUBLISHED Reserved 2026-02-01 | Published 2026-02-03 | Updated 2026-02-06 | Assigner VulnCheck




MEDIUM: 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
MEDIUM: 6.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Any version: affected

Credits

Sajjad Pourali (finder)

References

www.exploit-db.com/exploits/48124 (ExploitDB-48124) exploit

dnnsoftware.com/ (DotNetNuke Official Vendor Homepage) product

medium.com/...ke-cms-not-as-secure-as-you-think-e8516f789175 (Vulnerability Analysis Blog Post) technical-description

www.vulncheck.com/...netnuke-persistent-cross-site-scripting (VulnCheck Advisory: DotNetNuke 9.5 - Persistent Cross-Site Scripting) third-party-advisory

cve.org (CVE-2020-37103)

nvd.nist.gov (CVE-2020-37103)
