CVE-2017-9248: Progress Telerik UI for ASP.NET AJAX and Sitefinity Cryptographic Weakness Vulnerability
First published: Mon Jul 03 2017(Updated: )
Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Progress Sitefinity | ||
| Progress Sitefinity CMS | <=10.0.6401.0 | |
| Progress Telerik UI for ASP.NET AJAX | <=2017.2.503 | |
| Progress Sitefinity CMS | <10.0.6412.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/99965
- http://www.telerik.com/blogs/security-alert-for-telerik-ui-for-asp.net-ajax-and-progress-sitefinity
- http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness
- https://www.exploit-db.com/exploits/43873/
- https://nvd.nist.gov/vuln/detail/CVE-2017-9248
- https://www.darkreading.com/cyber-risk/xe-group-shifts-card-skimming-supply-chain-attacks
Frequently Asked Questions
What is the severity of CVE-2017-9248?
CVE-2017-9248 has a medium severity rating, indicating that it poses a moderate risk to affected systems.
How do I fix CVE-2017-9248?
To mitigate CVE-2017-9248, update Telerik UI for ASP.NET AJAX to version R2 2017 SP1 or later and Progress Sitefinity to version 10.0.6412.0 or later.
What does CVE-2017-9248 affect?
CVE-2017-9248 affects Telerik UI for ASP.NET AJAX versions up to 2017.2.503 and Progress Sitefinity versions prior to 10.0.6412.0.
What is the impact of CVE-2017-9248?
The impact of CVE-2017-9248 allows attackers to potentially defeat cryptographic protections leading to unauthorized data access.
Is my application vulnerable if it uses Telerik.Web.UI.dll?
If your application uses Telerik.Web.UI.dll versions specified in CVE-2017-9248 and you have not applied the necessary updates, it is vulnerable.
- agent/type
- agent/description
- agent/title
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/first-publish-date
- agent/last-modified-date
- collector/darkreading
- source/Dark Reading
- alias/CVE-2017-9248
- alias/CVE-2024-57968
- alias/CVE-2025-25181
- agent/source
- agent/references
- agent/weakness
- agent/event
- agent/trending
- agent/news-ai
- zeroday/true
- agent/severity
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-api
- source/NVD
- collector/nvd-cve
- agent/tags
- agent/softwarecombine
- vendor/progress
- canonical/progress sitefinity
- vendor/telerik
- canonical/progress sitefinity cms
- version/progress sitefinity cms/10.0.6401.0
- canonical/progress telerik ui for asp.net ajax
- version/progress telerik ui for asp.net ajax/2017.2.503