VDB
GHSA-52hx-8455-4qwv
PUBLISHED
Exploit Intelligence
- Telerik UI for ASP.NET AJAX File upload and .NET deserialisation exploit (CVE-2017-11317, CVE-2017-11357, CVE-2019-18935) (github-poc-repo)
- The insecure deserialization of JSON objects in Telerik UI for ASP.NET results in arbitrary remote code execution. An attacker can break the RadAsyncUpload encryption (or have prior knowledge of your custom encryption keys) and stage a malicious request. Affects: v2011.1.315 - 2017.2.621 without keys; v2011.1.315 - 2020.1.114 with encryption keys. Big Ups: Markus Wulftange (@mwulftange) && Paul Taylor (@bao7uo). Ref: https://github.com/noperator/CVE-2019-18935 See: https://github.com/bao7uo/RAU_... (nmap-nse)
- kev.json (github-poc)
- data.js (github-poc)
Timeline
- CVE Published
- May 17, 2020 PoC Published
- Apr 9, 2026 Security Advisory