CVE-2025-48377: Reflected Cross-Site Scripting (XSS) in module actions in edit mode
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| DotNetNuke.Web | nuget | < 9.13.9 | 9.13.9 |
| DotNetNuke.Core | nuget | < 9.13.9 | 9.13.9 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is a reflected Cross-Site Scripting (XSS) issue triggered by specially crafted URLs affecting module actions in edit mode. The provided commit (351b166492ad4b6509c273dc83211d52238e31a7) contains numerous changes that apply encoding (primarily HttpUtility.JavaScriptStringEncode and HttpUtility.HtmlAttributeEncode) to data before it's embedded in JavaScript strings or HTML attributes. This indicates that the prior lack of encoding was the root cause.
The analysis focused on identifying functions where:
- Input that could be derived from URL parameters (especially in the context of module actions) was being handled.
- This input was used to dynamically generate JavaScript code or HTML content.
- The patch introduced encoding functions to sanitize this input.
Key functions identified are:
- DotNetNuke.ExtensionPoints.ToolBarButtonRenderer.GetOutput: Server-side C# code that was directly embedding an action string (potentially user-influenced JavaScript code) into an onclick HTML attribute. The patch added HttpUtility.HtmlAttributeEncode.
- ModuleActions.js#buildMenu: Client-side JavaScript that was constructing HTML for module action menus using string concatenation with data (like action.Url and action.Title) received from the server. If this data was tainted by a crafted URL, XSS would occur. The patch refactored this to use safer jQuery DOM manipulation and removed a potentially problematic decodeURIComponent call.
- Dnn.Modules.Console.ViewConsole.GetClientSideSettings: Server-side C# code in a specific module (Console) that was embedding module settings (potentially influenced by URL parameters of an action) into a JavaScript block without encoding. The patch added HttpUtility.JavaScriptStringEncode.
- DotNetNuke.Common.Utilities.UrlUtils.PopUpUrl: A server-side C# utility function, likely used by module actions, that was constructing JavaScript for popups where URLs passed as parameters were not fully encoded for the JavaScript string context. The patch added HttpUtility.JavaScriptStringEncode.
- DotNetNuke.Web.UI.Utilities.GetOnClientClickConfirm: A server-side C# utility that generates JavaScript for confirmation dialogs. If message parameters, influenced by a module action via a crafted URL, were not encoded, XSS was possible.
These functions are representative of how a crafted URL could inject a payload that gets processed by a module action and then reflected unsafely onto the page, either directly in server-rendered HTML/JavaScript or in client-rendered HTML based on server-provided data. The common theme in the patch is the consistent application of context-aware encoding (HTML attribute encoding, JavaScript string encoding) to prevent the interpretation of user-supplied data as executable code.
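The layering behind the two encoders named above, as an added example (not code from the DNN commit): a value placed in a JavaScript string inside an onclick attribute must be encoded for the string first and for the attribute second. The encoder functions are simplified stand-ins for the HttpUtility methods, and openPopUp, marker, the render functions and the sample input are hypothetical names and constructed data.

```javascript
// Simplified stand-in for HttpUtility.JavaScriptStringEncode: makes a value
// safe inside a quoted JavaScript string literal (innermost context).
function jsStringEncode(s) {
  return String(s).replace(/[\\'"<>&\u0000-\u001f\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Simplified stand-in for HttpUtility.HtmlAttributeEncode: makes a value
// safe inside a double-quoted HTML attribute (outer context).
function htmlAttrEncode(s) {
  return String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;").replace(/</g, "&lt;");
}

// "Before" shape: a URL-derived value concatenated into script inside onclick.
function renderUnsafe(url) {
  return '<a onclick="openPopUp(\'' + url + '\')">Edit</a>';
}

// Hardened: encode for the JS string first, then for the attribute around it.
function renderSafe(url) {
  const script = "openPopUp('" + jsStringEncode(url) + "')";
  return '<a onclick="' + htmlAttrEncode(script) + '">Edit</a>';
}

// Model of the browser: the attribute ends at the first double quote,
// entities are decoded, and the result becomes the handler body.
function onclickValue(html) {
  const m = /onclick="([^"]*)"/.exec(html);
  return m[1].replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&lt;/g, "<").replace(/&amp;/g, "&");
}

// Runs the handler with recording stubs and returns the calls it made.
function simulateClick(html) {
  const calls = [];
  const handler = new Function("openPopUp", "marker", onclickValue(html));
  handler((arg) => calls.push(["openPopUp", arg]), () => calls.push(["marker"]));
  return calls;
}

// Constructed, inert input containing both quote characters and markup.
const sample = `x');marker();//"><i>`;
console.log(simulateClick(renderUnsafe(sample))); // marker() runs as code
console.log(simulateClick(renderSafe(sample)));   // value arrives only as data
```

In the hardened output the handler receives the original string unchanged as its single argument, which is the property to assert in a regression test for any renderer that builds inline handlers.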