CVE-2019-9845
Description
madskristensen Miniblog.Core through 2019-01-16 allows remote attackers to execute arbitrary ASPX code via an IMG element with a data: URL, because SaveFilesToDisk in Controllers/BlogController.cs writes a decoded base64 string to a file without validating the extension.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| MadsKristensen.AspNetCore.Miniblog (NuGet) | <= 1.0.3 | — |
Affected products
- Range: <= 1.0.3
Patches
Vulnerability mechanics
Root cause
"Missing file extension validation in SaveFilesToDisk allows an attacker to upload arbitrary ASPX files via a crafted data URL."
Attack vector
An authenticated attacker with the ability to create or edit blog posts crafts an `
Affected code
The vulnerable method is `SaveFilesToDisk` in `Controllers/BlogController.cs` [ref_id=3]. The code extracts a MIME type and the base64 payload from the `data:` URL with regular expressions, then uses the MIME subtype (the part after the slash) directly as the file extension without checking that it is a safe image extension such as `.gif` or `.jpeg` [ref_id=1]. In Miniblog.Core the attacker can also choose the file name outright via a `data-filename` attribute on the `img` element, so both the name and the extension of the written file are under post-author control [ref_id=1].
What the fix does
The bundle does not include a patch diff. The researcher's disclosure timeline states that a patch was published to GitHub on 2019-03-16 for both MiniBlog and Miniblog.Core [ref_id=1]. The advisory recommends validating the file extension derived from the MIME type (or from the `data-filename` attribute) against a whitelist of safe image extensions before writing the decoded base64 content to disk, preventing upload of `.aspx` or other executable extensions [ref_id=1].
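The following is an added example, not Miniblog.Core's own code and not the published patch. It mirrors the mechanic described under "Affected code" (extension taken from the MIME subtype of a `data:` URL, file name taken from a `data-filename` attribute) and puts the allowlist check described above in front of the disk write. The regex shapes, the method names `UncheckedFileName` and `TryGetSafeUpload`, and the sample post content are this example's own assumptions; the base64 body in the crafted `img` is the word "placeholder", not ASPX code.

```csharp
// Added example (not the project's code). Console app: dotnet new console, paste, dotnet run.
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;
using System.Xml;

public static class ImageUploadCheck
{
    // Matches self-closing img elements in post HTML (assumed shape).
    private static readonly Regex ImgRegex = new Regex(@"<img[^>]+/>", RegexOptions.IgnoreCase);

    // Captures the MIME subtype as "ext" and the payload as "base64" (assumed shape,
    // consistent with the advisory's description of the vulnerable parsing).
    private static readonly Regex Base64Regex =
        new Regex(@"data:[^/]+/(?<ext>[a-z]+);base64,(?<base64>.+)", RegexOptions.IgnoreCase);

    // Only these extensions are ever written under the web root.
    private static readonly HashSet<string> AllowedExtensions =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "gif", "jpeg", "jpg", "png", "webp" };

    // Vulnerable pattern: the data-filename value, or failing that the MIME subtype,
    // becomes the on-disk name with no check at all. "shell.aspx" passes straight through.
    public static string UncheckedFileName(string dataUrl, string dataFilename)
    {
        var m = Base64Regex.Match(dataUrl);
        if (!m.Success) throw new ArgumentException("not a base64 data URL");
        return string.IsNullOrEmpty(dataFilename)
            ? Guid.NewGuid().ToString("N") + "." + m.Groups["ext"].Value
            : dataFilename;
    }

    // Hardened pattern: reject anything whose subtype is not an allowlisted image
    // extension, and never let data-filename contribute a directory or an extension.
    public static bool TryGetSafeUpload(string dataUrl, string dataFilename,
                                        out string fileName, out byte[] bytes)
    {
        fileName = null;
        bytes = null;

        var m = Base64Regex.Match(dataUrl);
        if (!m.Success) return false;

        var ext = m.Groups["ext"].Value.ToLowerInvariant();
        if (!AllowedExtensions.Contains(ext)) return false;   // aspx, ashx, cshtml, ... stop here

        // Keep only a sanitized base name from the author's request; the extension comes
        // from the allowlisted subtype, never from data-filename.
        var baseName = Regex.Replace(
            Path.GetFileNameWithoutExtension(dataFilename ?? string.Empty), @"[^A-Za-z0-9_-]", "");
        if (baseName.Length == 0) baseName = Guid.NewGuid().ToString("N");

        try { bytes = Convert.FromBase64String(m.Groups["base64"].Value); }
        catch (FormatException) { return false; }

        fileName = baseName + "." + ext;
        return true;
    }

    public static void Main()
    {
        // Constructed sample content: one legitimate PNG (just the 8-byte PNG signature)
        // and one data: URL whose subtype is "aspx" and whose body decodes to "placeholder".
        const string post =
            "<p>hello</p>" +
            "<img src=\"data:image/png;base64,iVBORw0KGgo=\" data-filename=\"photo.png\" />" +
            "<img src=\"data:application/aspx;base64,cGxhY2Vob2xkZXI=\" data-filename=\"shell.aspx\" />";

        foreach (Match match in ImgRegex.Matches(post))
        {
            // Same approach as the advisory describes: load the element as XML to read attributes.
            var doc = new XmlDocument();
            doc.LoadXml("<root>" + match.Value + "</root>");
            var img = doc.DocumentElement.FirstChild;
            var src = img.Attributes["src"]?.Value;
            var requested = img.Attributes["data-filename"]?.Value;
            if (src == null) continue;

            Console.WriteLine($"unchecked name : {UncheckedFileName(src, requested)}");
            if (TryGetSafeUpload(src, requested, out var safeName, out var bytes))
                Console.WriteLine($"allowlisted    : {safeName} ({bytes.Length} bytes)");
            else
                Console.WriteLine("allowlisted    : rejected");
        }
    }
}
```

Running it shows the first element written as `photo.png` (8 bytes) under both paths, while the second is named `shell.aspx` by the unchecked path and rejected by the allowlisted one. The extension allowlist is the control the advisory calls for because IIS decides whether to execute a file by its extension; checking the decoded bytes against known image signatures is a further hardening step that goes beyond what the advisory requires.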
Preconditions
- auth: Attacker must be authenticated to the blog application (able to create/edit posts)
- input: Attacker must have access to the post editor's markup/HTML mode
- config: The application must be hosted on a server that executes .aspx files (IIS with ASP.NET)
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-958r-g534-ccmr (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-9845 (NVD advisory)
- github.com/madskristensen/Miniblog.Core/blob/master/src/Controllers/BlogController.cs (affected source file)
- rastating.github.io/miniblog-remote-code-execution (researcher write-up, via GHSA)
- rastating.github.io/miniblog-remote-code-execution/ (researcher write-up, via MITRE)
News mentions
No linked articles in our index yet.