Description

The Telerik UI component for ASP.NET AJAX uses weak encryption keys to encrypt data used by RadAsyncUpload. This may allow an attacker to upload arbitrary files and achieve remote code execution on the software's underlying host.

Remote code execution was not confirmed; this alert was issued based on the version of the Telerik UI component.

Remediation

Upgrade to the latest version, follow the guidance in the RadAsyncUpload Security Guide (https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security), and set all encryption keys.
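
One way to audit the "set all encryption keys" step, as an added example that is not part of the original advisory or Telerik's own code: it parses a web.config and reports which of the three Telerik appSettings keys are missing, short, repetitive or reused. The length and variety thresholds, the function name and the sample config are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# appSettings key names used by Telerik UI for ASP.NET AJAX.
REQUIRED_KEYS = (
    "Telerik.AsyncUpload.ConfigurationEncryptionKey",
    "Telerik.Upload.ConfigurationHashKey",
    "Telerik.Web.UI.DialogParametersEncryptionKey",
)
MIN_LENGTH = 32          # assumed local policy threshold, not a vendor figure
MIN_DISTINCT_CHARS = 10  # assumed heuristic to flag trivially repetitive values

# Constructed sample: one short key, one acceptable placeholder, one absent.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="ChangeMe" />
    <add key="Telerik.Upload.ConfigurationHashKey"
         value="CONSTRUCTED-PLACEHOLDER-VALUE-0123456789-abcdefghij" />
  </appSettings>
</configuration>"""


def _local(tag):
    """Strip an XML namespace so older namespaced configs still match."""
    return tag.rsplit("}", 1)[-1]


def audit_web_config(xml_text):
    """Return {key_name: finding} for each required key that is missing or weak."""
    root = ET.fromstring(xml_text)
    settings = {}
    for section in root.iter():
        if _local(section.tag) != "appSettings":
            continue
        for add in section:
            if _local(add.tag) == "add":
                settings[add.get("key", "")] = add.get("value", "")
    findings, seen = {}, {}
    for name in REQUIRED_KEYS:
        value = settings.get(name)
        if not value:
            findings[name] = "missing"
        elif len(value) < MIN_LENGTH:
            findings[name] = "too short"
        elif len(set(value)) < MIN_DISTINCT_CHARS:
            findings[name] = "low variety"
        elif value in seen:
            findings[name] = "reuses " + seen[value]
        if value:
            seen.setdefault(value, name)
    return findings
```

Keys kept in an external appSettings file or in an encrypted configuration section are reported as missing by this check and have to be verified where they are actually stored.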
