CRITICAL🇵🇱 Wersja polska

CVE-2021-28141

CVSS 9.8v3.1pub. 2021-03-11upd. 2025-06-30

An issue was discovered in Progress Telerik UI for ASP.NET AJAX 2021.1.224. It allows unauthorized access to MicrosoftAjax.js through the Telerik.Web.UI.WebResource.axd file. This may allow the attacker to gain unauthorized access to the server and execute code. To exploit, one must use the parameter _TSM_HiddenField_ and inject a command at the end of the URI. NOTE: the vendor states that this is not a vulnerability. The request's output does not indicate that a "true" command was executed on the server, and the request's output does not leak any private source code or data from the server

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Progress Telerik Ui For Asp.net Ajax

    APP
    Progress
    2021.1.224
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2017-11357CRITICAL9.8⚠ KEVten sam produkt

Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUploa...

CVE-2019-19790CRITICAL9.8ten sam produkt

Path traversal in RadChart in Telerik UI for ASP.NET AJAX allows a remote attacker to read and delete an image...

CVE-2026-6022HIGH7.5ten sam produkt

In Progress® Telerik® UI for AJAX prior to 2026.1.421, RadAsyncUpload contains an uncontrolled resource consum...

CVE-2026-6023HIGH8.1ten sam produkt

In Progress® Telerik® UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable...

CVE-2025-3600HIGH7.5ten sam produkt

In Progress® Telerik® UI for AJAX, versions 2011.2.712 to 2025.1.218, an unsafe reflection vulnerability exist...