Unauthorized Access Vulnerability in Progress Telerik UI for ASP.NET AJAX
CVE-2021-28141
9.8 CRITICAL
What is CVE-2021-28141?
A vulnerability in Progress Telerik UI for ASP.NET AJAX 2021.1.224 allows unauthorized access to critical scripts via the Telerik.Web.UI.WebResource.axd file. By manipulating the TSM_HiddenField parameter, an attacker may inject a command into the URI, potentially leading to code execution on the server. Although the vendor claims that this does not constitute a true vulnerability as the output does not reveal sensitive data or indicate actual command execution, it nonetheless poses a risk for unauthorized access.
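A log-review check for the request pattern described above, added here as an example (it is not Progress or Telerik code). It assumes a simplified W3C-style log layout and that a legitimate TSM_HiddenField value is a plain control ID; the log lines, addresses and values are constructed.

```python
import re
from urllib.parse import parse_qsl

# Handler path named in the CVE description (matched case-insensitively).
HANDLER = "telerik.web.ui.webresource.axd"
# Assumption: a legitimate value is a control client ID (letters, digits, _ $ : -).
SAFE_VALUE = re.compile(r"[A-Za-z0-9_$:\-]{1,128}")

# Constructed sample lines in a simplified W3C-style layout:
# date time client-ip method uri-stem uri-query status
SAMPLE_LOG = """\
2021-03-12 10:01:07 198.51.100.7 GET /Telerik.Web.UI.WebResource.axd _TSM_HiddenField_=RadScriptManager1_TSM&compress=1 200
2021-03-12 10:01:09 198.51.100.7 GET /default.aspx - 200
2021-03-12 10:02:44 203.0.113.25 GET /app/Telerik.Web.UI.WebResource.axd _TSM_HiddenField_=x%3Bconstructed%20non-id%20value&compress=1 200
2021-03-12 10:03:02 203.0.113.25 GET /Telerik.Web.UI.WebResource.axd compress=1 200
"""

def tsm_values(query):
    """Return decoded values of every query parameter whose name contains TSM_HiddenField."""
    if query == "-":  # W3C logs write "-" for an empty query string
        return []
    pairs = parse_qsl(query, keep_blank_values=True)
    return [v for k, v in pairs if "tsm_hiddenfield" in k.lower()]

def find_suspicious(log_text):
    """Return (client_ip, value) for handler requests whose parameter value is not a plain ID."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) != 7:
            continue  # skip W3C header lines and malformed rows
        _, _, client_ip, _, stem, query, _ = fields
        if not stem.lower().endswith("/" + HANDLER):
            continue
        for value in tsm_values(query):
            if not SAFE_VALUE.fullmatch(value):
                hits.append((client_ip, value))
    return hits

if __name__ == "__main__":
    for ip, value in find_suspicious(SAMPLE_LOG):
        print(f"review: {ip} sent TSM_HiddenField={value!r}")
```

Hits are candidates for review, not confirmed compromise; adjust the allowlist if the application's control IDs use other characters.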