CVE-2017-11357

Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to...

Basic Information

CVE State: PUBLISHED
Reserved Date: July 16, 2017
Published Date: August 23, 2017
Last Updated: February 07, 2025
Vendor: n/a
Product: n/a
Description: Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation: active
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (added 2023-01-26 00:00:00 UTC) Source
Used in Malware: Yes (added 2023-01-26 00:00:00 UTC) Source

References

https://www.exploit-db.com/exploits/43874/ http://www.telerik.com/support/kb/aspnet-ajax/upload-%28async%29/details/insecure-direct-object-reference

Known Exploited Vulnerability Information

Source	Added Date
CISA	2023-01-26 00:00:00 UTC