EDB-43874
webappsaspx
Telerik UI for ASP.NET AJAX 2012.3.1308 < 2017.1.118 - Arbitrary File Upload
CVE-2017-11357CVE-2017-11317
Paul Taylor1/24/2018
CISA既知の悪用された脆弱性
Telerik UI for ASP.NET AJAX contains an insecure direct object reference vulnerability in RadAsyncUpload that can result in file uploads in a limited location and/or remote code execution.
必要な対応:
Apply updates per vendor instructions.
期限:
2023-02-16
既知のランサムウェア使用
説明
Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.
AI分析AIによる分析
影響を受ける製品
telerikui_for_asp.net_ajax
利用可能なエクスプロイト (1)
参照
- http://www.telerik.com/support/kb/aspnet-ajax/upload-%28async%29/details/insecure-direct-object-referenceMitigationVendor Advisory
- https://www.exploit-db.com/exploits/43874/ExploitThird Party AdvisoryVDB Entry
- http://www.telerik.com/support/kb/aspnet-ajax/upload-%28async%29/details/insecure-direct-object-referenceMitigationVendor Advisory
- https://www.exploit-db.com/exploits/43874/ExploitThird Party AdvisoryVDB Entry
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-11357