BlogEngine.NET, versions 3.3.7 and earlier, is vulnerable to two separate Directory Traversal issues that can lead to Remote Code Execution.

Updated BlogEngine today because of a remote code execution (RCE) vulnerability, CVE-2019-10719, in versions 3.3.7 and earlier. Good thing I am subscribed to the Full Disclosure mailing list (I highly recommend it); otherwise I wouldn't have known about it. Good luck to the other BlogEngine users out there. I was unable to find any mailing list that would have sent a notification of this.

 

You will have to download the latest release from the GitHub repository directly. Last time I checked, the website link wasn't updated with the latest version.

Security Metrics has a good article about it here.
