CVE-2019-12277: Blogifier does not properly restrict APIs
Blogifier 2.3 before 2019-05-11 does not properly restrict APIs, as demonstrated by missing checks for ".." in a pathname.
The issue is patched in the 2.4 branch, but 2.5.5 is the lowest available patched version on https://www.nuget.org/packages/Blogifier.Core.
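The version guidance above can be turned into a project check. The following Python is an added example, not part of the advisory or of Blogifier's code: it reports every Blogifier.Core PackageReference in a .csproj whose version is below 2.5.5. The function names and the sample project file are constructed for illustration, and any reference without a plain version number (floating, range, prerelease, or centrally managed) is marked for manual review rather than guessed.

```python
import re
import xml.etree.ElementTree as ET

PACKAGE = "Blogifier.Core"
FIRST_PATCHED = (2, 5, 5)  # lowest patched NuGet version named in the advisory

# Constructed sample project file, not taken from any real repository.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Blogifier.Core" Version="2.3.0" />
    <PackageReference Include="Newtonsoft.Json" Version="12.0.2" />
  </ItemGroup>
</Project>"""


def parse_version(text):
    """Return (major, minor, patch) for a plain version such as 2.3 or 2.5.5.0.
    Floating versions (2.*), ranges ([2.3,)) and prereleases return None."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None


def local_name(elem):
    """Tag name without the XML namespace used by old-style project files."""
    return elem.tag.rsplit("}", 1)[-1]


def check_csproj(xml_text):
    """Return [(version_string, verdict)] for each Blogifier.Core reference.
    verdict is 'vulnerable', 'patched' or 'review'."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if local_name(elem) != "PackageReference":
            continue
        # NuGet package IDs are case-insensitive.
        if (elem.get("Include") or "").lower() != PACKAGE.lower():
            continue
        # Version may be an attribute or a <Version> child element.
        raw = elem.get("Version")
        if raw is None:
            child = next((c for c in elem if local_name(c) == "Version"), None)
            raw = child.text if child is not None else None
        ver = parse_version(raw) if raw else None
        if ver is None:
            verdict = "review"
        else:
            verdict = "vulnerable" if ver < FIRST_PATCHED else "patched"
        findings.append((raw, verdict))
    return findings
```
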