{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24784", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-26T21:06:47.870Z", "datePublished": "2026-01-27T23:47:41.846Z", "dateUpdated": "2026-01-28T15:06:44.527Z"}, "containers": {"cna": {"title": "DotNetNuke.Core has a potential XSS vulnerability in modules' header and footer", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-jjwg-4948-6wxp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-jjwg-4948-6wxp"}], "affected": [{"vendor": "dnnsoftware", "product": "Dnn.Platform", "versions": [{"version": ">= 9.0.0, < 9.13.10", "status": "affected"}, {"version": ">= 10.0.0, < 10.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T23:47:41.846Z"}, "descriptions": [{"lang": "en", "value": "DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a content editor could inject scripts in module headers/footers that would run for other users. Versions 9.13.10 and 10.2.0 contain a fix for the issue."}], "source": {"advisory": "GHSA-jjwg-4948-6wxp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T15:06:32.703941Z", "id": "CVE-2026-24784", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T15:06:44.527Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "DotNetNuke.Core has a potential XSS vulnerability in modules' header and footer", "source": {"advisory": "GHSA-jjwg-4948-6wxp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "dnnsoftware", "product": "Dnn.Platform", "versions": [{"status": "affected", "version": ">= 9.0.0, < 9.13.10"}, {"status": "affected", "version": ">= 10.0.0, < 10.2.0"}]}], "references": [{"url": "https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-jjwg-4948-6wxp", "name": "https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-jjwg-4948-6wxp", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a content editor could inject scripts in module headers/footers that would run for other users. Versions 9.13.10 and 10.2.0 contain a fix for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T23:47:41.846Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24784", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T15:06:32.703941Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-01-28T15:06:39.588Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-24784", "state": "PUBLISHED", "dateUpdated": "2026-01-27T23:47:41.846Z", "dateReserved": "2026-01-26T21:06:47.870Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-27T23:47:41.846Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dnnsoftware:dotnetnuke:*:*:*:*:*:*:*:*", "matchCriteriaId": "702DB18F-9415-4782-97AD-BE8BB66C7D47", "versionEndExcluding": "9.13.10", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:dnnsoftware:dotnetnuke:*:*:*:*:*:*:*:*", "matchCriteriaId": "183DA3B3-D5F9-4C05-93A3-4B17DE048679", "versionEndExcluding": "10.2.0", "versionStartIncluding": "10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a content editor could inject scripts in module headers/footers that would run for other users. Versions 9.13.10 and 10.2.0 contain a fix for the issue."}], "id": "CVE-2026-24784", "lastModified": "2026-02-04T20:13:46.463", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-28T00:15:50.480", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-jjwg-4948-6wxp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T01:51:32.179085+00:00", "value": {"mitigation_remediation": ["Upgrade Dnn.Platform to at least version 9.13.10 or 10.2.0, which contain the vendor fix for the XSS flaw", "Restrict or remove editing permissions for module header and footer fields to trusted administrators, ensuring that only users with a legitimate need can modify these parts of a page", "Implement server\u2011side input filtering or sanitization to strip or encode script tags before storing header and footer content, mitigating the risk of accidental script insertion until a patch is applied"], "summary": {"action": "Patch Now", "impact": "Cross\u2011site scripting that allows injected scripts to run in browsers of other users, potentially enabling session hijacking or data theft"}, "threat_synthesis": {"affected_systems": "The issue affects the DnnSoftware Dnn.Platform product. Any installation from version 9.0.0 up to, but not including, 9.13.10 is vulnerable, as are any releases of the platform before version 10.2.0. Versions 9.13.10 and 10.2.0 contain the fix, and later releases are presumed unaffected.", "description_and_impact": "The vulnerability resides in DotNetNuke's handling of module headers and footers, enabling a content editor with write access to embed malicious scripts that are subsequently rendered for all other users who view the page. This cross\u2011site scripting flaw can lead to the execution of arbitrary code in victims' browsers, resulting in credential theft, phishing, or the compromise of the hosted site. The weakness is documented as CWE\u201179, indicating an unchecked ability to inject and execute script content.", "risk_and_exploitability": "The CVSS score of 6.8 denotes a moderate severity. The EPSS score is below 1\u202f%, indicating a very low probability of exploitation in the wild, and the vulnerability does not appear in CISA's KEV catalog. Exploitation requires a user with content\u2011editing privileges to inject script tags into module header or footer fields; once injected, the payload executes for all users who view the affected page. Given the necessity of privileged access and the relatively high effort compared to remote code execution, the overall risk is moderate but non\u2011negligible for sites that allow widespread editor access or are sensitive to data integrity and confidentiality concerns."}}}}, "created": "2026-01-28T12:21:48.114061+00:00", "updated": "2026-04-18T02:00:10.464135+00:00", "vendors": ["dnnsoftware", "dnnsoftware$PRODUCT$dnn_platform"]}