
CVE-2025-64094: DNN vulnerable to stored cross-site-scripting (XSS) via SVG upload

CVSS Score (v3.1): 6.4

Basic Information

EPSS Score: 0.0692%
Published: 10/29/2025
Updated: 10/29/2025
KEV Status: No
Technology: C#

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| DotNetNuke.Core | nuget | < 10.1.1 | 10.1.1 |

Vulnerability Intelligence
Root Cause Analysis

The analysis of the security advisory and the associated commit clearly indicates that the vulnerability is a stored XSS in the SVG file upload functionality of DNN Platform. The commit 360256d4296e2b0d53ef004a877c3f80e91d0a73 directly addresses this issue by modifying the SvgFileChecker.cs file.

The core of the vulnerability is in the DotNetNuke.Services.FileSystem.Internal.SecurityCheckers.SvgFileChecker.Validate method. The original code used a simple and incomplete blacklist to check for malicious content, which could be easily bypassed. The patch replaces this with a robust allow-list approach, only permitting known-safe SVG elements and attributes. This change is the direct remediation for the vulnerability.

The FileManagerTests.cs file was also updated in the same commit to include a large number of new test cases with various XSS payloads in SVG files. These tests confirm that the FileManager.AddFile method is the entry point that triggers the validation, and that the changes in SvgFileChecker.Validate are intended to prevent these malicious files from being uploaded. Therefore, the Validate function is identified as the vulnerable function.

Vulnerable functions

DotNetNuke.Services.FileSystem.Internal.SecurityCheckers.SvgFileChecker.Validate
DNN Platform/Library/Services/FileSystem/Internal/SecurityCheckers/SvgFileChecker.cs
The vulnerability lies in the `Validate` method, which is responsible for sanitizing SVG files upon upload. The original implementation used a weak blacklist that only checked for the presence of `<script>` tags and attributes starting with `on`. This left the application vulnerable to various XSS payloads that use other elements or event handlers. The patch replaces this insecure blacklist with a much stricter allow-list of known safe SVG elements, and also makes the attribute check case-insensitive, effectively mitigating the stored XSS vulnerability.
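
The difference between the two checks described above, as an added C# example that is not DNN's code and is not taken from the commit. The class and method names, the short element allow-list and the sample SVG strings are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Xml;
using System.Xml.Linq;

static class SvgCheckDemo
{
    // Assumed, deliberately short allow-list; a production list needs review.
    static readonly HashSet<string> AllowedElements =
        new(StringComparer.Ordinal) { "svg", "g", "path", "rect", "circle", "title" };

    // Parses the upload and applies a per-element predicate to every element.
    static bool Check(string svg, Func<XElement, bool> ok)
    {
        // DTDs are refused so entity expansion never reaches the checks.
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        try
        {
            using var reader = XmlReader.Create(new StringReader(svg), settings);
            return XDocument.Load(reader).Descendants().All(ok);
        }
        catch (XmlException) { return false; } // unparseable input is rejected
    }

    static bool HasHandler(XElement e, StringComparison cmp) =>
        e.Attributes().Any(a => a.Name.LocalName.StartsWith("on", cmp));
    // Model of the original check: only <script> and case-sensitive "on*" attributes.
    public static bool DenyListValidate(string svg) => Check(svg, e =>
        e.Name.LocalName != "script" && !HasHandler(e, StringComparison.Ordinal));

    // Model of the patched check: element allow-list plus case-insensitive "on*" test.
    public static bool AllowListValidate(string svg) => Check(svg, e =>
        AllowedElements.Contains(e.Name.LocalName) && !HasHandler(e, StringComparison.OrdinalIgnoreCase));

    static void Main()
    {
        const string ns = "xmlns=\"http://www.w3.org/2000/svg\"";
        var samples = new[] // constructed inputs with inert placeholder values
        {
            $"<svg {ns}><rect width=\"1\" height=\"1\"/></svg>",
            $"<svg {ns}><unlisted-element/></svg>",
            $"<svg {ns} ONLOAD=\"placeholder\"/>",
        };
        foreach (var s in samples)
            Console.WriteLine($"deny-list={DenyListValidate(s)} allow-list={AllowListValidate(s)}  {s}");
    }
}
```

Both checks accept the first sample; only the allow-list check rejects the element it does not recognise and the upper-case handler attribute.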
