CVE-2025-32035

low-risk

Published 2025-04-08

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 9.13.2, when uploading files (e.g. when uploading assets), the file extension is checked to see if it's an allowed file type but the actual contents of the file aren't checked. This means that it's possible to e.g. upload an executable file renamed to be a .jpg. This file could then be executed by another security vulnerability. This vulnerability is fixed in 9.13.2.

Do I need to act?

0.07% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 2.6/10 Low

NETWORK / HIGH complexity

Affected Products (1)

Dotnetnuke

Affected Vendors

Dnnsoftware

References (2)

Patch https://github.com/dnnsoftware/Dnn.Platform/commit/a5c13c3836cfbde374dc19dac032c...

Vendor Advisory https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-8q89-mqw7-9...

/ 100

low-risk

Severity 10/34 · Low

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal