CVE-2019-12562

Name of the Vulnerable Software and Affected Versions DotNetNuke (DNN) versions prior to 9.4.0

Description The issue allows remote attackers to store and embed malicious scripts into the admin notification page, potentially leading to actions being performed with admin privileges, such as managing content, adding users, or uploading backdoors to the server. This occurs when an admin user visits a notification page with stored cross-site scripting. The exploit is possible via the Display Name field in the admin notification function.

Recommendations For versions prior to 9.4.0, update to version 9.4.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin notification function to minimize the risk of exploitation. Avoid using the Display Name field in the admin notification function until the issue is resolved.