Technical writeup of vulnerabilities identified within BlogEngine .NET.
Advisory: BlogEngine .Net - XML External Entity Injection & Cross-Site Request Forgery (CVE-2022-28921)
Out-of-Band XML External Entity (XXE) injection and Cross-Site Request Forgery (CSRF) vulnerabilities were discovered in BlogEngine .Net.
RFC 9116 - Security.txt
Finding vulnerabilities in modern applications is getting harder and harder as security is slowly being brought to the forefront of conversation. Unfortunately, reporting the vulnerabilities that are found to the appropriate personnel can sometimes be even more challenging.
Advisory: BlogEngine .Net - Unauthenticated Arbitrary File Deletion (CVE-2022-25591)
An unauthenticated arbitrary file deletion vulnerability was discovered in BlogEngine .NET. By performing a directory traversal attack out of the intended folder structure, a remote, unauthenticated attacker could delete critical files required by the application.