CVE-2017-11357
CRITICAL · CISA KEV · 9.8
Description
Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.
CVE details
CVSS v3.1 score: 9.8
Severity: CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 8/23/2017
Last modified: 4/22/2026
Source: kev
Honeypot observations: 0
CISA KEV
Vendor: Telerik
Product: User Interface (UI) for ASP.NET AJAX
Vulnerability name: Telerik UI for ASP.NET AJAX Insecure Direct Object Reference Vulnerability
Date added to KEV: 2023-01-26
Remediation due date: 2023-02-16
Used in ransomware: Known
Affected products
progress:telerik_ui_for_asp.net_ajax
Weaknesses (CWE)
CWE-434
References
http://www.telerik.com/support/kb/aspnet-ajax/upload-%28async%29/details/insecure-direct-object-reference
https://www.exploit-db.com/exploits/43874/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-11357
IOC correlations
No correlation recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.