CVE-2019-9845

Name of the Vulnerable Software and Affected Versions Miniblog.Core versions prior to 2019-01-16

Description The issue allows remote attackers to execute arbitrary ASPX code via an IMG element with a data: URL. This is because the SaveFilesToDisk function in Controllers/BlogController.cs writes a decoded base64 string to a file without validating the extension.

Recommendations For versions prior to 2019-01-16, as a temporary workaround, consider disabling the SaveFilesToDisk function in Controllers/BlogController.cs until a patch is available. Restrict access to the BlogController.cs module to minimize the risk of exploitation. Avoid using the data: URL scheme in IMG elements until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.