Platform: dotnet
Component: dotnetnuke.core
Fixed in: 9.13.11, 10.0.1, 9.13.10
CVE-2026-24838 is a critical Cross-Site Scripting (XSS) vulnerability affecting DotNetNuke.Core versions up to 9.9.1. This flaw arises from the module title field allowing rich text content, which can be exploited to inject and execute malicious scripts. Successful exploitation could lead to account takeover or defacement. The vulnerability was published on January 28, 2026, and a fix is available in version 9.13.10.
The XSS vulnerability in DotNetNuke.Core allows an attacker to inject arbitrary JavaScript code into a web page viewed by other users. This can be exploited to steal user cookies, redirect users to malicious websites, or even deface the website. Specifically, the vulnerability lies in the module title field which improperly handles rich text content. An attacker could craft a malicious module title containing JavaScript payloads that execute when a user views the module. Successful exploitation could lead to complete account takeover, allowing the attacker to perform actions on behalf of the compromised user, including accessing sensitive data and modifying website content. The impact is particularly severe given DotNetNuke's use in managing content and user access for many organizations.
CVE-2026-24838 is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the criticality of the vulnerability suggests a high probability of exploitation if a PoC is released. The vulnerability was disclosed publicly on January 28, 2026, and given the ease of exploitation associated with XSS vulnerabilities, it is likely to attract attention from malicious actors.
Websites and applications utilizing DotNetNuke.Core versions 9.9.1 and earlier are at risk. This includes organizations relying on DotNetNuke for content management and those hosting DotNetNuke installations on shared hosting environments, where vulnerabilities can be more easily exploited due to limited control over the underlying infrastructure.
• .NET / web: Inspect module title fields for unusual characters or patterns indicative of JavaScript injection. Use browser developer tools to monitor for unexpected script execution.
• .NET / web: Review DotNetNuke logs for suspicious activity related to module creation or modification.
• .NET / web: Utilize a WAF to detect and block requests containing potentially malicious rich text content in module titles. Look for patterns like <script> tags or event handlers.
• .NET / web: Monitor for unusual network traffic originating from the DotNetNuke server, which could indicate exploitation.
Disclosure
Exploit status
EPSS: 0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-24838 is to upgrade DotNetNuke.Core to version 9.13.10 or later, which contains the fix for this vulnerability. If upgrading immediately is not feasible, consider implementing a temporary workaround by sanitizing user input in the module title field to prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a layer of protection. Regularly review and update your DotNetNuke installation to ensure you are running the latest security patches. After upgrading, confirm the fix by attempting to create a module with a rich text title containing a simple JavaScript alert (e.g., <script>alert('XSS')</script>); the script should not execute.
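The detection guidance above (look for script tags and event handlers in module titles) and the interim workaround (neutralize rich text in the title field) as one added example; this is not code from the page or from the DotNetNuke project, and it assumes module titles have been exported as plain strings, e.g. from a database query. The sample titles are constructed.

```python
import html
import re

# Constructed sample of module titles as they might be exported from a
# DotNetNuke site; not real data.
SAMPLE_TITLES = [
    "Latest News",
    "Events <b>Calendar</b>",
    "Welcome <script>alert('XSS')</script>",
    '<img src=x onerror="alert(1)">Gallery',
    'Contact <a href="javascript:alert(1)">us</a>',
]

# Indicators named in the detection guidance: <script> tags, inline event
# handlers and javascript: URLs. Case-insensitive because browsers are.
SUSPICIOUS_PATTERNS = [
    ("script-tag", re.compile(r"<\s*script\b", re.IGNORECASE)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("javascript-url", re.compile(r"javascript\s*:", re.IGNORECASE)),
]


def flag_title(title: str) -> list[str]:
    """Return the names of the suspicious patterns found in one title."""
    return [name for name, pattern in SUSPICIOUS_PATTERNS if pattern.search(title)]


def scan_titles(titles):
    """Return (title, findings) for every title that triggers a pattern,
    suitable for a periodic review of module titles."""
    return [(t, f) for t in titles if (f := flag_title(t))]


def harden_title(title: str) -> str:
    """Interim workaround: HTML-encode the title so it is rendered as text.
    Note this also displays harmless markup such as <b> literally; the
    vendor fix (upgrade) is the real remedy."""
    return html.escape(title, quote=True)


if __name__ == "__main__":
    for title, findings in scan_titles(SAMPLE_TITLES):
        print(f"{findings}: {title!r} -> {harden_title(title)!r}")
```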
Update DotNetNuke to version 9.13.10 or later, or to version 10.2.0 or later. This fixes the stored XSS vulnerability in the module title. The update can be performed through the DotNetNuke admin panel.
CVE-2026-24838 is a critical Cross-Site Scripting (XSS) vulnerability in DotNetNuke.Core versions up to 9.9.1, allowing script execution via the module title's rich text functionality.
If you are using DotNetNuke.Core versions 9.9.1 or earlier, you are potentially affected by this vulnerability. Check your version and upgrade accordingly.
Upgrade DotNetNuke.Core to version 9.13.10 or later. As a temporary workaround, implement a WAF rule to filter malicious rich text content.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a potential for rapid exploitation.
Refer to the official DotNetNuke security advisory for detailed information and updates regarding CVE-2026-24838.