CVE-2025-59547
BaseFortify
Publication date: 2025-09-23
Last updated on: 2025-09-29
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dnnsoftware | dotnetnuke | to 10.1.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-176 | The product does not properly handle when an input contains Unicode encoding. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in DNN's CKEditor file upload endpoint prior to version 10.1.0. It involves insufficient sanitization of filenames, allowing an attacker to upload files with specially crafted Unicode characters. These characters can be translated into paths that expose internal network resources of the hosted site, potentially allowing unauthorized probing of network endpoints.
How can this vulnerability impact me? :
The vulnerability can allow an attacker to probe and potentially access internal network resources of the hosted site by uploading files with crafted filenames. This could lead to unauthorized information disclosure about the internal network structure, which might be leveraged for further attacks.
What immediate steps should I take to mitigate this vulnerability?
Upgrade DNN (DotNetNuke) to version 10.1.0 or later, as this version includes a patch that fixes the insufficient sanitization of filenames in the CKEditor file upload endpoint. Until the upgrade can be applied, consider restricting or monitoring file uploads to the CKEditor endpoint to prevent exploitation.