Microsoft is providing notification of the discovery and remediation of a vulnerability affecting DotNetNuke 6.0.0 through version 6.0.2. Microsoft discovered and disclosed the vulnerability under coordinated vulnerability disclosure to the affected vendor, DotNetNuke. DotNetNuke has remediated the vulnerability in their software.
The vulnerability exists in the way that affected versions of DotNetNuke validate script information included within a specially crafted URL. An attacker can construct a URL that causes the JavaScript for the modal popup to be polluted with attacker-controlled script, creating a reflected cross-site scripting condition.
Microsoft Vulnerability Research reported this issue to DotNetNuke and coordinated with them to ensure its remediation. The vulnerability has been assigned the entry CVE-2012-1030 in the Common Vulnerabilities and Exposures list. For more information, including information about updates from DotNetNuke, see DotNetNuke Security Bulletin 62.
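The condition described above, a URL-derived value placed into popup JavaScript, shown as an added example alongside the output encoding that prevents it. This is not DotNetNuke's code or its fix; openPopup, marker, the helper names and the sample URL are assumptions made for illustration.

```javascript
// Added example, not DotNetNuke code. openPopup, marker and the sample URL are hypothetical.

// Encode untrusted text for a quoted JavaScript string literal: every UTF-16
// code unit outside a small safe set becomes \uXXXX, so quotes, backslashes,
// angle brackets and line terminators cannot end the literal or the script block.
function jsStringEncode(value) {
  const s = String(value);
  let out = "";
  for (let i = 0; i < s.length; i++) {
    out += /[A-Za-z0-9 ,._]/.test(s[i])
      ? s[i]
      : "\\u" + s.charCodeAt(i).toString(16).padStart(4, "0");
  }
  return out;
}

// Baseline for comparison: the value is copied into the script unchanged.
const noEncoding = (value) => String(value);

// Server-side step: place a URL-derived value into the popup's JavaScript.
function buildPopupCall(urlValue, encode) {
  return "openPopup('" + encode(urlValue) + "');";
}

// Run the generated statement against stubs and report what executed.
function evaluateCall(jsSource) {
  const seen = { popupArgs: [], markerCalls: 0 };
  const openPopup = (u) => { seen.popupArgs.push(u); };
  const marker = () => { seen.markerCalls += 1; };
  new Function("openPopup", "marker", jsSource)(openPopup, marker);
  return seen;
}

// Constructed test value containing a quote and a harmless marker() call.
const sample = "/Home.aspx?id=1');marker('";

// Unencoded: the literal ends early and marker() runs as code.
console.log(evaluateCall(buildPopupCall(sample, noEncoding)));
// Encoded: the whole value arrives as one string argument; marker() never runs.
console.log(evaluateCall(buildPopupCall(sample, jsStringEncode)));
```

Encoding for the JavaScript string context is applied at the point of output, in addition to any validation of the URL on input.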