> >

HTML/Script Code Injection Vulnerability in User messaging

Published: May 19, 2010

Version: 1.0

Maximum Severity Rating: Low

Background

DotNetNuke added support for user messaging in 5.3.0.

Issue Summary

The code for the user messaging module does not sanitize all entered text, meaning it would be possible to generate a message that contained a script or html vulnerability.

Mitigating factors

The user messaging module is only available to logged in users. If your site contains a controlled set of users i.e. does not allow public or verifed registration then this issue is greatly mitigated. In cases where a site has a single user the issue obviously is non existant.

Affected DotNetNuke versions

5.3.0 - 5.4.1

Non-Affected Versions:

All others

Fix(s) for issue

To fix this problem, you are recommended to update to the latest version of DotNetNuke (5.4.2 at time of writing).

Acknowledgments

Chris Wood

Security Policy

Click here to read more details on the DotNetNuke Security Policy

Advertisers

DotNetNuke Corporation

DotNetNuke Corp. is the steward of the DotNetNuke open source project, the most widely adopted Web Content Management Platform for building web sites and web applications on Microsoft .NET. Organizations use DotNetNuke to quickly develop and deploy interactive and dynamic web sites, intranets, extranets and web applications. The DotNetNuke platform is available in a free Community and subscription-based Professional and Enterprise Editions with an Elite Support option. DotNetNuke Corp. also operates Snowcovered.com where users purchase third party apps for the platform.

Community
- Get Involved
- Extension Forge
- Forum
- Blog
- Teams
- Recognition
Resources & Support
Partners
News Room
App Gallery
What is DNN
Get Started
- Downloads
- Video Instruction
In Action
About Us
sales@dnncorp.com (650) 288 - 3150 (650) 288 - 3191

Hosted by MaximumASP

HTML/Script Code Injection Vulnerability in User messaging

Advertisers

Sponsors

DotNetNuke Corporation