Platform
dotnet
Component
dotnetnuke.core
Fixed in
9.13.11
10.0.1
9.13.10
CVE-2026-24838 is a critical Cross-Site Scripting (XSS) vulnerability affecting DotNetNuke.Core versions up to 9.9.1. This flaw arises from the module title field allowing rich text content, which can be exploited to inject and execute malicious scripts. Successful exploitation could lead to account takeover or defacement. The vulnerability was published on January 28, 2026, and a fix is available in version 9.13.10.
An attacker can leverage this XSS vulnerability to inject arbitrary JavaScript code into the module title field. When a user views the affected module, the injected script will execute within their browser context. This can lead to a variety of malicious outcomes, including session hijacking, redirection to phishing sites, and the theft of sensitive information like cookies and authentication tokens. The impact is particularly severe because module titles are often displayed prominently on websites, increasing the likelihood of user exposure. A successful attack could also allow an attacker to modify website content, leading to defacement or the dissemination of malware.
CVE-2026-24838 is currently not listed in the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the severity of the vulnerability and the low skill needed to exploit stored XSS suggest it could be weaponised quickly. Given its XSS nature, it is likely to be targeted by automated scanners as well as by hands-on attackers. The NVD entry was published on January 28, 2026.
Websites and applications utilizing DotNetNuke.Core versions 9.9.1 and earlier are at risk. This includes organizations relying on DotNetNuke for content management and those hosting DotNetNuke installations on shared hosting environments, where vulnerabilities can be more easily exploited due to limited control over the underlying infrastructure.
• .NET / web: Inspect module title fields for unusual characters or patterns indicative of JavaScript injection. Use browser developer tools to monitor for unexpected script execution.
• .NET / web: Review DotNetNuke logs for suspicious activity related to module creation or modification.
• .NET / web: Utilize a WAF to detect and block requests containing potentially malicious rich text content in module titles. Look for patterns like <script> tags or event handlers.
• .NET / web: Monitor for unusual network traffic originating from the DotNetNuke server, which could indicate exploitation.
disclosure
Exploit status
EPSS
0.03% (10th percentile)
The primary mitigation for CVE-2026-24838 is to upgrade DotNetNuke.Core to version 9.13.10 or later. If immediate upgrading is not possible, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious rich text content in module titles. Specifically, look for patterns indicative of JavaScript injection attempts. Additionally, carefully review and sanitize any user-supplied input used in module titles before rendering them on the website. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload into a module title and verifying that it does not execute.
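As an added example that is not part of this advisory or of DotNetNuke's own code, the Python triage script below applies the detection bullets above and the sanitize-before-rendering advice: it flags module titles that carry active markup (script-bearing tags, on* event handlers, javascript: URLs) while leaving inert rich text alone, and shows the HTML-encoded form in which a title should be rendered. The sample titles and module ids are constructed; the tag and attribute lists are a triage heuristic, not a complete sanitizer, and do not replace the upgrade.

```python
import html
import re
from html.parser import HTMLParser

# Markup that can execute or load script when a module title is rendered unencoded.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math", "link", "style", "base", "meta"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data"}
SCRIPT_SCHEME = re.compile(r"\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)

class TitleAuditor(HTMLParser):
    """Record indicators of script injection found in one rich-text title."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so onError and onerror match alike.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active tag <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name}")
            elif name in URL_ATTRS and value and SCRIPT_SCHEME.match(value):
                self.findings.append(f"{name} uses {value.split(':', 1)[0].strip().lower()}: scheme")

def audit_title(title):
    """Return injection indicators for one title; [] means plain text or inert formatting only."""
    auditor = TitleAuditor()
    auditor.feed(title)
    auditor.close()
    return auditor.findings

def scan_titles(titles):
    """Map module id -> findings for titles carrying active content (triage aid, not a sanitizer)."""
    return {module_id: f for module_id, t in titles.items() if (f := audit_title(t))}

def render_title_safe(title):
    """Hardened rendering: HTML-encode the title so markup is displayed literally, never executed."""
    return html.escape(title, quote=True)

# Constructed sample titles standing in for an export of module titles (not real data).
SAMPLE_TITLES = {
    101: "Quarterly Report",
    102: "News <b>Flash</b>",                      # inert rich text: must not be flagged
    103: "<script>/*payload*/</script>Welcome",
    104: '<img src="x" onError="x()">Gallery',
    105: '<a href=" JavaScript:x()">Read more</a>',
}
```

Running `scan_titles(SAMPLE_TITLES)` flags ids 103, 104 and 105 only; feeding a flagged title through `render_title_safe` shows what a view should emit until the instance is on a fixed version.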
Upgrade DotNetNuke to version 9.13.10 or later, or to version 10.2.0 or later. This fixes the stored XSS vulnerability in the module title. The upgrade can be performed through the DotNetNuke administration panel.
CVE-2026-24838 is a critical Cross-Site Scripting (XSS) vulnerability in DotNetNuke.Core versions up to 9.9.1, allowing script execution through the module title's rich-text functionality.
If you are using DotNetNuke.Core versions 9.9.1 or earlier, you are potentially affected by this vulnerability. Check your version and upgrade accordingly.
Upgrade DotNetNuke.Core to version 9.13.10 or later. As a temporary workaround, implement a WAF rule to filter malicious rich text content.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a potential for rapid exploitation.
Refer to the official DotNetNuke security advisory for detailed information and updates regarding CVE-2026-24838.