New QID for vulnerability in Telerik UI for ASP.NET AJAX

Document created by Dave Ferguson Employee on Mar 25, 2020

A new detection in Qualys WAS has been released to detect an unrestricted file upload vulnerability in Telerik UI for ASP.NET AJAX. The flaw stems from weakly encrypted data used by the RadAsyncUpload component. An attacker who successfully exploits the vulnerability can upload arbitrary files to the server. This vulnerability was assigned CVE-2017-11317.


Telerik UI components are quite popular with ASP.NET developers, and your ASP.NET web applications may be vulnerable if the underlying components haven't been updated or patched. To test for this vulnerability, make sure QID 150285 is enabled during your WAS vulnerability scans. QID 150285 is a severity "3" potential vulnerability.


Note: An authenticated Qualys Vulnerability Management (VM) scan can also be used to test for this vulnerability (the QID is 370708).
