Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-28141

An issue was discovered in Progress Telerik UI for ASP.NET AJAX 2021.1.224. It allows unauthorized access to MicrosoftAjax.js through the Telerik.Web.UI.WebResource.axd file. This may allow the attacker to gain unauthorized access to the server and execute code. To exploit, one must use the parameter _TSM_HiddenField_ and inject a command at the end of the URI. NOTE: the vendor states that this is not a vulnerability. The request's output does not indicate that a "true" command was executed on the server, and the request's output does not leak any private source code or data from the server

Published

2021-03-11T17:15:13.267

Last Modified

2025-06-30T13:06:41.513

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

6.4

Weaknesses

Type: Primary
CWE-862

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	progress	telerik_ui_for_asp.net_ajax	2021.1.224	Yes

References

https://gist.github.com/shreyasfegade/e2480e26b2ed1d0c7175ecf7cb15f9c1 Exploit, Third Party Advisory ([email protected])
https://pastebin.com/JULpfvFJ Exploit, Third Party Advisory ([email protected])
https://gist.github.com/shreyasfegade/e2480e26b2ed1d0c7175ecf7cb15f9c1 Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://pastebin.com/JULpfvFJ Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)