CVE-2017-9248
In short
A cryptographic weakness in Progress Telerik UI for ASP.NET AJAX (and in Sitefinity, which bundles it) lets an unauthenticated remote attacker recover the key that protects the parameters of the built-in dialog handler, and with it the ASP.NET MachineKey when no dedicated key is configured. Holding that key, the attacker can open the file-manager dialogs to upload or download arbitrary files, inject script into pages, or forge ViewState.
Technical detail
CVE-2017-9248 is a weakness in Telerik.Web.UI.dll: the parameters sent to Telerik.Web.UI.DialogHandler.aspx are encrypted under Telerik.Web.UI.DialogParametersEncryptionKey (or, when that key is not set, under the ASP.NET MachineKey), and the scheme lets a remote, unauthenticated attacker recover the key by brute force, using the handler's responses as an oracle; the public PoCs listed below (dp_crypto and its derivatives) automate this. Recovering the key leaks the MachineKey, gives access to the document and image manager dialogs for arbitrary file upload and download, and enables XSS and ASP.NET ViewState forgery. The issue is in the CISA Known Exploited Vulnerabilities catalog. It is fixed in Telerik UI for ASP.NET AJAX R2 2017 SP1 (2017.2.621) and Sitefinity 10.0.6412.0; after upgrading, Telerik also recommends configuring a strong DialogParametersEncryptionKey rather than relying on the MachineKey.
Summary generated and translated by AI from the official description.
Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (base score 9.8, Critical)
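A version-based screening check, added here as an example and not code from the page or from any of the PoC repositories it lists. It assumes the site exposes its Telerik.Web.UI assembly version in the script URLs it emits (the "Telerik.Web.UI, Version=..." fragment inside Telerik.Web.UI.WebResource.axd references, usually percent-encoded) and compares each version found with the first fixed release, R2 2017 SP1 (2017.2.621). The HTML it runs on is a constructed sample, not a captured response.

```python
"""Screening check for CVE-2017-9248 exposure from a saved HTML response.

Added example (not from the advisory or its PoCs). Assumptions:
  * the page references Telerik.Web.UI.WebResource.axd with the assembly
    name "Telerik.Web.UI, Version=YYYY.R.BBB[.rev]" in the query string;
  * the first fixed build is R2 2017 SP1, assembly version 2017.2.621.
"""
import re
from urllib.parse import unquote_plus

# First fixed release per the Telerik advisory: R2 2017 SP1 = 2017.2.621.
FIXED_VERSION = (2017, 2, 621)

# Matches the assembly-name fragment after URL decoding. The optional
# fourth component (build revision) is ignored for the comparison.
VERSION_RE = re.compile(r"Telerik\.Web\.UI,\s*Version=(\d+)\.(\d+)\.(\d+)")

# The handler whose parameter encryption the CVE concerns.
DIALOG_HANDLER = "Telerik.Web.UI.DialogHandler.aspx"


def extract_versions(html: str) -> list:
    """Return the distinct Telerik.Web.UI versions referenced in a page."""
    decoded = unquote_plus(html)  # script URLs carry the name percent-encoded
    found = {tuple(int(x) for x in m) for m in VERSION_RE.findall(decoded)}
    return sorted(found)


def is_affected(version: tuple) -> bool:
    """True when the version predates R2 2017 SP1 (2017.2.621)."""
    return tuple(version[:3]) < FIXED_VERSION


def assess(html: str) -> dict:
    """Summarise what the page reveals: versions seen, which of them are
    affected, and whether the dialog handler endpoint is referenced."""
    versions = extract_versions(html)
    return {
        "versions": versions,
        "affected_versions": [v for v in versions if is_affected(v)],
        "dialog_handler_referenced": DIALOG_HANDLER.lower() in unquote_plus(html).lower(),
    }


# Constructed sample response (not captured from any real host): one script
# reference to a pre-fix build, one comment naming the fixed build, and a
# link to the dialog handler, as a site mid-upgrade might show.
SAMPLE_HTML = """
<script src="/Telerik.Web.UI.WebResource.axd?_TSM_HiddenField_=x&amp;compress=1&amp;_TSM_CombinedScripts_=%3b%3bTelerik.Web.UI%2c+Version%3d2016.2.504.45%2c+Culture%3dneutral%3aen-US"></script>
<!-- Telerik.Web.UI, Version=2017.2.621.45 -->
<a href="/Telerik.Web.UI.DialogHandler.aspx?dp=ABC">Image Manager</a>
"""


if __name__ == "__main__":
    report = assess(SAMPLE_HTML)
    for v in report["versions"]:
        status = "AFFECTED" if is_affected(v) else "fixed"
        print(".".join(map(str, v)) + ": " + status)
    print("DialogHandler referenced:", report["dialog_handler_referenced"])
```

Treat this as a first pass only: a site that emits no version string is not thereby safe, and the version alone does not tell you whether the dialog handler is actually reachable or whether a custom DialogParametersEncryptionKey was set.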
Affected products
n/a
Public PoCs found: 9
github.com/bao7uo/dp_crypto (GitHub, ★ 177)
github.com/capt-meelo/Telewreck (GitHub, ★ 97)
github.com/blacklanternsecurity/dp_cryptomg (GitHub, ★ 60)
github.com/0xsharz/telerik-scanner-cve-2017-9248 (GitHub, ★ 2)
github.com/ictnamanh/CVE-2017-9248 (GitHub, ★ 0)
github.com/oldboysonnt/dp (GitHub, ★ 0)
github.com/cehamod/UI_CVE-2017-9248 (GitHub, ★ 0)
www.exploit-db.com/exploits/43873 (Exploit-DB; also cited in the CVE references; unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-9248
https://www.exploit-db.com/exploits/43873/
http://www.securityfocus.com/bid/99965
http://www.telerik.com/blogs/security-alert-for-telerik-ui-for-asp.net-ajax-and-progress-sitefinity
http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness