Attacker Value: High (2 users assessed)
Exploitability: High (2 users assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

CVE-2019-18935

Disclosure Date: December 11, 2019
Exploited in the Wild
Reported by ccondon-r7

Description

Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. It is exploitable when the RadAsyncUpload encryption keys are known, for example because the same installation is also affected by CVE-2017-11317 or CVE-2017-11357, or because the keys were obtained by other means. Exploitation can result in remote code execution. As of 2020.1.114, a default setting prevents the exploit; in 2019.3.1023, but not in earlier versions, a non-default setting can prevent exploitation.
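As an added example (not part of this page, and not Progress/Telerik code), the following Python helper triages a Telerik UI for ASP.NET AJAX build against the version thresholds the description gives: through 2019.3.1023 vulnerable, 2019.3.1023 mitigable with a non-default setting, 2020.1.114 and later protected by default. It reads the Version= attribute of a Telerik.Web.UI assembly reference as it appears in an ASP.NET web.config; the web.config fragment and its PublicKeyToken value below are constructed placeholders. The helper does not check whether the non-default hardening setting is applied or whether the encryption keys are exposed, so a 2019.3.1023 result still needs a manual review of the configuration.

```python
"""Triage helper for CVE-2019-18935: classify a Telerik UI for ASP.NET AJAX
build against the version thresholds stated in the description above.
Added example, not code from the advisory or from Progress/Telerik."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Thresholds taken from the description: builds through 2019.3.1023 expose the
# RadAsyncUpload deserialization path; 2019.3.1023 alone can disable it with a
# non-default setting; 2020.1.114 and later disable it by default.
LAST_VULNERABLE_BUILD: Version = (2019, 3, 1023)
OPT_IN_MITIGATION_BUILD: Version = (2019, 3, 1023)
FIRST_DEFAULT_SAFE_BUILD: Version = (2020, 1, 114)

# Matches the Version= attribute of a Telerik.Web.UI assembly reference, e.g.
# 'Telerik.Web.UI, Version=2019.3.1023.45, Culture=neutral, PublicKeyToken=...'
ASSEMBLY_REF = re.compile(
    r"Telerik\.Web\.UI,\s*Version=(\d+)\.(\d+)\.(\d+)(?:\.\d+)?"
)


def parse_telerik_version(text: str) -> Optional[Version]:
    """Return (year, release, build) from the first Telerik.Web.UI assembly
    reference found in text, or None. The fourth (revision) component is
    dropped because the thresholds above use three components."""
    match = ASSEMBLY_REF.search(text)
    if match is None:
        return None
    year, release, build = (int(g) for g in match.groups())
    return (year, release, build)


def classify(version: Version) -> str:
    """Map a build to the exposure state the description assigns to it."""
    if version >= FIRST_DEFAULT_SAFE_BUILD:
        return "protected-by-default"
    if version == OPT_IN_MITIGATION_BUILD:
        return "vulnerable-unless-hardened"  # verify the non-default setting
    if version < LAST_VULNERABLE_BUILD:
        return "vulnerable"
    # Builds after 2019.3.1023 and before 2020.1.114 are not addressed by the
    # description, so do not guess.
    return "not-covered-by-description"


def triage_web_config(web_config: str) -> str:
    """Classify the Telerik.Web.UI build referenced in a web.config body."""
    version = parse_telerik_version(web_config)
    if version is None:
        return "no-telerik-reference"
    return classify(version)


# Constructed web.config fragment; the PublicKeyToken is a placeholder, not
# Telerik's real signing key token.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <compilation>
      <assemblies>
        <add assembly="Telerik.Web.UI, Version=2019.3.1023.45, Culture=neutral, PublicKeyToken=0000000000000000" />
      </assemblies>
    </compilation>
  </system.web>
</configuration>
"""

if __name__ == "__main__":
    print(triage_web_config(SAMPLE_WEB_CONFIG))  # vulnerable-unless-hardened
```

Run it against each application's web.config (or against the assembly reference strings collected from an inventory tool) to sort installations into "vulnerable", "vulnerable-unless-hardened" and "protected-by-default" buckets; anything reported as "not-covered-by-description" should be checked against the vendor's release notes rather than assumed safe.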

Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Technical Analysis

We’re consistently seeing reports of this vulnerability being exploited in the wild and used to compromise organizations. I’m upping its attacker value rating based on the fact that evidently attackers are finding value in it.
