CVE-2019-9845: Improper Input Validation

April 16, 2019 (updated April 17, 2019)

madskristensen Miniblog.Core allows remote attackers to execute arbitrary ASPX code via an IMG element with a data: URL, because SaveFilesToDisk in Controllers/BlogController.cs writes a decoded base64 string to a file without validating the extension.

References

github.com/madskristensen/Miniblog.Core/blob/master/src/Controllers/BlogController.cs
nvd.nist.gov/vuln/detail/CVE-2019-9845
rastating.github.io/miniblog-remote-code-execution/

Detect and mitigate CVE-2019-9845 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →