BlogEngine 3.3 XML External Entity Injection

Summary

BlogEngine.NET is a free and open source blog system. Since 2008, the blog has produced a Chinese localization based on BlogEngine.NET and has worked to promote and apply it in China.

BlogEngine 3.3 has an XML external entity (XXE) injection vulnerability. An attacker can exploit this vulnerability to carry out an attack.

Solution

The vendor has issued an upgrade patch that fixes the vulnerability. The patch is available at https://blogengine.io/