Potential XSS in language skin object

Published: Apr 3, 2013

Version: 1.0

Maximum Severity Rating: low

Background

DotNetNuke supports the ability to to use multiple languages.

Issue Summary

When running with multiple languages a flag selector is available. This echoes the page address with the different culture's available, but fails to remove any potential html/javascript injection.

Mitigating factors

sites must have more than 1 language enabled
sites must be using core language skin object

Affected DotNetNuke versions

Non-Affected Versions:

Fix(s) for issue

To fix this problem, you are recommended to update to the latest version of DotNetNuke (6.2.7/7.0.5 at time of writing)

Acknowledgments

N/A

Security Policy

Click here to read more details on the DotNetnuke Security Policy

DotNetNuke Corporation

DotNetNuke (DNN) provides a suite of solutions that make designing, building and managing feature-rich sites and communities fast, easy and cost-effective. The DotNetNuke Platform CMS is the foundation for more than one million websites worldwide. DNN Social, our newest solution, enables businesses to create immersive, interactive communities. Thousands of organizations like True Value Hardware, Bose, Cornell University, Glacier Water, Dannon, Delphi, USAA, NASCAR, Northern Health and the City of Denver have leveraged DNN to deploy highly engaging business- critical websites. Our rapid growth in product sales and deployments resulted in DotNetNuke Corp. being named one of the fastest growing private companies in America by Inc. Magazine in 2011 and 2012.

Community
Resources & Support
- Support
- Training
- FAQs
- Report a Bug
- Downloads
- Security Policy
Partners
News Room
App Gallery
- The Store
- Extension Forge
What is DNN
Get Started
- Downloads
- Video Instruction
In Action
About Us
sales@dnncorp.com (650) 288 - 3150 (650) 288 - 3191

Hosted by MaximumASP