CVE-2021-28141
CVE-2021-28141 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. An issue was discovered in Progress Telerik UI for ASP.NET AJAX 2021.1.224. It allows unauthorized access to MicrosoftAjax.js through the Telerik.Web.UI.WebResource.axd file. EPSS estimates a 2.24% chance of exploitation in the next 30 days.
Description
An issue was discovered in Progress Telerik UI for ASP.NET AJAX 2021.1.224. It allows unauthorized access to MicrosoftAjax.js through the Telerik.Web.UI.WebResource.axd file. This may allow the attacker to gain unauthorized access to the server and execute code. To exploit, one must use the parameter _TSM_HiddenField_ and inject a command at the end of the URI. NOTE: the vendor states that this is not a vulnerability. The request's output does not indicate that a "true" command was executed on the server, and the request's output does not leak any private source code or data from the server.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Progress | Telerik UI for ASP.NET AJAX | 2021.1.224 |
References
- https://gist.github.com/shreyasfegade/e2480e26b2ed1d0c7175ecf7cb15f9c1 (Exploit, Third Party Advisory)
- https://pastebin.com/JULpfvFJ (Exploit, Third Party Advisory)
Source: NVD / NIST
