CVE-2017-9248 Information

Description

Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey which makes it easier for remote attackers to defeat cryptographic protection mechanisms leading to a MachineKey leak arbitrary file uploads or downloads XSS or ASP.NET ViewState compromise.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

http://www.securityfocus.com/bid/99965 http://www.telerik.com/blogs/security-alert-for-telerik-ui-for-asp.net-ajax-and-progress-sitefinity http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness https://www.exploit-db.com/exploits/43873/

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8