← back
CVE-2019-6714

CVE-2019-6714

EPSS 31.7%
An issue was discovered in BlogEngine.NET through 3.3.6.0. A path traversal and Local File Inclusion vulnerability in PostList.ascx.cs can cause unauthenticated users to load a PostView.ascx component from a potentially untrusted location on the local filesystem. This is especially dangerous if an authenticated user uploads a PostView.ascx file using the file manager utility, which is currently allowed. This results in remote code execution for an authenticated user.
Affected products
n/a · n/a
public PoCs found3
cve_referencepacketstormsecurity.com/files/151628/BlogEngine.NET-3.3.6-Directory-Traversal-Remote-Code-Execution.htmlunverifiedexploitdbwww.exploit-db.com/exploits/46353unverifiedcve_referencewww.exploit-db.com/exploits/46353/unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/151628/BlogEngine.NET-3.3.6-Directory-Traversal-Remote-Code-Execution.htmlhttps://blogengine.io/http://seclists.org/fulldisclosure/2019/Jun/26https://github.com/rxtur/BlogEngine.NET/https://www.exploit-db.com/exploits/46353/