Leif M. Wright's Blog 3.5 does not make a password comparison when authenticating an administrator via a cookie, which allows remote attackers to bypass login authentication, probably by setting the blogAdmin cookie.
Leif M. Wright's Blog version 3.5 is susceptible to information disclosure, authentication bypass, code execution, and cross site scripting flaws. Exploit details provided.