CVE-2017-11357
Summary
| CVE | CVE-2017-11357 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2017-08-23 17:29:00 UTC |
| Updated | 2018-01-28 02:29:00 UTC |
| Description | Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code. |
Risk And Classification
EPSS: probability 0.938550000, percentile 0.998660000 (as of 2026-04-01)
CISA KEV: listed 2023-01-26; due date 2023-02-16; ransomware use: Known
Problem Types: CWE-20 (Improper Input Validation)
CISA Known Exploited Vulnerability
| Vendor | Telerik |
|---|---|
| Product | User Interface (UI) for ASP.NET AJAX |
| Name | Telerik UI for ASP.NET AJAX Insecure Direct Object Reference Vulnerability |
| Required Action | Apply updates per vendor instructions. |
| Notes | https://docs.telerik.com/devtools/aspnet-ajax/knowledge-base/asyncupload-insecure-direct-object-reference; https://nvd.nist.gov/vuln/detail/CVE-2017-11357 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Telerik | UI for ASP.NET AJAX | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Insecure Direct Object Reference - Telerik UI for ASP.NET AJAX - KB | CONFIRM | www.telerik.com | Mitigation, Vendor Advisory |
| Telerik UI for ASP.NET AJAX 2012.3.1308 < 2017.1.118 - Arbitrary File Upload - ASPX webapps Exploit | EXPLOIT-DB | www.exploit-db.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.