CVE-2019-10720
Published 2019-06-21
Priority: P2 (62) · Severity: high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT: public exploit available (see references)
EPSS: 7.13% (93.5th percentile)
BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution via the theme cookie to the File Manager. NOTE: this issue exists because of an incomplete fix for CVE-2019-6714.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| blogengine | blogengine.net | <= 3.3.7.0 | — |
Detection & IOCs (extracted from sources)
- Detect directory traversal via the 'theme' cookie: a value containing path traversal sequences (e.g. '../../App_Data/files/') on any page request. The triggering request itself needs no session; only the earlier upload of the payload through the File Manager requires an account, which is why the CVSS vector carries PR:L.
- Alert on HTTP POST requests to '/api/upload?action=filemgr' that upload a file named 'PostView.ascx'; this is the web-shell payload used for RCE in the public exploit.
- Monitor multipart/form-data uploads to the BlogEngine.NET file manager endpoint for a filename of 'PostView.ascx'.
- Inspect HTTP requests whose 'theme' cookie value contains '../' sequences, indicating an attempt to traverse to uploaded files under App_Data. Decode percent-encoding and treat backslashes as separators before matching, or an encoded variant will slip past the rule.
- This CVE is an incomplete fix for CVE-2019-6714; both vulnerabilities share the same theme-cookie traversal vector, so detection rules should cover both CVEs.
- The public exploit hardcodes a proxy at 127.0.0.1:8080 for all requests. A real attacker will not route through that proxy, so do not rely on proxy-based detection.
- The traversal path in the theme cookie is date-dependent (YYYY/MM/ under App_Data/files), so the exact cookie value varies with the upload date. Detection should use a pattern match rather than a static string.
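As an added example (editor's code, not taken from the page's sources or from the BlogEngine.NET project), the following Python applies the indicators above to a few constructed request records: a traversal theme cookie, the same cookie percent-encoded with backslashes, a File Manager upload of PostView.ascx, and a benign request. The request shape (method, path, headers, raw body) is a hypothetical stand-in for whatever your proxy or WAF emits, the sample requests are constructed rather than captured traffic, and flagging any server-executable ASP.NET extension besides PostView.ascx is the editor's generalization of the IOC.

```python
import re
from urllib.parse import unquote

# Constructed sample requests (not captured traffic). Each dict is a hypothetical
# normalized record of the kind a proxy or WAF would hand to a rule engine.
SAMPLE_REQUESTS = [
    {   # traversal via the theme cookie on an ordinary, unauthenticated page request
        "method": "GET", "path": "/",
        "headers": {"Cookie": "theme=../../App_Data/files/2019/06/"},
        "body": b"",
    },
    {   # same trick, URL-encoded with backslashes, which a naive '../' match would miss
        "method": "GET", "path": "/post/hello-world",
        "headers": {"Cookie": "lang=en; theme=..%5C..%5CApp_Data%5Cfiles%5C2019%5C07"},
        "body": b"",
    },
    {   # web-shell upload through the File Manager API (this step needs a logged-in account)
        "method": "POST", "path": "/api/upload?action=filemgr",
        "headers": {"Cookie": "auth=sessiontoken",
                    "Content-Type": "multipart/form-data; boundary=----x"},
        "body": (b'------x\r\n'
                 b'Content-Disposition: form-data; name="file"; filename="PostView.ascx"\r\n'
                 b'Content-Type: application/octet-stream\r\n\r\n'
                 b'<%@ Control Language="C#" %>\r\n'
                 b'------x--\r\n'),
    },
    {   # benign: the cookie names a real theme
        "method": "GET", "path": "/",
        "headers": {"Cookie": "theme=Standard"},
        "body": b"",
    },
]

# '..' as a whole path segment, evaluated after separators are normalized
TRAVERSAL = re.compile(r"(?:^|/)\.\.(?:/|$)")
# the upload directory, with the optional date-dependent YYYY/MM tail noted in the IOCs
APP_DATA_FILES = re.compile(r"app_data/files(?:/\d{4}/\d{2})?", re.IGNORECASE)
# filename= parameter of a multipart Content-Disposition header
FILENAME_PARAM = re.compile(rb'filename="([^"]*)"', re.IGNORECASE)
# server-executable ASP.NET extensions (editor's generalization beyond PostView.ascx)
EXECUTABLE_EXTS = (".ascx", ".aspx", ".ashx", ".asmx")


def parse_cookies(header):
    """Split a Cookie header into a name -> raw value dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def normalize_path(value):
    """Percent-decode twice (catches %252e double-encoding) and unify separators."""
    return unquote(unquote(value)).replace("\\", "/")


def check_request(req):
    """Return the list of rule names the request triggers (empty if none)."""
    hits = []
    cookies = parse_cookies(req["headers"].get("Cookie", ""))
    if "theme" in cookies:
        theme = normalize_path(cookies["theme"])
        if TRAVERSAL.search(theme):
            hits.append("theme-cookie-traversal")
        if APP_DATA_FILES.search(theme):
            hits.append("theme-cookie-points-at-app_data-files")

    path, _, query = req["path"].partition("?")
    if (req["method"].upper() == "POST"
            and path.lower() == "/api/upload"
            and "action=filemgr" in query.lower()
            and req["headers"].get("Content-Type", "").lower().startswith("multipart/form-data")):
        for m in FILENAME_PARAM.finditer(req["body"]):
            name = m.group(1).decode("latin-1")
            if name.lower() == "postview.ascx":
                hits.append("filemgr-upload-postview-ascx")
            elif name.lower().endswith(EXECUTABLE_EXTS):
                hits.append("filemgr-upload-server-executable")
    return hits


def scan(requests):
    """Evaluate every request and return (index, hits) pairs for those that matched."""
    return [(i, h) for i, r in enumerate(requests) if (h := check_request(r))]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_REQUESTS):
        print(f"request {idx}: {', '.join(hits)}")
```

The cookie rule deliberately matches on the decoded, separator-normalized value and on the App_Data/files directory with an optional YYYY/MM suffix, so it catches both the plain and the encoded variant without hard-coding an upload date. The upload rule keys on the endpoint, the action parameter and the multipart filename rather than on the session cookie, since the session itself looks legitimate.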
CVSS provenance
NVD v3.1: 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 6.5 MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/153348/BlogEngine.NET-3.3.6-3.3.7-Theme-Cookie-Directory-Traversal-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2019/Jun/26
- https://www.securitymetrics.com/blog/BlogEngineNET-Directory-Traversal-Remote-Code-Execution-CVE-2019-10719-CVE-2019-10720