CVE-2017-9248

high-risk

Published 2017-07-03

Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise.

Do I need to act?

87.8% chance of exploitation in next 30 days

EPSS score — higher than 12% of all CVEs

CISA KEV: actively exploited in the wild

On the Known Exploited Vulnerabilities catalog — federal agencies must patch

1 public exploit available

43873

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (2)

Ui For Asp.Net Ajax

Sitefinity

Affected Vendors

Progress Telerik

References (9)

Broken Link http://www.securityfocus.com/bid/99965

Vendor Advisory http://www.telerik.com/blogs/security-alert-for-telerik-ui-for-asp.net-ajax-and-...

Mitigation http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness

Exploit https://www.exploit-db.com/exploits/43873/

Broken Link http://www.securityfocus.com/bid/99965

Vendor Advisory http://www.telerik.com/blogs/security-alert-for-telerik-ui-for-asp.net-ajax-and-...

Mitigation http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness

Exploit https://www.exploit-db.com/exploits/43873/

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-...

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 27/34 · High

Exposure 7/34 · Low