
CVE-2025-62802: DNN CKEditor Provider allows unauthenticated upload out-of-the-box

CVSS Score
4.3 (CVSS v3.1)

Basic Information

EPSS Score
0.17619%
Published
10/29/2025
Updated
10/29/2025
KEV Status
No
Technology
C#

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
Dnn.Platform | nuget | < 10.1.1 | 10.1.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability lies in the lack of authentication for endpoints responsible for file handling within the DNN CKEditor Provider. The security advisory and the patch make it clear that unauthenticated users could upload files. The patch addresses this by modifying the configuration to explicitly deny access to anonymous users for two specific endpoints: FileUploader.ashx and Browser.aspx.

FileUploader.ashx is an ASP.NET HTTP Handler, and its ProcessRequest method is the direct entry point for handling file upload requests. An attacker would exploit the vulnerability by sending a crafted request to this endpoint.

Browser.aspx is an ASP.NET page that provides a file browser. Its Page_Load method is executed every time the page is accessed. This page was also accessible to unauthenticated users and could be used as part of the exploit chain to browse or upload files.

By analyzing the source code of the application, I was able to confirm the exact class and method names associated with these endpoints. The vulnerable functions are therefore the methods that process requests for these unprotected endpoints, as they would be present in any runtime profile or stack trace during an exploit.
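As an added illustration of the configuration-level fix described above (this is example code written for this page, not the DNN patch or any code from the advisory), the checker below applies ASP.NET URL-authorization ordering to a constructed web.config and reports whether anonymous users can still reach the two endpoints. The endpoint paths are assumed deployed paths under the site root, and both sample configs are constructed.

```python
"""Audit an ASP.NET web.config for an explicit deny of anonymous users ("?")
on the two CKEditor Provider endpoints named in the analysis. Endpoint paths
are ASSUMED deployed paths; the sample configs are CONSTRUCTED for this
example and are not the DNN patch itself."""
import xml.etree.ElementTree as ET

# Assumed relative URL paths of the two endpoints under the DNN site root.
ENDPOINTS = [
    "Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx",
    "Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/Browser.aspx",
]

def anonymous_allowed(location):
    """ASP.NET URL authorization for an anonymous request: rules are evaluated
    in document order and the first matching rule wins; "?" matches anonymous
    users, "*" matches everyone, and role-based rules never match an anonymous
    user. With no matching rule, access falls through to the default: allow."""
    auth = next(location.iter("authorization"), None)
    if auth is None:
        return True
    for rule in auth:
        users = {u.strip() for u in rule.get("users", "").split(",")}
        if "?" in users or "*" in users:
            return rule.tag == "allow"
    return True

def audit(web_config_xml, endpoints=ENDPOINTS):
    """Return {endpoint: True if anonymous access is still possible}."""
    root = ET.fromstring(web_config_xml)
    locations = {loc.get("path", ""): loc for loc in root.findall("location")}
    return {ep: ep not in locations or anonymous_allowed(locations[ep])
            for ep in endpoints}

# Weak: the allow-all rule is evaluated first, so the deny never fires, and
# Browser.aspx has no <location> element at all.
WEAK = """<configuration>
  <location path="Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx">
    <system.web><authorization>
      <allow users="*"/><deny users="?"/>
    </authorization></system.web>
  </location>
</configuration>"""

# Fixed: anonymous users are denied on both endpoints before any allow rule.
FIXED = "<configuration>" + "".join(
    f'<location path="{ep}"><system.web><authorization>'
    '<deny users="?"/></authorization></system.web></location>'
    for ep in ENDPOINTS) + "</configuration>"
```

Running `audit()` over a real site's web.config (with the paths adjusted to the actual deployment) gives a quick post-upgrade check that the deny rules are present and ordered before any allow.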

Vulnerable functions

DNNConnect.CKEditorProvider.FileUploader.ProcessRequest
DNN Platform/Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx.cs
This function is the request handler for `FileUploader.ashx`, which is responsible for processing file uploads. Before the patch, this handler was accessible to unauthenticated users, allowing them to upload files to the server without authorization. The `ProcessRequest` method is the entry point that would be executed during an exploitation attempt.
DNNConnect.CKEditorProvider.Browser.Page_Load
DNN Platform/Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/Browser.aspx.cs
This function is the Page_Load event handler for the `Browser.aspx` page, which provides the file browser for CKEditor. Before the patch, this page was accessible to unauthenticated users. While the primary upload mechanism is likely `FileUploader.ashx`, this page could also contain functionality to initiate or facilitate file uploads, and its `Page_Load` event would be triggered on every access.

WAF Protection Rules

WAF Rule

### Summary
The out-of-box experience for HTML editing allows unauthenticated users to upload files. This opens a potential vector to other security issues and is not needed on most implementations.

### Details
The new out-of-box experience blocks t
