Listen to this Post
The vulnerability exists within the `ContentPane.InjectHeaderFooter` method of the DotNetNuke (DNN) platform. This method is responsible for injecting user-supplied header and footer content into the rendered HTML output of a module. When a user with content editing privileges, such as a module editor, saves content for a module’s header or footer, the input is not properly sanitized or encoded before being persisted to the database. The platform trusts this stored data when it is later retrieved for display. During page rendering for other users, the unescaped header/footer content is directly injected into the HTML stream via methods like `LiteralControl` or by being written to the response. This lack of contextual output encoding on the client-side allows any JavaScript payloads entered by the malicious editor to be executed in the browser of any subsequent user viewing that module, leading to a stored Cross-Site Scripting attack. The attack is contextual within the HTML page, meaning scripts injected into the header or footer sections execute with the full privilege of the current page session.
Platform: DotNetNuke (DNN)
Version: 9.0.0-9.13.9
Vulnerability : Stored XSS
Severity: Moderate
date: 2026-01-28
Prediction: Patched 2026-01-28
What Undercode Say:
Find potentially vulnerable code patterns in custom modules find /path/to/dnn/ -name ".ascx" -o -name ".cs" | xargs grep -l "InjectHeaderFooter|.Header|.Footer" Check installed DNN platform version cat /path/to/dnn/bin/DotNetNuke.dll.config | grep -i version
// Simplified vulnerable pattern (example) string userHeader = GetStoredUserHeader(moduleId); this.myLiteralControl.Text = userHeader; // Direct assignment without encode
How Exploit:
1. Attacker with edit privileges logs into DNN.
- Edits a module, inserts `` into header field.
3. Saves module settings.
4. Victim user visits page containing the module.
- Malicious script executes in victim’s browser, stealing session cookies.
Protection from this CVE
Update to patched versions DNN Platform 9.13.10 or 10.2.0.
Implement strict input validation rejecting HTML/script in header/footer fields.
Apply proper output encoding using `System.Web.Security.AntiXss.HtmlEncode()` or `HttpUtility.HtmlEncode()` before rendering any user-controlled data to the response.
Impact:
Session Hijacking
Data Theft
Unauthorized Actions
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

