9.8

CVE-2021-28141

Exploit

EPSS 1.04%
Veröffentlicht 11.03.2021 17:15:13
Zuletzt bearbeitet 30.06.2025 13:06:41
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

An issue was discovered in Progress Telerik UI for ASP.NET AJAX 2021.1.224. It allows unauthorized access to MicrosoftAjax.js through the Telerik.Web.UI.WebResource.axd file. This may allow the attacker to gain unauthorized access to the server and execute code. To exploit, one must use the parameter _TSM_HiddenField_ and inject a command at the end of the URI. NOTE: the vendor states that this is not a vulnerability. The request's output does not indicate that a "true" command was executed on the server, and the request's output does not leak any private source code or data from the server

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Progress ≫ Telerik Ui For Asp.Net Ajax Version2021.1.224

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.04%	0.765

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://gist.github.com/shreyasfegade/e2480e26b2ed1d0c7175ecf7cb15f9c1

Third Party Advisory

Exploit

https://pastebin.com/JULpfvFJ

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2021-28141

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-28141

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-28141

EUVD