Critical DNN Platform Vulnerability Let Attackers Execute Malicious Scripts


A severe Stored Cross-Site Scripting (XSS) vulnerability in the Prompt module of the DNN Platform enables low-privilege attackers to inject and execute arbitrary scripts in the context of privileged users.

Published as GHSA-2qxc-mf4x-wr29 by Daniel Valadas yesterday, this vulnerability affects all versions of the DotNetNuke.Core package prior to 10.1.0 and carries a CVSS v3.1 base score of 9.8 (Critical).

Organizations running DNN-based websites should update to version 10.1.0 immediately to prevent potential data theft, session hijacking, or full administrative takeover.

The Prompt module in DNN provides an interactive command-execution interface capable of returning raw HTML.

While the platform sanitizes most user-submitted data before rendering it in entry forms, Prompt commands render their output as raw HTML, bypassing the standard sanitization routines.
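To illustrate the failure mode described above, the following is an added example (not code from the DNN project): a minimal Prompt-style output renderer in which command output is modelled as cells that are either trusted markup produced by the command itself or data values that may originate from a low-privilege user. The cell shape, function names and the "list users" sample are assumptions made for the illustration.

```javascript
// Added example, not DNN code. Each output cell is either
//   { html: "..." }  trusted markup emitted by the command itself, or
//   { text: "..." }  a data value that may have been entered by any user.

// HTML-encode the five characters that can break out of text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable pattern: every cell is concatenated into the page as HTML,
// so user-controlled text is interpreted as markup (stored XSS).
function renderUnsafe(cells) {
  return cells.map((c) => (c.html !== undefined ? c.html : c.text)).join("");
}

// Hardened pattern: only cells the command explicitly marks as HTML pass
// through untouched; everything else is encoded before it reaches the DOM.
function renderSafe(cells) {
  return cells
    .map((c) => (c.html !== undefined ? c.html : escapeHtml(c.text)))
    .join("");
}

// Constructed sample output for a hypothetical "list users" command where the
// display name was taken from a profile field that any account can edit.
const sampleCells = [
  { html: "<tr><td>" },
  { text: "Bob <script>alert(1)</script>" },
  { html: "</td></tr>" },
];

// Defensive check a reviewer can run over rendered output: does any
// user-supplied cell survive as a live tag?
function leaksRawTag(rendered, cells) {
  return cells.some((c) => c.text !== undefined && /<[a-z]/i.test(c.text)
    && rendered.includes(c.text));
}
```

The unsafe renderer leaves the script tag live in the page, while the hardened renderer emits `&lt;script&gt;`, which the browser displays as text.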

An attacker with any authenticated account can craft input containing embedded