Main Vulnerability Database Vulnerabilities #VU9686

#VU9686 Improper security restrictions in UI for ASP.NET AJAX - CVE-2017-11357

Published: December 19, 2017 / Updated: January 26, 2023

Vulnerability identifier: #VU9686

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber

CVE-ID: CVE-2017-11357

CWE-ID: CWE-264

Exploitation vector: Remote access

Exploit availability: The vulnerability is being exploited in the wild

Vulnerable software:
UI for ASP.NET AJAX

Software vendor:
Progress Telerik

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists in Progress Telerik User Interface (UI) for ASP.NET AJAX due to use of user-supplied input by RadAsyncUpload without modification or validation. A remote attacker can upload arbitrary files and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Remediation

Update to version 2017.2.711.

External links

https://www.telerik.com/support/kb/aspnet-ajax/upload-%28async%29/details/insecure-direct-object-ref...

#VU9686 Improper security restrictions in UI for ASP.NET AJAX - CVE-2017-11357

Description

Remediation

External links

Please verify you're human