CVE-2025-59546: 
C# vulnerability analysis and mitigation

DNN (formerly DotNetNuke), an open-source web content management platform in the Microsoft ecosystem, was found to contain a stored XSS vulnerability (CVE-2025-59546) prior to version 10.1.0. The vulnerability allows administrators and content editors to set HTML in module titles that could include malicious JavaScript code, potentially leading to XSS-based attacks (GitHub Advisory).

The vulnerability has a CVSS v3.1 base score of 4.8 MEDIUM (NIST) and 2.4 LOW (GitHub) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The attack requires high privileges and user interaction, with a network-based attack vector. The vulnerability stems from insufficient input validation in the module title functionality, where HTML content including JavaScript could be injected (NVD).

The vulnerability allows privileged users to inject malicious scripts through module titles, which could lead to cross-site scripting attacks. While the attack requires high privileges, it could potentially compromise data confidentiality and integrity within the affected scope (GitHub Advisory).

The vulnerability has been patched in DNN Platform version 10.1.0. A security setting has been added to the Security module in the Persona Bar to control HTML functionality in module titles. Users are advised to upgrade to the patched version to mitigate the risk (GitHub Advisory).