MidnightBSD

Advisories for dotnetblogengine

CVE-2013-6953 MEDIUM

BlogEngine.NET 2.8.0.0 and earlier allows remote attackers to read usernames and password hashes via a request for the sioc.axd file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200

Products Affected

Vendor            Product         Version
dotnetblogengine  blogengine.net  1.6
dotnetblogengine  blogengine.net  2.0
dotnetblogengine  blogengine.net  1.4.5
dotnetblogengine  blogengine.net  *
dotnetblogengine  blogengine.net  2.6
dotnetblogengine  blogengine.net  2.7
dotnetblogengine  blogengine.net  1.5
dotnetblogengine  blogengine.net  2.5

CVE-2019-10717 MEDIUM

BlogEngine.NET 3.3.7.0 allows /api/filemanager Directory Traversal via the path parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22

Products Affected

Vendor            Product         Version
dotnetblogengine  blogengine.net  3.3.7.0

CVE-2019-10718 MEDIUM

BlogEngine.NET 3.3.7.0 and earlier allows XML External Entity Blind Injection, related to pingback.axd and BlogEngine.Core/Web/HttpHandlers/PingbackHandler.cs.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611

Products Affected

Vendor            Product         Version
dotnetblogengine  blogengine.net  *

CVE-2019-10719 MEDIUM

BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution because file creation is mishandled, related to /api/upload and BlogEngine.NET/AppCode/Api/UploadController.cs. NOTE: this issue exists because of an incomplete fix for CVE-2019-6714.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22

Products Affected

Vendor            Product         Version
dotnetblogengine  blogengine.net  *

CVE-2019-10721 MEDIUM

BlogEngine.NET 3.3.7.0 allows a Client Side URL Redirect via the ReturnUrl parameter, related to BlogEngine/BlogEngine.Core/Services/Security/Security.cs, login.aspx, and register.aspx.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601

Products Affected

Vendor            Product         Version
dotnetblogengine  blogengine.net  3.3.7.0

CVE-2019-11392 MEDIUM

BlogEngine.NET 3.3.7 and earlier allows XXE via an apml file to syndication.axd.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611

Products Affected

Vendor            Product         Version
dotnetblogengine  blogengine.net  *