Published: April 1, 2009
Maximum Severity Rating: Low
To support PayPal IPN functionality, DotNetNuke posts information to, and receives status information from, the PayPal web service. To do this it uses a name/value pair as part of the request, which is echoed into the form action attribute to ensure that any actions post to the correct page.
It was possible to amend the name/value pairs and inject HTML/script, which could allow hackers to perform cross-site scripting attacks.
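The following added example is not DotNetNuke's code. It contrasts a form tag built by echoing request name/value pairs straight into the action attribute with one that allow-lists the names and encodes the output for the attribute context. The parameter names tabid and orderid, the helper names, and the sample values are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;

static class FormActionDemo
{
    // Hypothetical allow-list: the only parameter names this page will echo back.
    static readonly HashSet<string> AllowedNames =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "tabid", "orderid" };

    // "Before": the request's name/value pairs are concatenated into the
    // action attribute unchanged, so a quote in a value ends the attribute.
    public static string UnsafeFormTag(string path, IEnumerable<KeyValuePair<string, string>> pairs)
    {
        string query = string.Join("&", pairs.Select(p => p.Key + "=" + p.Value));
        return "<form method=\"post\" action=\"" + path + "?" + query + "\">";
    }

    // "After": drop unknown names, URL-encode each name and value, then
    // HTML-encode the whole URL because it is written into an attribute.
    public static string SafeFormTag(string path, IEnumerable<KeyValuePair<string, string>> pairs)
    {
        string query = string.Join("&", pairs
            .Where(p => AllowedNames.Contains(p.Key))
            .Select(p => Uri.EscapeDataString(p.Key) + "=" + Uri.EscapeDataString(p.Value)));
        return "<form method=\"post\" action=\"" + WebUtility.HtmlEncode(path + "?" + query) + "\">";
    }

    static void Main()
    {
        // Constructed sample request: one expected pair, one value carrying markup,
        // and one pair whose name is not on the allow-list.
        var pairs = new[]
        {
            new KeyValuePair<string, string>("tabid", "42"),
            new KeyValuePair<string, string>("orderid", "7\"><b>injected</b>"),
            new KeyValuePair<string, string>("unexpected", "value"),
        };
        const string path = "/admin/Sales/paypalipn.aspx";
        Console.WriteLine(UnsafeFormTag(path, pairs)); // markup breaks out of the attribute
        Console.WriteLine(SafeFormTag(path, pairs));   // value stays inside the quoted URL
    }
}
```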
If your site is not using PayPal functionality, you can delete the file at Website\admin\Sales\paypalipn.aspx or rename it to a non-aspx extension.
Affected DotNetNuke versions
Fix(s) for issue
To fix this problem, we recommend that you update to the latest version of DotNetNuke (4.9.3 at time of writing).