NDDHosting posted on February 02, 2012 14:47
Published: Feb 1, 2012
Version: 1.0
Maximum Severity Rating: Low
Background
DotNetNuke 6.0 introduced a system of modal dialogs.
Issue Summary
An attacker could craft a URL that causes the JavaScript for the modal popup to be polluted with a cross-site scripting payload.
Mitigating factors
The user would have to click on a URL that contained the JavaScript injection and would then need to click a modal popup link immediately afterwards.
DotNetNuke contains protection against cross-site scripting attacks accessing the user's authentication cookie.
Affected DotNetNuke versions
6.0.0-6.0.2
Non-Affected Versions:
versions prior to 6.0.0
6.1.0 and higher
Fix(es) for issue
To fix this problem, upgrade to 6.1.0 or higher, ideally to the latest version of DotNetNuke (6.1.3 at time of writing).
Acknowledgments
Richard Lundeen of Microsoft and Microsoft Vulnerability Research (MSVR)