GHSA-7rcc-q6rq-jpcm: 
C# vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was identified in DNN Platform's Profile Biography field, tracked as GHSA-7rcc-q6rq-jpcm. The vulnerability was discovered and disclosed on September 22, 2025, affecting DotNetNuke.Core (NuGet) versions below 10.1.0. The issue allows users to inject malicious JavaScript code into their profile biography field, which executes in the context of the website for any viewer, including administrators and superusers, despite existing sanitization measures (GitHub Advisory).

The vulnerability is classified with a CVSS v3.1 base score of 6.3 (Moderate severity), with the following metrics: Network attack vector, Low attack complexity, Low privileges required, No user interaction needed, Unchanged scope, and Low impact on confidentiality, integrity, and availability. The vulnerability is categorized as CWE-79 (Improper Neutralization of Input During Web Page Generation), where the application fails to properly neutralize user-controllable input before displaying it to other users (GitHub Advisory).

The vulnerability allows attackers to execute JavaScript code in the context of other users' browsers, including those of administrators and superusers who view the compromised profile. This could potentially lead to unauthorized access, data theft, or further exploitation of privileged users' sessions (GitHub Advisory).

The vulnerability has been patched in version 10.1.0 of DotNetNuke.Core. Users are advised to upgrade to this version or later to protect against this security issue (GitHub Advisory).