Dotnetnuke < 9.13.10 / 10.0.x < 10.02.00 Stored XSS via Module Title (CVE-2026-24838)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(297827);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/30");

  script_cve_id("CVE-2026-24838");
  script_xref(name:"IAVB", value:"2026-B-0028-S");

  script_name(english:"Dotnetnuke < 9.13.10 / 10.0.x < 10.02.00 Stored XSS via Module Title (CVE-2026-24838)");

  script_set_attribute(attribute:"synopsis", value:
"An ASP.NET application running on the remote web server is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the instance of Dotnetnuke running on the remote web server is prior to 9.13.10
or 10.0.x prior to 10.02.00. It is, therefore, affected by a vulnerability.

  - DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft
    ecosystem. Prior to versions 9.13.10 and 10.2.0, module title supports richtext which could include
    scripts that would execute in certain scenarios. Versions 9.13.10 and 10.2.0 contain a fix for the issue.
    (CVE-2026-24838)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-w9pf-h6m6-v89h
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b676c85d");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Dotnetnuke version 10.02.00 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-24838");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/01/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/01/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/02/04");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:dotnetnuke:dotnetnuke");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:dnnsoftware:dotnetnuke");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("dotnetnuke_detect.nasl");
  script_require_keys("installed_sw/DNN");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include('vcf.inc');
include('http.inc');

var app = 'DNN';

get_install_count(app_name:app, exit_if_zero:TRUE);

var port = get_http_port(default:80, asp:TRUE);

var app_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);
vcf::check_granularity(app_info:app_info, sig_segments:3);

var constraints = [
  { 'fixed_version' : '9.13.10' },
  { 'min_version' : '10.0.0', 'fixed_version' : '10.02.00' }
];

vcf::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    severity:SECURITY_WARNING
);