Improper security restrictions in UI for ASP.NET AJAX - CVE-2017-11317

Published: December 14, 2017 / Updated: April 11, 2022


Vulnerability identifier: #VU9684
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2017-11317
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vendor: Progress Telerik
Affected software:
UI for ASP.NET AJAX

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists because the RadAsyncUpload control in Progress Telerik UI for ASP.NET AJAX protects its upload configuration with a weak encryption mechanism (a default key that is the same across installations). A remote attacker who can forge that configuration can upload arbitrary files to a location of their choosing on the server and execute arbitrary code in the context of the web application.

Successful exploitation of the vulnerability may result in system compromise.


How to mitigate CVE-2017-11317

Update to version 2017.1.118 (R1 2017) or 2017.2.711 (R2 2017 SP2), or a later release, depending on the release line in use.
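The following Python script is an added example, not code from this advisory or from Progress Telerik. It turns the mitigation above into two checks a defender can run against a deployment: it compares the installed build (the file version of Telerik.Web.UI.dll, for example 2017.2.711.45) with the fixed versions this advisory names, and it audits web.config for custom RadAsyncUpload keys, since a build that still relies on the built-in key is the condition the vulnerability depends on. The appSettings key names, the 32-character length threshold and the sample web.config are assumptions of this example (the names are taken from Telerik's configuration documentation, not from this page).

```python
# Added example, not code from the advisory or from Progress Telerik.
#  1. decide whether an installed Telerik UI for ASP.NET AJAX build is below
#     the fixed versions the advisory names (2017.1.118 and 2017.2.711);
#  2. check web.config for custom RadAsyncUpload keys, so a deployment that
#     still uses the built-in key is flagged. The appSettings key names are
#     an assumption taken from Telerik's configuration documentation.
import re
import xml.etree.ElementTree as ET

# First fixed build per release line (year, release number), as stated in
# the advisory. Later release lines (2017.3 onward) already carry the fix.
FIXED_BUILD = {(2017, 1): 118, (2017, 2): 711}

# Assumed appSettings names (from Telerik documentation, not this page);
# when absent, the control falls back to its built-in keys.
CUSTOM_KEYS = (
    "Telerik.AsyncUpload.ConfigurationEncryptionKey",
    "Telerik.Upload.ConfigurationHashKey",
    "Telerik.Web.UI.DialogParametersEncryptionKey",
)


def parse_version(version):
    """Parse a Telerik build string such as '2017.2.711' or '2017.2.711.45'
    into (year, release, build); the trailing revision number is ignored."""
    m = re.fullmatch(r"(\d{4})\.(\d+)\.(\d+)(?:\.\d+)?", version.strip())
    if not m:
        raise ValueError(f"not a Telerik version string: {version!r}")
    year, release, build = (int(x) for x in m.groups())
    return year, release, build


def is_vulnerable_build(version):
    """True when the build is below the advisory's fixed version for its line."""
    year, release, build = parse_version(version)
    line = (year, release)
    if line < (2017, 1):
        return True                       # older lines: no fixed build exists
    if line in FIXED_BUILD:
        return build < FIXED_BUILD[line]  # 2017.1.x and 2017.2.x lines
    return False                          # 2017.3 and later include the fix


def audit_web_config(config_xml, min_key_len=32):
    """Return findings for the RadAsyncUpload key settings in web.config.
    A missing key means the built-in key is in use; a short value is weak.
    min_key_len is this example's own threshold (assumption)."""
    root = ET.fromstring(config_xml)
    settings = {
        el.get("key"): el.get("value", "")
        for el in root.iter("add") if el.get("key")
    }
    findings = []
    for name in CUSTOM_KEYS:
        value = settings.get(name)
        if value is None:
            findings.append(f"{name}: not set, built-in key in use")
        elif len(value) < min_key_len:
            findings.append(f"{name}: value shorter than {min_key_len} chars")
    return findings


# Constructed sample web.config (not from any real deployment): the
# encryption key is set but too short, the other two keys are absent.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="short" />
  </appSettings>
  <system.web>
    <compilation targetFramework="4.5" />
  </system.web>
</configuration>"""


def assess(version, config_xml):
    """Combine both checks into one list of findings for a deployment."""
    findings = []
    if is_vulnerable_build(version):
        findings.append(f"build {version} is below the fixed version")
    findings.extend(audit_web_config(config_xml))
    return findings


if __name__ == "__main__":
    for finding in assess("2017.2.621", SAMPLE_WEB_CONFIG):
        print(finding)
```

The version check follows the advisory's own boundaries; it says nothing about later RadAsyncUpload issues, which have their own fixed versions. The web.config audit is worth running even on a fixed build, because a long random value for each key removes the dependency on any built-in secret.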

Sources