PT-2019-12278 · Microsoft · Blogengine.Net
Published
2019-06-21
·
Updated
2024-12-25
·
CVE-2019-11392
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
BlogEngine.NET versions 3.3.7 and earlier
Description
The issue allows for an out-of-band XML External Entity (XXE) attack via an apml file to the "syndication.axd" API endpoint. This can potentially lead to unauthorized access to sensitive data.
Recommendations
For BlogEngine.NET versions 3.3.7 and earlier, consider disabling the syndication.axd endpoint until a patch is available to prevent XXE attacks. Restrict access to apml files to minimize the risk of exploitation.
Exploit
Fix
XXE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Blogengine.Net