Listen to this Post
- The vulnerability is a stored cross-site scripting (XSS) flaw in DotNetNuke.Core.
- It allows an attacker to upload a malicious SVG file to the DNN platform.
- The SVG file contains embedded JavaScript code within its XML structure.
- The application fails to properly sanitize or neutralize script content in uploaded SVGs.
- When the SVG is viewed by any user, the malicious script executes in their browser.
- This execution occurs in the context of the user’s session with the DNN application.
- Both authenticated and unauthenticated DNN users can be targeted by this attack.
- The impact is significantly higher if a power user or administrator views the SVG.
- The root cause is improper neutralization of input during web page generation (CWE-79).
- The vulnerability affects all DNN installations running versions prior to 10.2.2.
- A user with permission to upload image or SVG files can initiate the attack.
- No special privileges are needed beyond standard file upload capabilities.
- The uploaded SVG is stored persistently on the server, leading to a stored XSS.
- When other users browse content containing the SVG, the script is loaded and run.
- Attackers can craft SVGs using `script` tags or event handlers like
onload. - The script can steal session cookies, tokens, or perform actions on behalf of the user.
- For unauthenticated users, the script can still run if the SVG is publicly accessible.
- This vulnerability bypasses previous incomplete fixes for similar SVG XSS issues.
- The CVSS v3 base score is 8.0, indicating a high severity rating.
- A public proof-of-concept exploit is available, increasing the risk of active attacks.
DailyCVE Form
Platform: DotNetNuke.Core
Version: < 10.2.2
Vulnerability: Stored XSS via SVG
Severity: High
date: 2026-04-10
Prediction: Patch 2026-04-10
Analytics
What Undercode Say:
Check DNN version via PowerShell (Windows)
(Get-Command "DNN").FileVersionInfo.ProductVersion
Scan for vulnerable instances with Nmap
nmap -p 80 --script http-dnn-version <target>
Search for vulnerable packages in NuGet
Find-Package DotNetNuke.Core -AllVersions | Where-Object {$_.Version -lt "10.2.2"}
Audit .csproj files for the vulnerable package
grep -r "DotNetNuke.Core" .csproj
// C detection: verify package version in web.config
var version = ConfigurationManager.AppSettings["Version"];
if (Version.Parse(version) < new Version(10,2,2)) {
Console.WriteLine("Vulnerable to GHSA-ffq7-898w-9jc4");
}
Exploit
- Craft an SVG file containing malicious JavaScript, e.g.:
``
2. Upload the SVG via any DNN file upload feature (e.g., editor, user profile).
3. Obtain the URL of the uploaded SVG.
- Trick a victim (authenticated or not) into viewing the SVG (e.g., via link or auto-load).
- The script executes in the victim’s browser, enabling session hijacking or data theft.
Protection from this CVE
- Upgrade DotNetNuke.Core to version 10.2.2 or later immediately.
- If patching is not possible, disable SVG file uploads entirely.
- Implement a Web Application Firewall (WAF) rule to block suspicious SVG content.
- Enforce Content Security Policy (CSP) to restrict script execution.
- Regularly monitor security advisories for the Dnn.Platform ecosystem.
Impact
- Session Hijacking: Stealing authentication cookies or tokens of any user who views the SVG.
- Data Exfiltration: Extracting sensitive information from the victim’s browser session.
- Privilege Escalation: If a power user is affected, the attacker can gain high-level access.
- Defacement: Modifying the appearance of the web page for targeted users.
- Credential Theft: Capturing login credentials through keylogging or fake forms.
- Lateral Movement: Using the compromised session to attack internal systems.
- Compliance Breach: Violating regulations like GDPR or HIPAA due to data leaks.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

