CVE-2026-24838
DNN · DNN Multiple Products
A critical vulnerability exists in multiple DNN products that allows an attacker to inject malicious scripts into module titles.
Executive summary
A critical vulnerability exists in multiple DNN products that allows an attacker to inject malicious scripts into module titles. When a user views a page with a compromised module, this script can execute in their browser, potentially leading to account takeover, data theft, or website defacement. Organizations are urged to apply the available security updates immediately to mitigate this high-risk threat.
Vulnerability
The vulnerability is a stored Cross-Site Scripting (XSS) flaw within the module title field. Because this field improperly sanitizes rich text input, an authenticated attacker with permissions to edit module titles can inject malicious HTML and JavaScript code. When any user, including administrators, views the page containing the malicious module title, the injected script executes within the context of their browser session, compromising that session.
Business impact
With a critical severity rating and a CVSS score of 9.1, this vulnerability poses a significant threat to the organization. Successful exploitation could lead to the theft of sensitive user data, session cookies, and administrative credentials, enabling complete account and site takeover. Further consequences include website defacement, redirection of users to malicious phishing sites, and the deployment of malware, resulting in severe reputational damage, loss of customer trust, and potential regulatory non-compliance.
Remediation
Immediate Action: The primary remediation is to upgrade affected systems. Administrators must update their DNN instances to version 9.13.10, 10.2.0, or a later patched version immediately. Refer to the official DNN security advisory for specific patch instructions and details.
Proactive Monitoring: Security teams should actively monitor web application and server logs for attempts to inject script tags or event-handler attributes (<script>, <iframe>, onerror) into POST requests associated with module title updates. Review existing module titles across the site for any suspicious code, bearing in mind that a stored payload may be percent-encoded or entity-encoded rather than appearing as literal tags. Implement alerts for unusual client-side script execution or unexpected outbound network traffic from user browsers interacting with the site.
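The two checks above (reviewing stored titles and watching title-update POSTs) as an added Python example; it is not code from DNN or from the advisory. The module IDs, titles, log lines and the `/DesktopModules/ModuleTitle/Save` path are constructed, and the log scan assumes the title parameter is written to the log (stock web-server access logs omit request bodies).

```python
import html
import re
from urllib.parse import unquote_plus

# Indicators named in the advisory (script/iframe tags, onerror-style handlers) plus a few
# close relatives; matched case-insensitively after decoding so encoded variants are caught.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|iframe|svg|object|embed)\b"
    r"|\bon(error|load|click|mouse\w+|focus|key\w+)\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)

def normalise(value: str) -> str:
    """Undo the encodings a stored title or POST body may carry before inspecting it."""
    decoded = unquote_plus(value)   # %3Cscript%3E -> <script>
    decoded = unquote_plus(decoded) # second pass catches double percent-encoding
    return html.unescape(decoded)   # &lt;script&gt; -> <script>

def is_suspicious(value: str) -> bool:
    """Heuristic: True if the decoded value contains script-like content."""
    return SUSPICIOUS.search(normalise(value)) is not None

def review_titles(titles: dict[str, str]) -> list[str]:
    """Return the IDs of modules whose stored title looks injected (sorted for stable output)."""
    return sorted(module_id for module_id, title in titles.items() if is_suspicious(title))

def scan_log(lines: list[str]) -> list[str]:
    """Return log lines for module-title POSTs whose logged parameters carry an indicator."""
    return [
        line for line in lines
        if '"POST ' in line and "/ModuleTitle/Save" in line and is_suspicious(line)
    ]

# Constructed sample data: a small export of module titles and three application-log lines.
SAMPLE_TITLES = {
    "421": "Latest News",
    "422": "Contact <script>/* constructed */</script>",
    "423": "Gallery <img src=x onerror=x()>",
    "424": "Docs &lt;iframe src=//example.invalid&gt;",  # entity-encoded in storage
}
SAMPLE_LOG = [
    '10.0.0.5 editor "POST /DesktopModules/ModuleTitle/Save HTTP/1.1" 200 title=Team+Page',
    '10.0.0.5 editor "POST /DesktopModules/ModuleTitle/Save HTTP/1.1" 200 '
    'title=%3Cscript%3E%2F*x*%2F%3C%2Fscript%3E',
    '10.0.0.9 guest "GET /Home HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    print("flagged titles:", review_titles(SAMPLE_TITLES))
    print("flagged log lines:", scan_log(SAMPLE_LOG))
```

Flagged module IDs should be reviewed by hand; the regex is a triage aid and will not catch every obfuscation.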
Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:
- Deploy a Web Application Firewall (WAF) with strict XSS filtering rules to detect and block malicious payloads.
- Restrict permissions for editing module titles to a minimal number of highly trusted administrators.
- Implement a strong Content Security Policy (CSP) to prevent the execution of untrusted inline scripts.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.1, this vulnerability requires immediate attention. We strongly recommend that all organizations using affected DNN products prioritize the deployment of the security patches to versions 9.13.10 or 10.2.0. Although this CVE is not currently on the CISA KEV list, its high severity and potential for complete system compromise present an unacceptable risk. If patching is delayed, the compensating controls outlined above should be implemented as an urgent temporary measure.