{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24833", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-27T14:51:03.058Z", "datePublished": "2026-01-27T23:49:25.084Z", "dateUpdated": "2026-01-28T21:05:02.861Z"}, "containers": {"cna": {"title": "DotNetNuke.Core Vulnerable to Stored XSS in Module Description", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-9r3h-mpf8-25gj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-9r3h-mpf8-25gj"}], "affected": [{"vendor": "dnnsoftware", "product": "Dnn.Platform", "versions": [{"version": "< 9.13.10", "status": "affected"}, {"version": ">= 10.0.0, < 10.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T23:49:25.084Z"}, "descriptions": [{"lang": "en", "value": "DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, a module could install with richtext in its description field which could contain scripts that will run for user in the Persona Bar. Versions 9.13.10 and 10.2.0 contain a fix for the issue."}], "source": {"advisory": "GHSA-9r3h-mpf8-25gj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T21:04:54.593397Z", "id": "CVE-2026-24833", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T21:05:02.861Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24833", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-28T21:04:54.593397Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T21:04:58.493Z"}}], "cna": {"title": "DotNetNuke.Core Vulnerable to Stored XSS in Module Description", "source": {"advisory": "GHSA-9r3h-mpf8-25gj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "dnnsoftware", "product": "Dnn.Platform", "versions": [{"status": "affected", "version": "< 9.13.10"}, {"status": "affected", "version": ">= 10.0.0, < 10.2.0"}]}], "references": [{"url": "https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-9r3h-mpf8-25gj", "name": "https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-9r3h-mpf8-25gj", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, a module could install with richtext in its description field which could contain scripts that will run for user in the Persona Bar. Versions 9.13.10 and 10.2.0 contain a fix for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T23:49:25.084Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24833", "state": "PUBLISHED", "dateUpdated": "2026-01-28T21:05:02.861Z", "dateReserved": "2026-01-27T14:51:03.058Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-27T23:49:25.084Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dnnsoftware:dotnetnuke:*:*:*:*:*:*:*:*", "matchCriteriaId": "44A2C358-234E-40C4-BC42-942B1E8CB6BB", "versionEndExcluding": "9.13.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:dnnsoftware:dotnetnuke:*:*:*:*:*:*:*:*", "matchCriteriaId": "183DA3B3-D5F9-4C05-93A3-4B17DE048679", "versionEndExcluding": "10.2.0", "versionStartIncluding": "10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, a module could install with richtext in its description field which could contain scripts that will run for user in the Persona Bar. Versions 9.13.10 and 10.2.0 contain a fix for the issue."}], "id": "CVE-2026-24833", "lastModified": "2026-02-04T20:12:35.700", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-28T00:15:50.773", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-9r3h-mpf8-25gj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T14:43:56.111050+00:00", "value": {"mitigation_remediation": ["Apply the official patch by upgrading to DNN Platform 9.13.10 or later, or 10.2.0 or later, following the vendor\u2019s release notes.", "Verify that no existing modules contain script\u2011enabled descriptions; remove any scripts if found and test.", "Disable script execution in rich text editors by configuring the module's description field to allow only safe markup, and restrict privileged access to the Persona Bar."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "Vulnerable versions of DNN Platform (formerly DotNetNuke) are those before 9.13.10 for the 9.x series and before 10.2.0 for the 10.x series. The problem exists in the core platform code that renders module descriptions, affecting any site that uses the open\u2011source CMS in the Microsoft ecosystem.", "description_and_impact": "The issue originates from DNN modules that allow richtext in their description field, which can contain JavaScript that executes for any user who opens the module in the Persona Bar. This stored XSS can enable attackers to run arbitrary scripts in the victim\u2019s browser, steal session cookies, deface content, or perform further attacks against users of the CMS. The flaw is limited to the context of module description rendering and does not provide arbitrary code execution on the server.", "risk_and_exploitability": "The CVSS score of 7.7 categorizes the vulnerability as high severity. The EPSS score being less than 1% indicates a very low likelihood that it will be exploited in the wild, and the vulnerability is not yet listed in CISA\u2019s KEV catalog. Attackers would most commonly exploit the flaw by installing a malicious module or submitting a script\u2011laden description through a privileged content\u2011authoring interface. While broad system impact exists for any site that permits richtext in module descriptions, the risk is mitigated by access controls; mis\u2011configured or privileged users provide the necessary entry point."}}}}, "created": "2026-01-28T12:21:37.284498+00:00", "updated": "2026-04-18T14:45:03.151740+00:00", "vendors": ["dnnsoftware", "dnnsoftware$PRODUCT$dnn_platform"]}