Brian Cardinale reported a file upload directory traversal vulnerability that affects AjaxControlToolkit versions prior to 15.1. On a poorly configured web server, this vulnerability can lead to remote code execution. The flaw was introduced in version 7.429, which was released on April 30, 2013. The latest vulnerable version is 7.1213.
List of vulnerable versions:
It's recommended to upgrade to the latest version of AjaxControlToolkit.
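To find projects that still reference a release in the range given above (7.429 through 7.1213), the following added example, which is not part of the original advisory or of AjaxControlToolkit, audits a NuGet `packages.config` file. It assumes the toolkit was installed through NuGet under the package id `AjaxControlToolkit`; the sample file content is constructed.

```python
import xml.etree.ElementTree as ET

# Range taken from the advisory text: introduced in 7.429, last vulnerable 7.1213.
FIRST_VULNERABLE = (7, 429)
LAST_VULNERABLE = (7, 1213)
PACKAGE_ID = "ajaxcontroltoolkit"  # assumed NuGet package id, compared case-insensitively


def parse_version(text):
    """Return (major, minor) as integers; '7.1213.0' and '7.1213' both give (7, 1213)."""
    parts = text.strip().split(".")[:2]
    numbers = [int(p) for p in parts]      # ValueError on pre-release or malformed input
    while len(numbers) < 2:
        numbers.append(0)
    return tuple(numbers)


def is_vulnerable(version_text):
    """True when major.minor falls inside the advisory's vulnerable range."""
    return FIRST_VULNERABLE <= parse_version(version_text) <= LAST_VULNERABLE


def audit_packages_config(xml_text):
    """Return [(version, verdict)] for each AjaxControlToolkit entry.

    verdict is True (vulnerable), False (outside the range) or None
    (version string could not be parsed and needs manual review).
    """
    findings = []
    for pkg in ET.fromstring(xml_text).iter("package"):
        if pkg.get("id", "").lower() != PACKAGE_ID:
            continue
        version = pkg.get("version", "")
        try:
            findings.append((version, is_vulnerable(version)))
        except ValueError:
            findings.append((version, None))
    return findings


# Constructed sample of a packages.config file.
SAMPLE = """
<packages>
  <package id="AjaxControlToolkit" version="7.1213" targetFramework="net45" />
  <package id="Newtonsoft.Json" version="6.0.8" targetFramework="net45" />
</packages>
"""

if __name__ == "__main__":
    for version, verdict in audit_packages_config(SAMPLE):
        print(version, "VULNERABLE" if verdict else "review" if verdict is None else "ok")
```

A `None` verdict means the version string did not parse and should be checked by hand rather than treated as safe.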