DEV Community

CVE Reports

Originally published at cvereports.com


GHSA-FFQ7-898W-9JC4: Stored Cross-Site Scripting via SVG Upload in DotNetNuke

Vulnerability ID: GHSA-FFQ7-898W-9JC4
CVSS v4.0 Score: 6.1 (Medium)
Published: 2026-04-10

DotNetNuke (DNN) suffers from a stored Cross-Site Scripting (XSS) vulnerability, rated CVSS 6.1 (medium), caused by inadequate sanitization of Scalable Vector Graphics (SVG) files at upload time. SVG is an XML format that may legitimately contain <script> elements, event-handler attributes such as onload, and javascript: hrefs, so an SVG that is stored unmodified and later served from the site's own origin is effectively a stored HTML document. An authenticated user with file upload permission can upload such a file; when another user, including an administrator, opens it directly in the browser (an SVG referenced from an <img> tag does not run scripts), the embedded JavaScript executes in the security context of the DNN application.

TL;DR

DNN 10.x before 10.2.2 and 9.x before 9.13.9 store uploaded SVG files without sanitizing them, so an attacker with upload rights can persist JavaScript inside what looks like an image. When an administrator opens the file in the browser, the script runs in the administrator's session, enabling session hijacking and account takeover.


⚠️ Exploit Status: Proof of Concept

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network
  • CVSS v4.0: 6.1
  • Privileges Required: Low
  • User Interaction: Required
  • Exploit Status: Proof of Concept

Affected Systems

  • DotNetNuke.Core (NuGet, 10.x branch): >= 10.0.0, < 10.2.2 (fixed in 10.2.2)
  • Dnn.Platform (NuGet, 9.x branch): < 9.13.9 (fixed in 9.13.9)
  • Web applications that depend on either vulnerable NuGet package

Mitigation Strategies

  • Upgrade DNN to 10.2.2 (10.x branch) or 9.13.9 (9.x branch).
  • Restrict file upload privileges to trusted roles; any user who can upload can plant the payload.
  • Remove svg from the global allowed file extensions list until the upgrade is applied.
  • Treat WAF rules as defense in depth only: a rule that inspects multipart form data for <script> tags misses event-handler attributes (onload, onclick), javascript: hrefs, <foreignObject> wrappers and character-reference encoding, all of which are valid SVG/XML.
  • Where possible, serve user-uploaded files from a separate origin or with a restrictive Content-Security-Policy, so that a script inside an uploaded file cannot act on the DNN application's session.

Remediation Steps:

  1. Log into the DNN Host or SuperUser account.
  2. Navigate to Host Settings > Other Settings > Allowable File Extensions.
  3. Remove 'svg' from the list of allowed extensions if immediate patching is impossible.
  4. Download the applicable update package (10.2.2 or 9.13.9).
  5. Deploy the update package following standard DNN upgrade procedures.
  6. Audit the filesystem (the Portals directory tree) for existing SVG files that contain script elements, event-handler attributes or javascript: links; removing the extension from the allow list does not remove files that were uploaded before the change.
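As an added example (not DotNetNuke's code, and not from the original report), the following Python script performs step 6: it walks a directory such as the DNN Portals tree and flags every .svg or .svgz file whose XML contains active content. The script file name, the Portals path in the usage comment and the sample payloads in SAMPLES are assumptions constructed for the demonstration.

```python
"""Audit a DNN Portals tree for SVG files that carry active content.

Added example for this advisory; it is not part of DotNetNuke. The directory
layout, the script file name and the SAMPLES payloads are assumed/constructed.
"""
import gzip
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Elements that execute or embed script, or that pull HTML into the SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}
# SMIL animation elements can rewrite an href to javascript: at runtime.
ANIMATION_ELEMENTS = {"set", "animate"}
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")
# Coarse fallback used only when the file is not well-formed XML.
RAW_PATTERN = re.compile(rb"<\s*script\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)

# Constructed sample files: three malicious, one benign.
SAMPLES = {
    "script.svg": b'<svg xmlns="http://www.w3.org/2000/svg">'
                  b'<script>alert(document.cookie)</script></svg>',
    "onload.svg": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
                  b'<circle r="5"/></svg>',
    "href.svg": b'<svg xmlns="http://www.w3.org/2000/svg" '
                b'xmlns:xlink="http://www.w3.org/1999/xlink">'
                b'<a xlink:href="java\nscript:alert(1)"><text>x</text></a></svg>',
    "clean.svg": b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
                 b'<rect width="10" height="10" fill="#09f"/></svg>',
}


def _local(name):
    """Drop the {namespace} prefix and lowercase a tag or attribute name."""
    return name.rsplit("}", 1)[-1].lower()


def find_svg_threats(data):
    """Return [(reason, detail), ...] for one SVG document; [] means nothing found."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Browsers parse more leniently than expat, so an unparseable file is
        # suspicious in itself; fall back to a byte-level pattern scan.
        findings.append(("unparseable", str(exc)))
        if RAW_PATTERN.search(data):
            findings.append(("raw-match", "script/handler/javascript: text present"))
        return findings

    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(("active-element", tag))
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):                      # onload, onclick, onbegin, ...
                findings.append(("event-handler", "%s@%s" % (tag, name)))
            elif name == "href":                           # bare href or xlink:href
                # The XML parser has already decoded &#...; references; also drop
                # the whitespace browsers ignore inside a scheme ("java\nscript:").
                target = re.sub(r"\s+", "", value).lower()
                if target.startswith(DANGEROUS_SCHEMES):
                    findings.append(("dangerous-href", "%s@%s=%s" % (tag, name, target[:40])))
            elif (name == "attributename" and tag in ANIMATION_ELEMENTS
                  and value.lower().endswith("href")):
                findings.append(("animated-href", tag))
    return findings


def audit_directory(root_dir):
    """Walk root_dir and return {path: findings} for every SVG that has findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            lower = fname.lower()
            if not lower.endswith((".svg", ".svgz")):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                data = fh.read()
            if lower.endswith(".svgz"):                    # gzip-wrapped SVG
                try:
                    data = gzip.decompress(data)
                except (OSError, EOFError):
                    report[path] = [("unparseable", "bad gzip container")]
                    continue
            findings = find_svg_threats(data)
            if findings:
                report[path] = findings
    return report


def demo_audit():
    """Write the constructed samples to a temp dir, audit it, return {name: reasons}."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in SAMPLES.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        report = audit_directory(tmp)
    return {os.path.basename(p): sorted({r for r, _ in f}) for p, f in report.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:     # e.g. python audit_svg.py C:\inetpub\wwwroot\Portals (path assumed)
        for path, findings in sorted(audit_directory(sys.argv[1]).items()):
            print(path)
            for reason, detail in findings:
                print("    %-16s %s" % (reason, detail))
    else:
        print(demo_audit())
```

The script only reports; quarantine or delete flagged files by hand after reviewing them, and keep in mind that a clean result is not proof of safety, since browsers tolerate markup that expat rejects (which is why unparseable files are listed too). The stdlib parser does not fetch external entities, but if the tree you scan is large and untrusted, swapping `ET.fromstring` for `defusedxml.ElementTree.fromstring` also guards against entity-expansion denial of service.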

Read the full report for GHSA-FFQ7-898W-9JC4 on our website for more details including interactive diagrams and full exploit analysis.
