CVE-2023-33405

MEDIUM NUCLEI

Blogengine.net <3.3.8.0 - Open Redirect

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-33405. PoCs published by hacip. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository documents an open redirection vulnerability in BlogEngine.NET CMS (version 3.3.8.0 and earlier) where the 'years' parameter in a GET request to default.aspx is not properly sanitized, allowing attackers to redirect users to arbitrary URLs.

Description

Blogengine.net 3.3.8.0 and earlier is vulnerable to Open Redirect.

Exploits (1)

nomisec WRITEUP
by hacip · poc
https://github.com/hacip/CVE-2023-33405

Classification: Writeup 90%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: BlogEngine.NET CMS <= 3.3.8.0
No auth needed
Prerequisites: Access to the target BlogEngine.NET CMS instance
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

BlogEngine CMS - Open Redirect
MEDIUM · VERIFIED · by Shankar Acharya
Shodan: http.html:"blogengine.net"
FOFA: body="blogengine.net"

References (1)

Core References
Exploit, Third Party Advisory
https://github.com/hacip/CVE-2023-33405

Scores

CVSS v3: 6.1
EPSS: 0.3061
EPSS Percentile: 98.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-601
Status: published
Products (1): blogengine/blogengine.net < 3.3.8.0
Published: Jun 21, 2023
Tracked Since: Feb 18, 2026