CVE-2017-9248
KEV
🔴 Łataj teraz
Luka w Telerik UI dla ASP.NET AJAX umożliwia atakującym przejęcie kluczy i ataki XSS.
CVSS
9.8
EPSS
88.6%
Exploit
weaponized
Vendor
progress
Opis źródłowy (NVD)
Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise.
exploit xss
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 9.8 |
| CISA KEV (aktywnie wykorzystywane) | Tak |
| FIRST EPSS (prawdopodobieństwo exploita) | 88.6% |
| Opublikowano (NVD) | 2017-07-03 19:29:00 UTC |
| Ostatnia modyfikacja (NVD) | 2026-04-21 18:02:31 UTC |
Referencje
- http://www.securityfocus.com/bid/99965 (cve@mitre.org) [Broken Link, Third Party Advisory, VDB Entry]
- http://www.telerik.com/blogs/security-alert-for-telerik-ui-for-asp.net-ajax-and-progress-sitefinity (cve@mitre.org) [Vendor Advisory]
- http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness (cve@mitre.org) [Mitigation, Vendor Advisory]
- https://www.exploit-db.com/exploits/43873/ (cve@mitre.org) [Exploit, Third Party Advisory, VDB Entry]
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-9248 (134c704f-9b21-4f2e-91b3-4a467353bcc0) [US Government Resource]