CVE-2021-31858 Stored Cross-Site Scripting in DotNetNuke
1. Vulnerability Properties
Title: Stored Cross-Site Scripting in DotNetNuke
CVE ID: CVE-2021-31858
CVSSv3 Base Score: 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
Vendor: DNNSoftware
Products: DotNetNuke
Advisory Release Date: 19-07-2022
Advisory URL: https://labs.integrity.pt/advisories/cve-2021-31858
Credits: Discovery by Bruno Barreirinhas <bb[at]integrity.pt>
2. Vulnerability Summary
DotNetNuke CMS contains a stored cross-site scripting vulnerability in the user profile biography section, which allows remote authenticated users to inject JavaScript and/or HTML via a crafted payload.
Any subsequent request to the attacker’s user profile page retrieves the malicious content, which then executes in the victim’s browser.
3. Vulnerable Versions
<= 9.10.2
4. Solutions
Until an official patch is released, it’s recommended that affected users take one of the following actions:
Disable User profile page in Settings > Site Behavior > Default Pages > User Profile Page
Set user profile visibility mode to Admin Only in Settings > Site Behavior > User Profiles > User Profile Settings
Disable user profile Biography field in Settings > Site Behavior > User Profiles > User Profile Fields
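The workarounds above do not by themselves show whether a biography value already holds script-capable markup. The following is an added example, not code from the advisory or from DNN: it audits exported biography values against an allowlist. The `(username, biography)` export format, the allowlist contents and all function names are assumptions for illustration.

```python
from html.parser import HTMLParser

# Assumed allowlist for a rich-text biography; adjust to site policy.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "u", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class BioAuditor(HTMLParser):
    """Collects markup in a biography value that falls outside the allowlist."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names before this call.
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"tag:{tag}")
            return
        for name, value in attrs:
            value = (value or "").strip()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.findings.append(f"attr:{tag}.{name}")
            elif name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                self.findings.append(f"href:{value[:30]}")


def audit_biographies(records):
    """Return {username: findings} for every biography that needs review."""
    flagged = {}
    for username, biography in records:
        auditor = BioAuditor()
        auditor.feed(biography or "")
        auditor.close()
        if auditor.findings:
            flagged[username] = auditor.findings
    return flagged


# Constructed sample export: (username, biography value) pairs.
SAMPLE = [
    ("alice", '<p>Security engineer, <a href="https://example.org">blog</a>.</p>'),
    ("bob", "<p>Hello</p><script>/* placeholder */</script>"),
    ("carol", '<b onmouseover="/* placeholder */">hi</b>'),
    ("dave", "Plain text biography with no markup."),
]

if __name__ == "__main__":
    for user, findings in audit_biographies(SAMPLE).items():
        print(user, findings)
```

Relative links are also reported, because the check only accepts the listed URL schemes; treat those findings as items for manual review.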
5. Vulnerability Timeline
28/Apr/21 - Bug reported to DNNSoftware via email (no feedback)
26/May/21 - Contacted vendor via GitHub
26/May/21 - Bug reported to DNNSoftware via email
27/May/21 - Bug verified by DNNSoftware
13/Jul/21 - Requested feedback regarding the vulnerability
22/Jul/21 - Informed the vendor about the assigned CVE ID (no feedback)
20/Sep/21 - Requested feedback regarding the vulnerability
23/Dec/21 - Requested feedback regarding the vulnerability
05/Jul/22 - Notified the vendor about the disclosure (no feedback)
11/Jul/22 - Notified the vendor regarding the vulnerability details (no feedback)