GHSA-7rcc-q6rq-jpcm: 
C# vulnerability analysis and mitigation

DNN (formerly DotNetNuke), an open-source web content management platform in the Microsoft ecosystem, was found to contain a stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-59539) in versions prior to 10.1.0. The vulnerability was discovered in September 2025 and affects the Biography field functionality of user profiles (GitHub Advisory).

The vulnerability exists in the Biography field of user profiles where, even when the field is not configured for rich-text, users could inject malicious JavaScript code. Despite having sanitization mechanisms in place, certain scenarios were not properly covered, allowing the execution of injected scripts in the context of the website. The vulnerability has been assigned a CVSS v3.1 base score of 6.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (NVD).

When exploited, the vulnerability allows injected JavaScript code to execute in the context of the website for any user viewing the profile, including administrators and superusers. This could lead to unauthorized access to sensitive information, session hijacking, or other malicious actions performed with the privileges of the viewing user (GitHub Advisory).

The vulnerability has been patched in DNN version 10.1.0. Users are advised to upgrade to this version or later to protect against this security issue (GitHub Advisory).