CVE-2019-6714

Name of the Vulnerable Software and Affected Versions BlogEngine.NET versions through 3.3.6.0

Description A path traversal and Local File Inclusion issue in PostList.ascx.cs allows unauthenticated users to load a PostView.ascx component from potentially untrusted locations on the local filesystem. This can lead to remote code execution if an authenticated user uploads a PostView.ascx file using the file manager utility.

Recommendations For BlogEngine.NET versions through 3.3.6.0, restrict access to the file manager utility to prevent authenticated users from uploading potentially malicious PostView.ascx files. As a temporary workaround, consider disabling the PostList.ascx.cs component until a patch is available.