Description

Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise.

Remediation

References

CVE-2017-9248

Related Vulnerabilities

WordPress Plugin Open Graph for Facebook, Google+ and Twitter Card Tags Cross-Site Scripting (2.2.4)

WordPress Plugin QIWI payment module for Woocommerce Cross-Site Scripting (0.0.9)

WordPress Plugin WordPress Gallery-NextGEN Gallery Cross-Site Request Forgery (3.28)

WebLogic Deserialization of Untrusted Data Vulnerability (CVE-2020-11111)

WebLogic Deserialization of Untrusted Data Vulnerability (CVE-2019-16942)

Severity

Critical

Classification

CVE-2017-9248 CWE-522 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities