Overview
- Description: Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 uses weak RadAsyncUpload encryption, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.
- Source: cve@mitre.org
- NVD status: Analyzed
Risk scores
CVSS 3.1
- Type: Primary
- Base score: 9.8
- Impact score: 5.9
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity: CRITICAL
CVSS 2.0
- Type: Primary
- Base score: 7.5
- Impact score: 6.4
- Exploitability score: 10
- Vector string: AV:N/AC:L/Au:N/C:P/I:P/A:P
Known exploits
Data from CISA
- Vulnerability name: Telerik UI for ASP.NET AJAX Unrestricted File Upload Vulnerability
- Exploit added on: Apr 11, 2022
- Exploit action due: May 2, 2022
- Required action: Apply updates per vendor instructions.
Weaknesses
- nvd@nist.gov: CWE-326
Configurations
[ { "nodes": [ { "negate": false, "cpeMatch": [ { "criteria": "cpe:2.3:a:telerik:ui_for_asp.net_ajax:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D76294AA-998D-4411-8C38-A94E960991EB", "versionEndIncluding": "2016.3.1027" }, { "criteria": "cpe:2.3:a:telerik:ui_for_asp.net_ajax:2017.2.503:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "894650C2-0A22-43E4-A032-D5806A6332AB" }, { "criteria": "cpe:2.3:a:telerik:ui_for_asp.net_ajax:2017.2.621:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4D83BFE5-6C1C-4BDB-B2BE-92E83509DB94" } ], "operator": "OR" } ] } ]