{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2020-37103","assignerOrgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","state":"PUBLISHED","assignerShortName":"VulnCheck","dateReserved":"2026-02-01T13:16:06.489Z","datePublished":"2026-02-03T16:52:42.523Z","dateUpdated":"2026-03-05T01:27:59.294Z"},"containers":{"cna":{"providerMetadata":{"orgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","shortName":"VulnCheck","dateUpdated":"2026-03-05T01:27:59.294Z"},"datePublic":"2020-02-23T00:00:00.000Z","title":"DotNetNuke 9.5 - Persistent Cross-Site Scripting","descriptions":[{"lang":"en","value":"DotNetNuke 9.5 contains a persistent cross-site scripting vulnerability that allows normal users to upload malicious XML files with executable scripts through journal tools. Attackers can upload XML files with XHTML namespace scripts to execute arbitrary JavaScript in users' browsers, potentially bypassing CSRF protections and performing more damaging attacks."}],"problemTypes":[{"descriptions":[{"lang":"en","description":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","cweId":"CWE-79","type":"CWE"}]}],"affected":[{"vendor":"Dnnsoftware","product":"DotNetNuke","versions":[{"status":"affected","versionType":"semver","version":"0","lessThanOrEqual":"9.5"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:dnnsoftware:dotnetnuke:*:*:*:*:*:*:*:*","versionEndIncluding":"9.5"}]}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":5.1,"baseSeverity":"MEDIUM","exploitMaturity":"NOT_DEFINED","privilegesRequired":"LOW","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","userInteraction":"PASSIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS"},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.4,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N","version":"3.1"},"format":"CVSS"}],"references":[{"url":"https://www.exploit-db.com/exploits/48124","name":"ExploitDB-48124","tags":["exploit"]},{"url":"http://dnnsoftware.com/","name":"DotNetNuke Official Vendor Homepage","tags":["product"]},{"url":"https://medium.com/@SajjadPourali/dnn-dotnetnuke-cms-not-as-secure-as-you-think-e8516f789175","name":"Vulnerability Analysis Blog Post","tags":["technical-description"]},{"name":"VulnCheck Advisory: DotNetNuke 9.5 - Persistent Cross-Site Scripting","tags":["third-party-advisory"],"url":"https://www.vulncheck.com/advisories/dotnetnuke-persistent-cross-site-scripting"}],"credits":[{"lang":"en","value":"Sajjad Pourali","type":"finder"}],"x_generator":{"engine":"vulncheck"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-02-06T20:12:29.294499Z","id":"CVE-2020-37103","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-06T20:12:36.575Z"}}]}}