CVE-2020-37103
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-02-03

Last updated on: 2026-02-09

Assigner: VulnCheck

Description
DotNetNuke 9.5 contains a persistent cross-site scripting vulnerability that allows normal users to upload malicious XML files with executable scripts through journal tools. Attackers can upload XML files with XHTML namespace scripts to execute arbitrary JavaScript in users' browsers, potentially bypassing CSRF protections and performing more damaging attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-09
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-15
NVD
CVE-2020-37103
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dnnsoftware dotnetnuke to 9.5.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

[{'type': 'paragraph', 'content': "The vulnerability in DotNetNuke 9.5 is a persistent cross-site scripting (XSS) flaw that allows authenticated users to upload malicious XML files containing executable scripts. This can lead to arbitrary JavaScript execution in other users' browsers, potentially bypassing CSRF protections and enabling more damaging attacks."}, {'type': 'paragraph', 'content': 'While the provided information does not explicitly mention compliance with standards such as GDPR or HIPAA, vulnerabilities like persistent XSS can lead to unauthorized access or manipulation of user data, which may impact the confidentiality and integrity requirements mandated by these regulations.'}, {'type': 'paragraph', 'content': 'Therefore, organizations using affected versions of DotNetNuke may face increased risk of non-compliance with data protection regulations if this vulnerability is exploited, as it could facilitate data breaches or unauthorized actions within the application.'}] [2, 3]

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2020-37103 is a persistent cross-site scripting (XSS) vulnerability in DotNetNuke version 9.5. It allows authenticated users with limited privileges to upload malicious XML files containing executable scripts through the journal tools.'}, {'type': 'paragraph', 'content': 'These XML files use XHTML namespace scripts to execute arbitrary JavaScript in the browsers of other users who view the uploaded content.'}, {'type': 'paragraph', 'content': "This vulnerability arises from improper neutralization of input during web page generation, enabling attackers to inject scripts that run in other users' browsers."}, {'type': 'paragraph', 'content': 'The XSS can potentially bypass Cross-Site Request Forgery (CSRF) protections and enable more damaging attacks.'}] [2, 3]

Impact Analysis

This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript in the browsers of users who view the malicious XML files.

Such script execution can lead to bypassing CSRF protections, which may allow attackers to perform unauthorized actions on behalf of users.

More severe impacts include the potential upload of backdoor web shells by exploiting the vulnerability to upload ASPX files through the settings page, leading to server-side compromises.

Although authentication cookies are protected by the HttpOnly flag, preventing their theft, the vulnerability still enables client-side attacks and escalation to more damaging exploits.

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for the presence of malicious XML files uploaded via the journal tools in DotNetNuke 9.5. Specifically, look for XML files containing XHTML namespace scripts such as <script xmlns="http://www.w3.org/1999/xhtml"> which execute arbitrary JavaScript.'}, {'type': 'paragraph', 'content': 'Detection can involve inspecting user-uploaded XML files for suspicious script tags or namespaces that enable script execution.'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves authenticated users uploading malicious XML files, monitoring upload activity and scanning uploaded XML content for embedded scripts is recommended.'}, {'type': 'paragraph', 'content': 'No specific commands are provided in the available resources, but a general approach could include using command-line tools to search for suspicious XML files on the server, for example:'}, {'type': 'list_item', 'content': 'Using grep to find XML files containing the XHTML namespace script tag: grep -r \'<script xmlns="http://www.w3.org/1999/xhtml"\' /path/to/dnn/uploads'}, {'type': 'list_item', 'content': 'Reviewing web server logs for unusual POST requests to journal tools endpoints that handle XML uploads.'}] [2, 3]

Mitigation Strategies

Immediate mitigation steps include restricting or disabling the ability of normal users to upload XML files via the journal tools in DotNetNuke 9.5.

Applying input validation and sanitization to neutralize executable scripts in uploaded XML files is critical.

Updating DotNetNuke to a version later than 9.5 where this vulnerability is fixed is strongly recommended.

Monitoring and auditing user uploads and access to journal tools can help detect and prevent exploitation.

Additionally, consider implementing web application firewall (WAF) rules to block malicious XML payloads containing script tags.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2020-37103. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart