Vulnerability Note VU#838200
Telerik Web UI contains cryptographic weakness
The Telerik Web UI, versions R2 2017 (2017.2.503) and prior, is vulnerable to a cryptographic weakness which an attacker can exploit to extract encryption keys.
CWE-326: Inadequate Encryption Strength - CVE-2017-9248
Telerik.Web.UI.dll is vulnerable to a cryptographic weakness that allows an attacker to extract the Telerik.Web.UI.DialogParametersEncryptionKey and/or the MachineKey.
A remote, unauthenticated attacker could perform arbitrary file uploads and downloads, perform cross-site scripting attacks, leak the MachineKey, or compromise the ASP.NET ViewState.
Apply an update
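To know where the update is needed, inventory the deployed copies of the assembly. The PowerShell below is an added example, not part of the original note or any vendor tooling; it flags copies of Telerik.Web.UI.dll whose version falls in the affected range stated above (2017.2.503 and prior). Assumptions: the default `C:\inetpub` root is a placeholder, and the first three parts of the DLL's file version carry the Telerik release number.

```powershell
# Added example: inventory Telerik.Web.UI.dll copies under one or more web roots
# and flag those in the affected range stated in this note (2017.2.503 and prior).
# Assumption: the first three parts of the DLL's file version are the Telerik
# release number (for example 2017.2.503.x).
function Find-AffectedTelerikWebUI {
    [CmdletBinding()]
    param(
        # Placeholder default; pass your own site roots.
        [string[]]$Path = @('C:\inetpub'),
        # Last affected release according to the note.
        [version]$LastAffected = '2017.2.503'
    )

    Get-ChildItem -Path $Path -Recurse -File -Filter 'Telerik.Web.UI.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = $_.VersionInfo
            if (-not $info.FileVersion) {
                # No version resource: report for manual review rather than guess.
                $release = $null
                $status  = 'Unknown'
            }
            else {
                $release = New-Object System.Version($info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart)
                $status  = if ($release -le $LastAffected) { 'Affected' } else { 'NotInAffectedRange' }
            }
            [pscustomobject]@{
                Status       = $status
                Release      = $release
                FileVersion  = $info.FileVersion
                FullName     = $_.FullName
                LastWriteUtc = $_.LastWriteTimeUtc
            }
        }
}

# Run against the default root and list results, affected copies first.
Find-AffectedTelerikWebUI | Sort-Object Status, FullName | Format-Table -AutoSize
```

The vendor table in this note lists DotNetNuke as affected, so include DotNetNuke site roots in `-Path`.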
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| DotNetNuke | Affected | - | 18 Jul 2017 |
| Telerik | Affected | - | 19 Jul 2017 |
Telerik thanks Erlend Leiknes, security consultant at Mnemonic AS, and Thanh Van Tien Nguyen for reporting this vulnerability.
This document was written by Trent Novelly.
- CVE IDs: CVE-2017-9248
- Date Public: 26 Jun 2017
- Date First Published: 25 Jul 2017
- Date Last Updated: 25 Jul 2017
- Document Revision: 11