CVE-2019-10719
published 2019-06-21


Priority P263 · high · 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 7.60% (93.8th percentile)
BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution because file creation is mishandled, related to /api/upload and BlogEngine.NET/AppCode/Api/UploadController.cs. NOTE: this issue exists because of an incomplete fix for CVE-2019-6714.

Affected

1 range
Vendor: dotnetblogengine
Product: blogengine.net
Version range: <= 3.3.7.0
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

url: /api/upload?action=filemgr&dirPath=%2f..%2f..%2fCustom%2fThemes%2fRCE_Test
url: /api/upload?action=filemgr&dirPath=~/App_Data/files/../../Custom/Themes/
url: /api/upload?action=filemgr
path: /App_Data/files/
cookie: theme=../../App_Data/files/
  • Detect POST requests to /api/upload containing 'dirPath' parameter with path traversal sequences (%2f..%2f or ../), especially targeting /Custom/Themes/ directory
  • Detect upload of a file named 'PostView.ascx' to /api/upload endpoint, which is the malicious web shell payload used for RCE
  • Detect HTTP requests containing a 'theme' cookie value with directory traversal sequences (e.g., ../../App_Data/files/) — authentication is not required to trigger RCE via this vector
  • Detect GET requests to /?theme=<directory_name> which trigger execution of the uploaded PostView.ascx shell from the Custom/Themes directory
  • Monitor for outbound TCP connections from the BlogEngine.NET web process (w3wp.exe) spawning cmd.exe, indicative of the reverse shell payload executing
  • CVE-2019-10719 is an incomplete fix for CVE-2019-6714; both vulnerabilities share the same /api/upload endpoint and PostView.ascx payload. Detections for CVE-2019-6714 may not fully cover this variant.
  • The exploit script routes traffic through a local proxy at 127.0.0.1:8080, which may cause network-level detections to miss the attack if only inspecting direct connections.
  • The theme-cookie RCE trigger (CVE-2019-10720 variant in DOC 3) requires no authentication, meaning the upload and trigger steps can be decoupled — an attacker may upload via an authenticated session and trigger via an unauthenticated request.
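
The request-level detections listed above can be expressed as one check over parsed web-server log fields. The following is an added example, not part of the CVE record or of BlogEngine.NET: the function names, rule names and sample requests are constructed for illustration, and it assumes the method, URL and Cookie header are available per request.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# A ".." path segment delimited by "/" or "\" (or the string boundary).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def has_traversal(value, rounds=3):
    # Decode repeatedly so %252f..%252f is caught as well as %2f..%2f.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return bool(TRAVERSAL.search(value))

def check_request(method, url, cookie_header=""):
    """Return the names of the rules (hypothetical names) a request matches."""
    hits = []
    parts = urlsplit(url)
    # ASP.NET treats query keys case-insensitively, so normalise them.
    query = {k.lower(): v for k, v in parse_qs(parts.query).items()}
    method = method.upper()
    if method == "POST" and parts.path.lower().rstrip("/").endswith("/api/upload"):
        if any(has_traversal(v) for v in query.get("dirpath", [])):
            hits.append("upload-dirpath-traversal")
    for pair in cookie_header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name.lower() == "theme" and has_traversal(value):
            hits.append("theme-cookie-traversal")
    if method == "GET" and "theme" in query:
        hits.append("theme-query-override")  # low confidence on its own
    return hits

# Constructed sample requests: (method, URL, Cookie header).
SAMPLES = [
    ("POST", "/api/upload?action=filemgr&dirPath=%2f..%2f..%2fCustom%2fThemes%2fRCE_Test", ""),
    ("POST", "/api/upload?action=filemgr&dirPath=%2fimages", ""),
    ("GET", "/", "theme=../../App_Data/files/"),
    ("GET", "/?theme=RCE_Test", ""),
    ("GET", "/post/hello", "theme=Standard"),
]

def scan(samples):
    return [(m, u, check_request(m, u, c)) for m, u, c in samples]

if __name__ == "__main__":
    for method, url, hits in scan(SAMPLES):
        print(method, url, hits or "-")
```

The theme-query rule fires on any GET carrying a theme parameter, so it is best used to correlate with an earlier upload hit rather than alerted on alone.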

CVSS provenance

nvd · v3.0 · 8.8 · HIGH · CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 6.5 · MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P