CVE-2017-9248

Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*
cpe:2.3:a:telerik:ui_for_asp.net_ajax:*:*:*:*:*:*:*:*

History

21 Nov 2024, 03:35

Type Values Removed Values Added
References () http://www.securityfocus.com/bid/99965 - Broken Link, Third Party Advisory, VDB Entry () http://www.securityfocus.com/bid/99965 - Broken Link, Third Party Advisory, VDB Entry
References () http://www.telerik.com/blogs/security-alert-for-telerik-ui-for-asp.net-ajax-and-progress-sitefinity - Vendor Advisory () http://www.telerik.com/blogs/security-alert-for-telerik-ui-for-asp.net-ajax-and-progress-sitefinity - Vendor Advisory
References () http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness - Mitigation, Vendor Advisory () http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness - Mitigation, Vendor Advisory
References () https://www.exploit-db.com/exploits/43873/ - Exploit, Third Party Advisory, VDB Entry () https://www.exploit-db.com/exploits/43873/ - Exploit, Third Party Advisory, VDB Entry

25 Jul 2024, 14:04

Type Values Removed Values Added
References () http://www.securityfocus.com/bid/99965 - () http://www.securityfocus.com/bid/99965 - Broken Link, Third Party Advisory, VDB Entry
References () https://www.exploit-db.com/exploits/43873/ - () https://www.exploit-db.com/exploits/43873/ - Exploit, Third Party Advisory, VDB Entry
First Time Progress
Progress sitefinity
CPE cpe:2.3:a:telerik:sitefinity_cms:*:*:*:*:*:*:*:* cpe:2.3:a:progress:sitefinity:*:*:*:*:*:*:*:*

Information

Published : 2017-07-03 19:29

Updated : 2024-11-21 03:35


NVD link : CVE-2017-9248

Mitre link : CVE-2017-9248

CVE.ORG link : CVE-2017-9248


JSON object : View

Products Affected

progress

  • sitefinity

telerik

  • ui_for_asp.net_ajax
CWE
CWE-522

Insufficiently Protected Credentials