Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise.
References
Link | Resource |
---|---|
http://www.securityfocus.com/bid/99965 | Broken Link Third Party Advisory VDB Entry |
http://www.telerik.com/blogs/security-alert-for-telerik-ui-for-asp.net-ajax-and-progress-sitefinity | Vendor Advisory |
http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness | Mitigation Vendor Advisory |
https://www.exploit-db.com/exploits/43873/ | Exploit Third Party Advisory VDB Entry |
Configurations
Configuration 1 (hide)
|
History
25 Jul 2024, 14:04
Type | Values Removed | Values Added |
---|---|---|
References | () http://www.securityfocus.com/bid/99965 - Broken Link, Third Party Advisory, VDB Entry | |
References | () https://www.exploit-db.com/exploits/43873/ - Exploit, Third Party Advisory, VDB Entry | |
First Time |
Progress
Progress sitefinity |
|
CPE | cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:* |
Information
Published : 2017-07-03 19:29
Updated : 2024-07-25 14:04
NVD link : CVE-2017-9248
Mitre link : CVE-2017-9248
CVE.ORG link : CVE-2017-9248
JSON object : View
Products Affected
progress
- sitefinity
telerik
- ui_for_asp.net_ajax
CWE
CWE-522
Insufficiently Protected Credentials