PT-2019-12008 · Microsoft · Blogengine.Net
Aaron Bishop
·
Published
2019-06-21
·
Updated
2019-06-23
·
CVE-2019-10718
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
BlogEngine.NET versions 3.3.7.0 and earlier
Description
The issue is related to XML External Entity Blind Injection. It is associated with the
pingback.axd endpoint and the BlogEngine.Core/Web/HttpHandlers/PingbackHandler.cs file.Recommendations
For BlogEngine.NET versions 3.3.7.0 and earlier, consider disabling the
pingback.axd endpoint until a patch is available. Restrict access to the BlogEngine.Core/Web/HttpHandlers/PingbackHandler.cs file to minimize the risk of exploitation.Exploit
Fix
XXE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Blogengine.Net