Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity prior to 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote malicious users to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise.
Vulnerable Product |
---|
telerik ui for asp.net ajax |
telerik sitefinity cms |
Also: Hackers target security researchers, MaaS model flourishing, and this week's vulnerabilities
Infosec in brief: Remember earlier this year, when we found out that a bunch of baddies including at least one nation-state group broke into a US federal government agency's Microsoft Internet Information Services (IIS) web server by exploiting a critical three-year-old Telerik bug to achieve remote code execution? It turns out that this same gang of government-backed hackers used a different – and even older – Telerik flaw to break into another US federal agency's Microsoft IIS web server, a...