DotNetNuke Vulnerable to XSS in Pass-Through Values

Description

The IFrame module before 03.02.01 for DotNetNuke (DNN) contains a cross-site scripting (XSS) vulnerability caused by improper validation of user-supplied input by an unspecified script. Pass-through values were not filtered, leaving them vulnerable to XSS. A remote attacker could exploit this vulnerability using various parameters in a specially crafted URL; once the victim clicks the URL, script executes in the victim's web browser within the security context of the hosting web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

Basic information

Type
reviewed
Severity
medium
Repository advisory
Source code
Not specified
Published (advisory)
2022-05-01 17:46:11 UTC
Updated
2023-09-21 23:09:21 UTC
GitHub reviewed
2023-09-21 23:09:06 UTC
NVD published
2007-02-01 22:28:00 UTC

EPSS Score

Score: 1.24%
Percentile: 79.01%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

CWEs

CWE id: CWE-79
Name: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem: nuget
Package: DotNetNuke.Core
Vulnerable range: < 03.02.01
First patched: 03.02.01
Vulnerable functions: (none listed)
