Published: Jan 19, 2011
Maximum Severity Rating: Low
DotNetNuke contains support for user profile properties to capture values such as city, state, etc., as well as any custom properties required for each user.
Whilst the majority of profile properties encode output, some contain HTML and cannot do so. An additional filter to remove potential XSS issues was added to these profile properties.
This only affects sites which display rich text profile properties. The user profile module supports templating, so these properties are optional.
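The difference between the two kinds of property described above, as an added example that is not DotNetNuke's own code (the page does not show its filter): plain properties are HTML-encoded on output, while a rich text property goes through an allowlist filter instead. It is written in Python rather than .NET, and the allowlists and the names `render_plain`, `render_rich` and `RichTextFilter` are assumptions for illustration.

```python
import html
from html.parser import HTMLParser

# Assumed allowlist for a rich-text property; not DotNetNuke's actual filter rules.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
SAFE_HREF = ("http://", "https://", "mailto:")  # only attribute kept: <a href>
DROP_WITH_CONTENT = {"script", "style"}         # remove the element and its text

class RichTextFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            href = ""
            for name, value in attrs:
                value = (value or "").strip()
                # Event handlers, style, src, etc. are dropped; href needs a safe scheme.
                if tag == "a" and name == "href" and value.lower().startswith(SAFE_HREF):
                    href = f' href="{html.escape(value, quote=True)}"'
            self.out.append(f"<{tag}{href}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:  # text is re-encoded, so stray < or & cannot form markup
            self.out.append(html.escape(data, quote=False))

def render_plain(value):
    """Plain properties (city, state, ...): encode everything on output."""
    return html.escape(value, quote=True)

def render_rich(value):
    """Rich-text properties: keep allowlisted markup, drop the rest."""
    f = RichTextFilter()
    f.feed(value)
    f.close()
    return "".join(f.out)

if __name__ == "__main__":
    bio = '<p onclick="x()">Hi <b>there</b><script>alert(1)</script></p>'  # constructed
    print(render_plain(bio))
    print(render_rich(bio))
```

An unclosed `<script>` leaves the filter in skip mode, so everything after it is dropped rather than emitted.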
Affected DotNetNuke versions
Fix(s) for issue
To fix this problem, updating to the latest version of DotNetNuke (5.6.1 at time of writing) is recommended.