What is CVE-2019-18935?

CVE-2019-18935 is a vulnerability in Progress Telerik UI for ASP.NET AJAX that allows for the deserialization of untrusted data.

How severe is CVE-2019-18935?

CVE-2019-18935 has a severity rating of 9.8, which is considered critical.

What software is affected by CVE-2019-18935?

Progress Telerik UI for ASP.NET AJAX versions between 2011.1.315 and 2019.3.1023 are affected by CVE-2019-18935.

How can CVE-2019-18935 be exploited?

CVE-2019-18935 can be exploited when the encryption keys are known or through other means, which can result in remote code execution.

Are there any resources for further information about CVE-2019-18935?

Yes, you can find more information about CVE-2019-18935 at the following references: [link1](http://packetstormsecurity.com/files/155720/Telerik-UI-Remote-Code-Execution.html), [link2](http://packetstormsecurity.com/files/159653/Telerik-UI-ASP.NET-AJAX-RadAsyncUpload-Deserialization.html), [link3](https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html).

Vulnerability/
CVE-2019-18935

Exploited

critical

9.8

CWE

502

11/12/2019

5/8/2024

CVE-2019-18935: Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data Vulnerability

First published: Wed Dec 11 2019(Updated: )

Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
Telerik UI for ASP.NET AJAX	>=2011.1.315<2019.3.1023
Progress Telerik UI for ASP.NET AJAX
Telerik UI for ASP.NET AJAX	>=2011.1.315<=2020.1.114

Remedy

https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2019-18935?
CVE-2019-18935 is a vulnerability in Progress Telerik UI for ASP.NET AJAX that allows for the deserialization of untrusted data.
How severe is CVE-2019-18935?
CVE-2019-18935 has a severity rating of 9.8, which is considered critical.
What software is affected by CVE-2019-18935?
Progress Telerik UI for ASP.NET AJAX versions between 2011.1.315 and 2019.3.1023 are affected by CVE-2019-18935.
How can CVE-2019-18935 be exploited?
CVE-2019-18935 can be exploited when the encryption keys are known or through other means, which can result in remote code execution.
Are there any resources for further information about CVE-2019-18935?
Yes, you can find more information about CVE-2019-18935 at the following references: [link1](http://packetstormsecurity.com/files/155720/Telerik-UI-Remote-Code-Execution.html), [link2](http://packetstormsecurity.com/files/159653/Telerik-UI-ASP.NET-AJAX-RadAsyncUpload-Deserialization.html), [link3](https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html).

collector/nvd-index
agent/type
agent/description
agent/title
agent/severity
agent/remedy
agent/weakness
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/author
agent/softwarecombine
collector/bleeping-computer
source/BleepingComputer
alias/CVE-2019-18935
alias/CVE-2024-6327
alias/CVE-2024-4358
alias/CVE-2024-1800
collector/the-register
source/The Register
alias/CVE-2024-6096
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/event
agent/first-publish-date
exploited/true
ransomware/true
collector/cisa-known-exploited
source/CISA
agent/references
agent/tags
collector/nvd-cve
vendor/telerik
canonical/telerik ui for asp.net ajax
version/telerik ui for asp.net ajax/2011.1.315
version/telerik ui for asp.net ajax/2020.1.114
vendor/progress
canonical/progress telerik ui for asp.net ajax