DotNetNukeCore, Stored Cross-Site Scripting (XSS), GHSA-ffq7-898w-9jc4 (High)

Listen to this Post

  1. The vulnerability is a stored cross-site scripting (XSS) flaw in DotNetNuke.Core.
  2. It allows an attacker to upload a malicious SVG file to the DNN platform.
  3. The SVG file contains embedded JavaScript code within its XML structure.
  4. The application fails to properly sanitize or neutralize script content in uploaded SVGs.
  5. When the SVG is viewed by any user, the malicious script executes in their browser.
  6. This execution occurs in the context of the user’s session with the DNN application.
  7. Both authenticated and unauthenticated DNN users can be targeted by this attack.
  8. The impact is significantly higher if a power user or administrator views the SVG.
  9. The root cause is improper neutralization of input during web page generation (CWE-79).
  10. The vulnerability affects all DNN installations running versions prior to 10.2.2.
  11. A user with permission to upload image or SVG files can initiate the attack.
  12. No special privileges are needed beyond standard file upload capabilities.
  13. The uploaded SVG is stored persistently on the server, leading to a stored XSS.
  14. When other users browse content containing the SVG, the script is loaded and run.
  15. Attackers can craft SVGs using `script` tags or event handlers like onload.
  16. The script can steal session cookies, tokens, or perform actions on behalf of the user.
  17. For unauthenticated users, the script can still run if the SVG is publicly accessible.
  18. This vulnerability bypasses previous incomplete fixes for similar SVG XSS issues.
  19. The CVSS v3 base score is 8.0, indicating a high severity rating.
  20. A public proof-of-concept exploit is available, increasing the risk of active attacks.

DailyCVE Form

Platform: DotNetNuke.Core
Version: < 10.2.2
Vulnerability: Stored XSS via SVG
Severity: High
date: 2026-04-10

Prediction: Patch 2026-04-10

Analytics

What Undercode Say:

Check DNN version via PowerShell (Windows)
(Get-Command "DNN").FileVersionInfo.ProductVersion
Scan for vulnerable instances with Nmap
nmap -p 80 --script http-dnn-version <target>
Search for vulnerable packages in NuGet
Find-Package DotNetNuke.Core -AllVersions | Where-Object {$_.Version -lt "10.2.2"}
Audit .csproj files for the vulnerable package
grep -r "DotNetNuke.Core" .csproj
// C detection: verify package version in web.config
var version = ConfigurationManager.AppSettings["Version"];
if (Version.Parse(version) < new Version(10,2,2)) {
Console.WriteLine("Vulnerable to GHSA-ffq7-898w-9jc4");
}

Exploit

  1. Craft an SVG file containing malicious JavaScript, e.g.:
    ``
    2. Upload the SVG via any DNN file upload feature (e.g., editor, user profile).

3. Obtain the URL of the uploaded SVG.

  1. Trick a victim (authenticated or not) into viewing the SVG (e.g., via link or auto-load).
  2. The script executes in the victim’s browser, enabling session hijacking or data theft.

Protection from this CVE

  • Upgrade DotNetNuke.Core to version 10.2.2 or later immediately.
  • If patching is not possible, disable SVG file uploads entirely.
  • Implement a Web Application Firewall (WAF) rule to block suspicious SVG content.
  • Enforce Content Security Policy (CSP) to restrict script execution.
  • Regularly monitor security advisories for the Dnn.Platform ecosystem.

Impact

  • Session Hijacking: Stealing authentication cookies or tokens of any user who views the SVG.
  • Data Exfiltration: Extracting sensitive information from the victim’s browser session.
  • Privilege Escalation: If a power user is affected, the attacker can gain high-level access.
  • Defacement: Modifying the appearance of the web page for targeted users.
  • Credential Theft: Capturing login credentials through keylogging or fake forms.
  • Lateral Movement: Using the compromised session to attack internal systems.
  • Compliance Breach: Violating regulations like GDPR or HIPAA due to data leaks.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top