Vulnerability Description
An issue was discovered in Progress Telerik UI for ASP.NET AJAX 2021.1.224. It allows unauthorized access to MicrosoftAjax.js through the Telerik.Web.UI.WebResource.axd file. This may allow the attacker to gain unauthorized access to the server and execute code. To exploit, one must use the parameter _TSM_HiddenField_ and inject a command at the end of the URI. NOTE: the vendor states that this is not a vulnerability. The request's output does not indicate that a "true" command was executed on the server, and the request's output does not leak any private source code or data from the server.
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Progress | Telerik UI for ASP.NET AJAX | 2021.1.224 |
Related Weaknesses (CWE)
References
- https://gist.github.com/shreyasfegade/e2480e26b2ed1d0c7175ecf7cb15f9c1 (Exploit, Third Party Advisory)
- https://pastebin.com/JULpfvFJ (Exploit, Third Party Advisory)
FAQ
What is CVE-2021-28141?
CVE-2021-28141 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An issue was discovered in Progress Telerik UI for ASP.NET AJAX 2021.1.224. It allows unauthorized access to MicrosoftAjax.js through the Telerik.Web.UI.WebResource.axd file. This may allow the attack...
How severe is CVE-2021-28141?
CVE-2021-28141 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-28141?
Check the references section above for vendor advisories and patch information. Affected products include: Progress Telerik UI for ASP.NET AJAX.