Skip to main content

Blogengine Net CVE-2023-33404

CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2023-06-26 cve@mitre.org
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jun 26, 2023 - 20:15 nvd
CRITICAL 9.8

DescriptionNVD

An Unrestricted Upload vulnerability, due to insufficient validation on UploadControlled.cs file, in BlogEngine.Net version 3.3.8.0 and earlier allows remote attackers to execute remote code.

AnalysisAI

An Unrestricted Upload vulnerability, due to insufficient validation on UploadControlled.cs file, in BlogEngine.Net version 3.3.8.0 and earlier allows remote attackers to execute remote code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Unrestricted File Upload (CWE-434), which allows attackers to upload malicious files that can be executed on the server. An Unrestricted Upload vulnerability, due to insufficient validation on UploadControlled.cs file, in BlogEngine.Net version 3.3.8.0 and earlier allows remote attackers to execute remote code. Affected products include: Blogengine Blogengine.Net. Version information: version 3.3.8.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate file types server-side, store uploads outside webroot, use random filenames, scan for malware.

CVE-2019-6714 CRITICAL POC
9.8 Mar 21

An issue was discovered in BlogEngine.NET through 3.3.6.0. Rated critical severity (CVSS 9.8), this vulnerability is rem

CVE-2022-25591 CRITICAL POC
9.1 May 13

BlogEngine.NET v3.3.8.0 was discovered to contain an arbitrary file deletion vulnerability which allows attackers to del

CVE-2019-10720 HIGH POC
8.8 Jun 21

BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution via the theme cookie to the File

CVE-2019-10719 HIGH POC
8.8 Jun 21

BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution because file creation is mishand

CVE-2019-11392 HIGH POC
7.5 Jun 21

BlogEngine.NET 3.3.7 and earlier allows XXE via an apml file to syndication.axd. Rated high severity (CVSS 7.5), this vu

CVE-2019-10718 HIGH POC
7.5 Jun 21

BlogEngine.NET 3.3.7.0 and earlier allows XML External Entity Blind Injection, related to pingback.axd and BlogEngine.Co

CVE-2019-10717 HIGH POC
7.1 Jul 03

BlogEngine.NET 3.3.7.0 allows /api/filemanager Directory Traversal via the path parameter. Rated high severity (CVSS 7.1

CVE-2022-28921 MEDIUM POC
6.5 May 18

A Cross-Site Request Forgery (CSRF) vulnerability discovered in BlogEngine.Net v3.3.8.0 allows unauthenticated attackers

CVE-2023-33405 MEDIUM POC
6.1 Jun 21

Blogengine.net 3.3.8.0 and earlier is vulnerable to Open Redirect. Rated medium severity (CVSS 6.1), this vulnerability

CVE-2019-10721 MEDIUM POC
6.1 Jul 03

BlogEngine.NET 3.3.7.0 allows a Client Side URL Redirect via the ReturnUrl parameter, related to BlogEngine/BlogEngine.C

CVE-2022-36600 MEDIUM POC
4.8 Sep 02

BlogEngine v3.3.8.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /blogengine/ap

CVE-2022-41418 HIGH
7.2 Dec 19

An issue in the component BlogEngine/BlogEngine.NET/AppCode/Api/UploadController.cs of BlogEngine.NET v3.3.8.0 allows at

Share

CVE-2023-33404 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy