cbcvebase.
CVE-2019-10720
published 2019-06-21

CVE-2019-10720: BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution via the theme cookie to the File Manager. NOTE: this issue exists…

PriorityP262high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EXPLOIT
EPSS
7.13%
93.5th percentile
BlogEngine.NET 3.3.7.0 and earlier allows Directory Traversal and Remote Code Execution via the theme cookie to the File Manager. NOTE: this issue exists because of an incomplete fix for CVE-2019-6714.

Affected

1 ranges
VendorProductVersion rangeFixed in
blogengineblogengine.net<= 3.3.7.0

Detection & IOCsextracted from sources · hover to see the quote

cookietheme=../../App_Data/files/{YYYY/MM/}
url/api/upload?action=filemgr
url/api/filemanager
filenamePostView.ascx
path../../App_Data/files/
  • Detect directory traversal exploitation via the 'theme' cookie containing path traversal sequences (e.g., '../../App_Data/files/') on any page request — authentication is NOT required to trigger RCE.
  • Alert on HTTP POST requests to '/api/upload?action=filemgr' uploading a file named 'PostView.ascx', which is the malicious web shell payload used for RCE.
  • Monitor for multipart/form-data uploads with a filename of 'PostView.ascx' to the BlogEngine.NET file manager endpoint.
  • Inspect HTTP requests where the 'theme' cookie value contains '../' sequences, indicating attempted directory traversal to reach uploaded files under App_Data.
  • ·This CVE is an incomplete fix for CVE-2019-6714; both vulnerabilities share the same theme-cookie traversal vector. Detection rules should cover both CVEs.
  • ·The exploit hardcodes a proxy at 127.0.0.1:8080 for all requests; in a real attack this proxy may not be present — do not rely on proxy-based detection alone.
  • ·The traversal path in the theme cookie is date-dependent (YYYY/MM/), so the exact cookie value will vary by upload date. Detection should use a pattern match rather than a static string.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.