CVE-2020-37103

MEDIUM

DotNetNuke < 9.5.0 - Persistent Cross-Site Scripting via Journal XML File Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37103. PoCs published by Sajjad Pourali.

AI-analyzed exploit summary: This exploit demonstrates a persistent XSS vulnerability in DotNetNuke 9.5 by uploading a malicious XML file containing XHTML script tags. The PoC shows how an attacker can execute arbitrary JavaScript in the context of a user's browser session.

Description

DotNetNuke 9.5 contains a persistent cross-site scripting vulnerability that allows normal users to upload malicious XML files with executable scripts through journal tools. Attackers can upload XML files with XHTML namespace scripts to execute arbitrary JavaScript in users' browsers, potentially bypassing CSRF protections and performing more damaging attacks.

Exploits (1)

exploitdb · WORKING POC
by Sajjad Pourali · text · webapps · aspx
https://www.exploit-db.com/exploits/48124

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: DotNetNuke <= 9.5
Auth required
Prerequisites: User authentication · Access to the journal tools in the user profile
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Product: http://dnnsoftware.com/
Exploit, Third Party Advisory, VDB Entry: https://www.exploit-db.com/exploits/48124

Scores

CVSS v3 6.4
EPSS 0.0029
EPSS Percentile 20.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE: CWE-79
Status published
Products (2)
Dnnsoftware/DotNetNuke < 9.5
dnnsoftware/dotnetnuke < 9.5.0
Published Feb 03, 2026
Tracked Since Feb 18, 2026