返回 CVE 瀏覽器

CVE-2017-9248

Known Exploited (CISA KEV)CRITICAL

9.8

CVSS Severity Score

EPSS Score56.5980%

EPSS Percentile94.88th

Published2017年7月3日

Last Modified2026年4月21日

Vulnerability Description

Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise.

Affected Platforms (CPE)

📦

Progress

Sitefinity

< 10.0.6412.0

📦

Telerik

Ui For Asp.net Ajax

<= 2017.2.503

References & Advisories

🔗 http://www.securityfocus.com/bid/99965

🔗 http://www.telerik.com/blogs/security-alert-for-telerik-ui-for-asp.net-ajax-and-progress-sitefinity

🔗 http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness

🔗 https://www.exploit-db.com/exploits/43873/

🔗 http://www.securityfocus.com/bid/99965

🔗 http://www.telerik.com/blogs/security-alert-for-telerik-ui-for-asp.net-ajax-and-progress-sitefinity

🔗 http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness

🔗 https://www.exploit-db.com/exploits/43873/

相關漏洞威脅

CVE-2019-173929.8

Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host header is mishandle...

CVE-2017-158839.8

Sitefinity 5.1, 5.2, 5.3, 5.4, 6.x, 7.x, 8.x, 9.x, and 10.x allow remote attackers to bypass authentication and consequently cause...

CVE-2017-181798.8

Progress Sitefinity 9.1 uses wrap_access_token as a non-expiring authentication token that remains valid after a password change o...

CVE-2018-170557.5

An arbitrary file upload vulnerability in Progress Sitefinity CMS versions 4.0 through 11.0 related to image uploads.