Published: June 11, 2008
Maximum Severity Rating: Low
To support switching between languages via the Language skin object, the skin object renders the existing page path along with the relevant country flag and a language token.
The language skin object failed to encode the newly generated paths which meant that a hacker could inject html/script to perform cross-site scripting attacks.
Only DotNetNuke sites that have multiple language pack installs and use the Language skin object suffer from this flaw.
Affected DotNetNuke versions
Fix(s) for issue
To fix this problem, you are recommended to update to the latest version of DotNetNuke (4.8.4 at time of writing)
Click here to read more details on the DotNetNuke Security Policy