161 matches found
CVE-2019-10719
BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution because file creation is mishandled, related to /api/upload and BlogEngine.NET/AppCode/Api/UploadController.cs. NOTE: this issue exists because of an incomplete fix for CVE-2019-6714...
Directory traversal
BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution via the theme cookie to the File Manager. NOTE: this issue exists because of an incomplete fix for CVE-2019-6714...
Directory traversal
BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution because file creation is mishandled, related to /api/upload and BlogEngine.NET/AppCode/Api/UploadController.cs. NOTE: this issue exists because of an incomplete fix for CVE-2019-6714...
Design/Logic Flaw
BlogEngine.NET 3.3.7 and earlier allows XXE via an apml file to syndication.axd...
Sql injection
BlogEngine.NET 3.3.7.0 and earlier allows XML External Entity Blind Injection, related to pingback.axd and BlogEngine.Core/Web/HttpHandlers/PingbackHandler.cs...
CVE-2019-10718
CVE-2019-10718 affects BlogEngine.NET 3.3.7.0 and earlier, where XML External Entity Blind Injection is possible via /pingback.axd. Root cause is XXE in BlogEngine.Core/Web/HttpHandlers/PingbackHandler.cs. Impacts include potential data exposure via XXE; exploitation PoCs exist (e.g., out-of-band...
CVE-2019-10718
BlogEngine.NET 3.3.7.0 and earlier allows XML External Entity Blind Injection, related to pingback.axd and BlogEngine.Core/Web/HttpHandlers/PingbackHandler.cs...
CVE-2019-11392
BlogEngine.NET 3.3.7 and earlier allows XXE via an apml file to syndication.axd...
CVE-2019-11392
BlogEngine.NET 3.3.7 and earlier are affected by an XXE via an apml file to the syndication.axd endpoint. Root cause: external entity processing in the app. Impact: potential exposure of sensitive data. Affected versions: 3.3.7 and earlier. Remediation: disable the syndication.axd endpoint until ...
CVE-2019-10720
CVE-2019-10720 affects BlogEngine.NET 3.3.7.0 and earlier. The issue enables Directory Traversal and Remote Code Execution via the theme cookie to the File Manager, stemming from an incomplete fix for CVE-2019-6714. Related CVE-2019-10719 describes a similar condition where file creation mishandl...
CVE-2019-10720
BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution via the theme cookie to the File Manager. NOTE: this issue exists because of an incomplete fix for CVE-2019-6714...
CVE-2019-10719
BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution because file creation is mishandled, related to /api/upload and BlogEngine.NET/AppCode/Api/UploadController.cs. NOTE: this issue exists because of an incomplete fix for CVE-2019-6714...
CVE-2019-10719
CVE-2019-10719 (and related CVE-2019-10720) affect BlogEngine.NET 3.3.7.0 and earlier. The vulnerability arises from Directory Traversal and Remote Code Execution due to mishandling of file creation in /api/upload (UploadController.cs) and related paths, noted as stemming from an incomplete fix f...
PT-2019-12278 · Microsoft · Blogengine.Net
Name of the Vulnerable Software and Affected Versions: BlogEngine.NET versions 3.3.7 and earlier. Description: The issue allows for an out-of-band XML External Entity (XXE) attack via an apml file to the "syndication.axd" API endpoint. This can potentially lead to unauthorized access to sensitive...
CVE-2019-10719
BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution because file creation is mishandled, related to /api/upload and BlogEngine.NET/AppCode/Api/UploadController.cs. NOTE: this issue exists because of an incomplete fix for CVE-2019-6714. Recent assessments: Leafr...
BlogEngine.NET 3.3.6/3.3.7 - XML External Entity Injection
BlogEngine.NET 3.3.6/3.3.7 - XML External Entity Injection Exploit Title: Out-of-band XML External Entity Injection on BlogEngine.NET Date: 19 June 2019 Exploit Author: Aaron Bishop Vendor Homepage: https://blogengine.io/ Version: v3.3.7 Tested on: 3.3.7, 3.3.6 CVE : 2019-10718 1. Description...
BlogEngine.NET 3.3.6/3.3.7 - XML External Entity Injection Exploit
Exploit for asp platform in category web applications Exploit Title: Out-of-band XML External Entity Injection on BlogEngine.NET Exploit Author: Aaron Bishop Vendor Homepage: https://blogengine.io/ Version: v3.3.7 Tested on: 3.3.7, 3.3.6 CVE : 2019-10718 1. Description ============== BlogEngine.N...
BlogEngine.NET 3.3.6/3.3.7 - XML External Entity Injection
Exploit Title: Out-of-band XML External Entity Injection on BlogEngine.NET Date: 19 June 2019 Exploit Author: Aaron Bishop Vendor Homepage: https://blogengine.io/ Version: v3.3.7 Tested on: 3.3.7, 3.3.6 CVE : 2019-10718 1. Description ============== BlogEngine.NET is vulnerable to an Out-of-Band...
BlogEngine.NET 3.3.6 / 3.3.7 dirPath Directory Traversal / Remote Code Execution
Exploit Title: Directory Traversal + RCE on BlogEngine.NET Date: 17 Jun 2019 Exploit Author: Aaron Bishop Vendor Homepage: https://blogengine.io/ Version: v3.3.7 Tested on: 3.3.7, 3.3.6 CVE : 2019-10719 1. Description ============== BlogEngine.NET is vulnerable to a Directory Traversal on...
BlogEngine.NET 3.3.6/3.3.7 - 'theme Cookie' Directory Traversal / Remote Code Execution
Exploit Title: Directory Traversal + RCE on BlogEngine.NET Date: 17 Jun 2019 Exploit Author: Aaron Bishop Vendor Homepage: https://blogengine.io/ Version: v3.3.7 Tested on: 3.3.7, 3.3.6 CVE : 2019-10720 1. Description ============== BlogEngine.NET is vulnerable to a Directory Traversal through th...