CVE-2019-12562

MEDIUM

Dnnsoftware Dotnetnuke < 9.4.0 - XSS

Title source: rule

Description

Stored Cross-Site Scripting in DotNetNuke (DNN) Version before 9.4.0 allows remote attackers to store and embed the malicious script into the admin notification page. The exploit could be used to perfom any action with admin privileges such as managing content, adding users, uploading backdoors to the server, etc. Successful exploitation occurs when an admin user visits a notification page with stored cross-site scripting.

Exploits (2)

nomisec WORKING POC 8 stars

by MAYASEVEN · poc

https://github.com/MAYASEVEN/CVE-2019-12562

View Code ZIP pw:eip

exploitdb WORKING POC

by MaYaSeVeN · pythonwebappsmultiple

https://www.exploit-db.com/exploits/47448

View Code ZIP pw:eip

References (2)

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/154673/DotNetNuke-Cross-Site-Scripting.html

[Exploit, Third Party Advisory] https://mayaseven.com/cve-2019-12562-stored-cross-site-scripting-in-dotnetnuke-dnn-version-v9-3-2/

Scores

CVSS v3 6.1

EPSS 0.3867

EPSS Percentile 97.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Classification

CWE

CWE-79

Status published

Affected Products (2)

dnnsoftware/dotnetnuke < 9.4.0

nuget/DotNetNuke.Core < 9.4.0NuGet

Timeline

Published Sep 26, 2019

Tracked Since Feb 18, 2026