Skip to main content

Blogengine Net CVE-2019-10719

HIGH
Path Traversal (CWE-22)
2019-06-21 cve@mitre.org
8.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jun 21, 2019 - 19:15 nvd
HIGH 8.8

DescriptionNVD

BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution because file creation is mishandled, related to /api/upload and BlogEngine.NET/AppCode/Api/UploadController.cs. NOTE: this issue exists because of an incomplete fix for CVE-2019-6714.

AnalysisAI

BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution because file creation is mishandled, related to /api/upload and BlogEngine.NET/AppCode/Api/UploadController.cs. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution because file creation is mishandled, related to /api/upload and BlogEngine.NET/AppCode/Api/UploadController.cs. NOTE: this issue exists because of an incomplete fix for CVE-2019-6714. Affected products include: Dotnetblogengine Blogengine.Net.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.

CVE-2023-33404 CRITICAL POC
9.8 Jun 26

An Unrestricted Upload vulnerability, due to insufficient validation on UploadControlled.cs file, in BlogEngine.Net vers

CVE-2019-6714 CRITICAL POC
9.8 Mar 21

An issue was discovered in BlogEngine.NET through 3.3.6.0. Rated critical severity (CVSS 9.8), this vulnerability is rem

CVE-2022-25591 CRITICAL POC
9.1 May 13

BlogEngine.NET v3.3.8.0 was discovered to contain an arbitrary file deletion vulnerability which allows attackers to del

CVE-2019-10720 HIGH POC
8.8 Jun 21

BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution via the theme cookie to the File

CVE-2019-11392 HIGH POC
7.5 Jun 21

BlogEngine.NET 3.3.7 and earlier allows XXE via an apml file to syndication.axd. Rated high severity (CVSS 7.5), this vu

CVE-2019-10718 HIGH POC
7.5 Jun 21

BlogEngine.NET 3.3.7.0 and earlier allows XML External Entity Blind Injection, related to pingback.axd and BlogEngine.Co

CVE-2019-10717 HIGH POC
7.1 Jul 03

BlogEngine.NET 3.3.7.0 allows /api/filemanager Directory Traversal via the path parameter. Rated high severity (CVSS 7.1

CVE-2022-28921 MEDIUM POC
6.5 May 18

A Cross-Site Request Forgery (CSRF) vulnerability discovered in BlogEngine.Net v3.3.8.0 allows unauthenticated attackers

CVE-2023-33405 MEDIUM POC
6.1 Jun 21

Blogengine.net 3.3.8.0 and earlier is vulnerable to Open Redirect. Rated medium severity (CVSS 6.1), this vulnerability

CVE-2019-10721 MEDIUM POC
6.1 Jul 03

BlogEngine.NET 3.3.7.0 allows a Client Side URL Redirect via the ReturnUrl parameter, related to BlogEngine/BlogEngine.C

CVE-2022-36600 MEDIUM POC
4.8 Sep 02

BlogEngine v3.3.8.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /blogengine/ap

CVE-2022-41418 HIGH
7.2 Dec 19

An issue in the component BlogEngine/BlogEngine.NET/AppCode/Api/UploadController.cs of BlogEngine.NET v3.3.8.0 allows at

Share

CVE-2019-10719 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy