Exploit for BlogEngine.NET 3.3.7.0 - Local File Inclusion (CVE-2019-10717)

Description:

BlogEngine.NET 3.3.7.0 allows local file inclusion through the path parameter of /api/filemanager.

Nuclei Template

View the template here: CVE-2019-10717.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2019/CVE-2019-10717.yaml

References:

https://github.com/rxtur/BlogEngine.NET/commits/master
https://www.securitymetrics.com/blog/Blogenginenet-Directory-Traversal-Listing-Login-Page-Unvalidated-Redirect
https://github.com/ARPSyndicate/kenzer-templates
http://seclists.org/fulldisclosure/2019/Jun/44
https://nvd.nist.gov/vuln/detail/CVE-2019-10717