CVE-2025-64095: DNN Insufficient Access Control - Image Upload allows for Site Content Overwrite
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| DNN.PLATFORM | nuget | < 10.1.1 | 10.1.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability allows unauthenticated users to upload and overwrite files. The security advisory and the patch point to the CKEditor provider as the source of the vulnerability. The patch, found in commit 6497d3c35217e6e62e50d3ed7c8809eb69e3d06b, modifies the DNNConnect.CKEditorProvider.dnn manifest file to add authorization rules to the web.config. These rules deny anonymous users (<deny users="?" />) access to two specific endpoints: Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx and Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/Browser.aspx. This indicates that these two endpoints were the entry points for the vulnerable functionality.
FileUploader.ashx is an ASP.NET web handler. Its content (<%@ WebHandler Language="C#" CodeBehind="FileUploader.ashx.cs" Class="DNNConnect.CKEditorProvider.Browser.FileUploader" %>) shows that the class DNNConnect.CKEditorProvider.Browser.FileUploader handles the requests. The entry point for a web handler is the ProcessRequest method. This method processed file uploads without checking whether the user was authenticated.
Browser.aspx is an ASP.NET web page, likely a file browser. The patch also restricts access to this page. The entry point for an ASP.NET page is the Page_Load event. The class name is inferred to be DNNConnect.CKEditorProvider.Browser.Browser based on the file name and the namespace of the other class. This page likely contained functionality to manage files, which was accessible to unauthenticated users.
The vulnerable functions are the entry points of these two components, as they failed to perform the necessary authentication checks before allowing access to file management functionality.
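The rules the analysis describes are ordinary ASP.NET URL-authorization entries scoped to the two endpoint paths. The fragment below is an added illustration of what such rules look like once merged into a site's web.config; it is not the text of the DNN patch or manifest, and the `<allow users="*" />` lines are an assumption added to show rule ordering.

```xml
<!-- Illustrative web.config fragment (added example, not the project's patch text). -->
<configuration>
  <!-- Paths are relative to the application root. -->
  <location path="Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx">
    <system.web>
      <authorization>
        <!-- "?" is the ASP.NET token for anonymous (unauthenticated) users.
             Rules are evaluated top-down and the first match wins, so the
             deny must come BEFORE any allow for "*" (all users). -->
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/Browser.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

If the order were reversed (allow "*" first), the anonymous deny would never be reached and the upload and browser endpoints would remain reachable without authentication.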
Vulnerable functions
DNNConnect.CKEditorProvider.Browser.FileUploader.ProcessRequest in DNN Platform/Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx.cs
DNNConnect.CKEditorProvider.Browser.Browser.Page_Load in DNN Platform/Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/Browser.aspx.cs