Technical writeup of vulnerabilities identified within BlogEngine .NET.
An Out-of-Band XML External Entity (XXE) injection vulnerability and a Cross-Site Request Forgery (CSRF) vulnerability were discovered in BlogEngine .NET.
Finding vulnerabilities in modern applications is getting harder and harder as security is slowly being brought to the forefront of conversation. Unfortunately, reporting the vulnerabilities that are found to the appropriate personnel can sometimes be even more challenging.
An unauthenticated arbitrary file deletion vulnerability was discovered in BlogEngine .NET. By performing a directory traversal attack outside the intended folder structure, a remote, unauthenticated attacker could delete critical files required by the application.