CVE-2017-9248

Name of the Vulnerable Software and Affected Versions Progress Telerik UI for ASP.NET AJAX versions prior to R2 2017 SP1 Sitefinity versions prior to 10.0.6412.0

Description The issue is related to insufficient protection of registration data in the Telerik.Web.UI.dll library, which is part of the Telerik UI for ASP.NET AJAX and Sitefinity content management system. This weakness can be exploited by a remote attacker to reveal encryption keys, specifically Telerik.Web.UI.DialogParametersEncryptionKey and/or MachineKey. This can lead to a MachineKey leak, arbitrary file uploads or downloads, cross-site scripting (XSS), or ASP.NET ViewState compromise.

Recommendations For Progress Telerik UI for ASP.NET AJAX versions prior to R2 2017 SP1, update to R2 2017 SP1 or later. For Sitefinity versions prior to 10.0.6412.0, update to 10.0.6412.0 or later. As a temporary workaround, consider restricting access to the Telerik.Web.UI.DialogParametersEncryptionKey and MachineKey to minimize the risk of exploitation.