Progress Telerik UI for ASP.NET AJAX, up to and including 2019.3.1023, contains a .NET deserialization vulnerability in the RadAsyncUpload component. It is exploitable when an attacker knows the encryption keys, whether recovered through CVE-2017-11317 or CVE-2017-11357 or obtained by other means, and successful exploitation can result in remote code execution. As of 2020.1.114 a default setting prevents the exploit; in 2019.3.1023, but not in earlier versions, a non-default setting can prevent exploitation.
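The version boundaries in the description above are the first thing a practitioner checks across a fleet of IIS hosts. The following is an added example, not code from the Vulmon page or from Telerik: it applies exactly those three boundaries (vulnerable through 2019.3.1023, hardened only by a non-default setting at 2019.3.1023, protected by default from 2020.1.114) to an inventory of Telerik.Web.UI.dll file versions. The host names and version strings are constructed sample data, and the handling of a four-part DLL file version assumes, as a labelled assumption, that the fourth component identifies the .NET build and has no bearing on the fix level.

```python
from __future__ import annotations

# Boundaries taken from the advisory text: vulnerable up to and including
# 2019.3.1023; a default setting blocks the exploit from 2020.1.114 onward.
LAST_VULNERABLE = (2019, 3, 1023)
FIXED_BY_DEFAULT = (2020, 1, 114)

# Sort order for triage output: most exposed hosts first.
_SEVERITY = {
    "vulnerable": 0,
    "vulnerable-unless-hardened": 1,
    "not-covered-by-advisory": 2,
    "protected-by-default": 3,
}


def parse_telerik_version(text: str) -> tuple[int, int, int]:
    """Parse 'YYYY.Q.BUILD' or the 4-part DLL file version 'YYYY.Q.BUILD.FF'.

    Assumption (not stated on the page): the fourth component of the DLL file
    version identifies the .NET build and is dropped because it does not
    change the fix level.
    """
    parts = text.strip().split(".")
    if len(parts) not in (3, 4) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Telerik version string: {text!r}")
    year, release, build = (int(p) for p in parts[:3])
    return (year, release, build)


def classify(version: str) -> str:
    """Map a Telerik UI for ASP.NET AJAX version to its CVE-2019-18935 status."""
    v = parse_telerik_version(version)
    if v < LAST_VULNERABLE:
        return "vulnerable"
    if v == LAST_VULNERABLE:
        # Only version at which a non-default setting can block the exploit;
        # the version alone cannot tell whether that setting is in place.
        return "vulnerable-unless-hardened"
    if v >= FIXED_BY_DEFAULT:
        return "protected-by-default"
    # A build after 2019.3.1023 but before 2020.1.114 is not described by the
    # advisory text, so flag it for manual verification instead of guessing.
    return "not-covered-by-advisory"


def triage(inventory: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (host, version, status) rows, most exposed first.

    Unparseable version strings are kept in the output rather than dropped,
    so a host with a malformed inventory record is not silently treated as safe.
    """
    rows: list[tuple[str, str, str]] = []
    for host, version in inventory.items():
        try:
            status = classify(version)
        except ValueError as exc:
            status = f"unparseable: {exc}"
        rows.append((host, version, status))
    rows.sort(key=lambda r: (_SEVERITY.get(r[2], 2), r[0]))
    return rows


# Constructed sample inventory (host -> Telerik.Web.UI.dll file version);
# these hosts and versions are made up for the example.
SAMPLE_INVENTORY = {
    "iis-web-01": "2017.1.118.45",
    "iis-web-02": "2019.3.1023.45",
    "iis-web-03": "2020.1.114.45",
    "iis-web-04": "2019.3.1114.45",  # hypothetical in-between build
    "iis-web-05": "unknown",
}


if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {version:18} {status}")
```

A "vulnerable-unless-hardened" result still needs a manual check of the non-default setting on that host; the version number alone cannot show whether it was applied.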
Vulnerable Product |
---|
telerik ui for asp.net ajax |
Why patching matters: Everyone seemingly had a crack at security bug
Multiple criminals, including at least potentially one nation-state group, broke into a US federal government agency's Microsoft Internet Information Services web server by exploiting a critical three-year-old Telerik bug to achieve remote code execution. The snafu happened between November 2022 and early January, according to a joint alert from the FBI, CISA, and America's Multi-State Information Sharing and Analysis Center (MS-ISAC) this week. The Feds became aware of the intrusion after spott...
Also: Hackers target security researchers, MaaS model flourishing, and this week's vulnerabilities
Infosec in brief: Remember earlier this year, when we found out that a bunch of baddies including at least one nation-state group broke into a US federal government agency's Microsoft Internet Information Services (IIS) web server by exploiting a critical three-year-old Telerik bug to achieve remote code execution? It turns out that this same gang of government-backed hackers used a different – and even older – Telerik flaw to break into another US federal agency's Microsoft IIS web server, a...