CVE-2026-24833
BaseFortify
Publication date: 2026-01-28
Last updated on: 2026-02-04
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dnnsoftware | dotnetnuke | to 9.13.10 (exc) |
| dnnsoftware | dotnetnuke | From 10.0.0 (inc) to 10.2.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in DNN (DotNetNuke) allows a module to be installed with rich text in its description field that can contain scripts. These scripts can execute for users in the Persona Bar, potentially leading to harmful effects. The issue affects versions prior to 9.13.10 and, in the 10.x line, versions from 10.0.0 up to but not including 10.2.0; versions 9.13.10 and 10.2.0 contain the fix.
How can this vulnerability impact me?
The vulnerability can lead to the execution of malicious scripts within the Persona Bar for users, which can result in high impact on confidentiality, integrity, and availability of the system, as indicated by the CVSS score. This could allow attackers to compromise user sessions, steal sensitive information, or disrupt system operations.
What immediate steps should I take to mitigate this vulnerability?
Upgrade DNN (DotNetNuke) to version 9.13.10 or 10.2.0 or later, as these versions contain the fix for the vulnerability involving script execution in module descriptions.