Description

The Telerik UI component for ASP.NET AJAX uses weak, static, or publicly known encryption keys to protect the data used by RadAsyncUpload. This may allow an attacker to upload arbitrary files, which may ultimately lead to remote code execution on the software's underlying host.

This vulnerability check combines active and passive testing methods. If the Telerik UI version is known to be vulnerable but the vulnerability could not be confirmed to be exploitable, Acunetix may decrease the alert confidence level to 80. If the target was found to be vulnerable and exploitable, the confidence level will be displayed as 100 (verified), even if the Telerik UI version was not previously known to be vulnerable.

Remediation

Upgrade to the latest version, follow the guidance in the RadAsyncUpload Security Guide (https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security), and set all encryption keys.
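As an added example (not part of the Acunetix alert or Telerik's own code), the check below audits a web.config for the three RadAsyncUpload appSettings keys named in the linked security guide and flags any that are missing or too short to be a real key. The 32-character minimum and the sample configuration are constructed assumptions, not values from the page.

```python
import xml.etree.ElementTree as ET

# appSettings keys named in Telerik's RadAsyncUpload Security Guide (linked above).
REQUIRED_KEYS = (
    "Telerik.AsyncUpload.ConfigurationEncryptionKey",
    "Telerik.Upload.ConfigurationHashKey",
    "Telerik.Web.UI.DialogParametersEncryptionKey",
)
MIN_KEY_LENGTH = 32  # assumed local policy: anything shorter is treated as weak


def audit_web_config(xml_text):
    """Return a dict mapping each required key to 'ok', 'missing', or 'weak'."""
    root = ET.fromstring(xml_text)
    settings = {}
    for add in root.iterfind("./appSettings/add"):
        key = add.get("key")
        if key:
            settings[key] = add.get("value", "")
    report = {}
    for key in REQUIRED_KEYS:
        if key not in settings:
            report[key] = "missing"          # control falls back to a built-in key
        elif len(settings[key].strip()) < MIN_KEY_LENGTH:
            report[key] = "weak"             # present but trivially guessable/short
        else:
            report[key] = "ok"
    return report


# Constructed sample: one key absent, one left as a placeholder, one set properly.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="Telerik.Upload.ConfigurationHashKey" value="changeme" />
    <add key="Telerik.Web.UI.DialogParametersEncryptionKey"
         value="q3Zl1xZsVhd0Nk7Pm2Cw8Rt5Jb9Xe4Ha6Ln0Fy2Ud7Go1Ki" />
  </appSettings>
</configuration>"""

if __name__ == "__main__":
    for key, status in audit_web_config(SAMPLE_WEB_CONFIG).items():
        print(f"{status:8} {key}")
```

Run it against the application's real web.config and treat any "missing" or "weak" entry as the condition this alert describes until the key is set to a long random value per the guide.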
