GHSA-7rcc-q6rq-jpcm

Source
https://github.com/advisories/GHSA-7rcc-q6rq-jpcm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-7rcc-q6rq-jpcm/GHSA-7rcc-q6rq-jpcm.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-7rcc-q6rq-jpcm
Aliases
Published
2025-09-22T21:51:04Z
Modified
2025-09-23T19:38:06.391704Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Summary
DNN affected by Stored Cross-Site Scripting (XSS) in Profile Biography field
Details

Summary

Users can use special syntax to inject JavaScript code in their profile biography field. Although there was sanitization in place, it did not cover all possible scenarios.

Description

When embedding information in the Biography field, even if that field is not rich-text, users could inject JavaScript code that would run in the context of the website for any other user who can view the profile, including administrators and/or superusers.

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-22T21:51:04Z",
    "nvd_published_at": "2025-09-23T18:15:38Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

NuGet / DotNetNuke.Core

Package

Name
DotNetNuke.Core
Purl
pkg:nuget/DotNetNuke.Core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
10.1.0

Affected versions

6.*

6.0.0

7.*

7.0.0
7.0.6.121
7.1.0
7.1.2
7.2.0.613
7.3.0.499
7.3.1.20
7.4.0.353
7.4.1.280
7.4.2.216

8.*

8.0.0.809
8.0.1.239
8.0.2.4
8.0.3.5
8.0.4.226

9.*

9.0.0.1002
9.0.1.142
9.1.0.367
9.1.1.129
9.2.0.366
9.2.1.533
9.3.0
9.3.1
9.3.2
9.4.0
9.4.1
9.4.2
9.4.3
9.4.4
9.5.0
9.6.1
9.6.2
9.7.0
9.7.1
9.7.2
9.8.0
9.9.0
9.9.1
9.10.0
9.10.1
9.10.2
9.11.0
9.11.1
9.11.2
9.12.0
9.13.0-ci0000
9.13.0
9.13.1
9.13.2
9.13.3
9.13.4
9.13.5-ci0062
9.13.5
9.13.6
9.13.7-ci0064
9.13.7
9.13.8
9.13.9

10.*

10.0.0
10.0.1