Cross-site scripting (XSS) vulnerability in Telerik UI for ASP.NET AJAX RadEditor control 2014.1.403.35, 2009.3.1208.20, and other versions allows remote attackers to inject arbitrary web script or HTML via CSS expressions in style attributes.
{"securityvulns": [{"lastseen": "2018-08-31T11:10:54", "bulletinFamily": "software", "cvelist": ["CVE-2014-4958"], "description": "\r\n\r\nAll versions of the popular UI for ASP.NET AJAX RadEditor Control product by Telerik may be affected by a high-risk stored attribute-based cross-site scripting (XSS) vulnerability that is assigned CVE-2014-4958. This WYSIWYG rich text editor is \u201c...what Microsoft chose to use in MSDN, CodePlex, TechNet, MCMS and even as an alternative to the default editor in SharePoint.\u201d\r\n\r\nPersonally tested and confirmed are versions: 2014.1.403.35 (much newer) and 2009.3.1208.20 (much older) using Internet Explorer 8, version 8.0.7601.17514. However, all versions from Telerik at this time may be vulnerable and will continue to be until a patch is released. A workaround may be available.\r\n\r\nMore information on the vulnerability: http://maverickblogging.com/disclosing-cve-2014-4958-stored-attribute-based-cross-site-scripting-xss-vulnerability-in-telerik-ui-for-asp-net-ajax-radeditor-control/\r\n\r\nRemediation: Telerik states: We have applied a patch to the editor that will be delivered with our Q3 edition of the controls that should be released towards the end of October. 
A blog post on the issue has been published here: http://blogs.telerik.com/blogs/14-09-24/securing-radeditor-content-and-preventing-xss-attacks\r\n\r\nAdditional credit goes to Tyler Hoyle and the rest of my team in CGI Federal\u2019s Emerging Technologies Security Practice for their hard work.\r\n\r\n", "edition": 1, "modified": "2014-10-14T00:00:00", "published": "2014-10-14T00:00:00", "id": "SECURITYVULNS:DOC:31198", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31198", "title": "CVE-2014-4958: Stored Attribute-Based Cross-Site Scripting (XSS) Vulnerability in Telerik UI for ASP.NET AJAX RadEditor Control", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2021-06-08T18:46:26", "description": "PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.", "edition": 2, "cvss3": {}, "published": "2014-10-14T00:00:00", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-4958", "CVE-2014-5450", "CVE-2014-4737", "CVE-2014-5516", "CVE-2014-5375", "CVE-2014-7138", "CVE-2014-5258", "CVE-2014-6035", "CVE-2014-4735", "CVE-2014-6300", "CVE-2014-4954", "CVE-2014-4986", "CVE-2014-0103", "CVE-2014-5447", "CVE-2014-6034", "CVE-2014-4955", "CVE-2014-5451", "CVE-2014-5259", "CVE-2014-4348", "CVE-2014-4349", "CVE-2014-6036", "CVE-2014-7217", "CVE-2014-6243", "CVE-2014-6242", "CVE-2014-5376", "CVE-2014-1608", "CVE-2014-5273", "CVE-2014-5300", "CVE-2014-6315", "CVE-2014-5297", "CVE-2014-5449", "CVE-2014-5448", "CVE-2014-5460", "CVE-2014-4987", "CVE-2014-7295", "CVE-2014-1609", "CVE-2014-5274", "CVE-2014-7139", "CVE-2014-5298"], "modified": "2014-10-14T00:00:00", "id": "SECURITYVULNS:VULN:14008", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14008", "cvss": {"score": 7.5, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "threatpost": [{"lastseen": "2018-10-06T22:58:04", "bulletinFamily": "info", "cvelist": ["CVE-2014-4958"], "description": "All versions of an HTML editor used in several Microsoft technologies, including ASP.NET, suffer from a high-risk cross-site scripting (XSS) vulnerability that could allow an attacker to inject malicious script and glean private information.\n\nThe problem exists in all versions of RadEditor, a WYSIWYG text editor manufactured by Bulgaria-based firm Telerik, according to security researcher G.S. McNamara, who disclosed the vulnerability on [his blog late last week](<http://maverickblogging.com/disclosing-cve-2014-4958-stored-attribute-based-cross-site-scripting-xss-vulnerability-in-telerik-ui-for-asp-net-ajax-radeditor-control/>).\n\n\u201cTechnically speaking, this is a massive hole in how existing input validation security filters work in unison,\u201d McNamara said in an email Thursday to Threatpost regarding the vulnerability.\n\nThe editor, which allows users to input rich-text, is used to varying degrees in Microsoft products like [MSDN, CodePlex, TechNet, and MCMS, along with some Sharepoint and ASP.NET implementations](<http://demos.telerik.com/aspnet-ajax/editor/examples/overview/defaultcs.aspx>).\n\n\u201cIt\u2019s a silent killer, too, because at least one commercial penetration-testing tool failed to find it\u201d McNamara said, \u201cYou just get a false negative.\u201d\n\nMcNamara initially found the vulnerability (CVE-2014-4958) in a 2009 version (2009.3.1208.20) of the product on Internet Explorer along with a 2014 version but suggests it could have existed in previous iterations of the editor.\n\n\u201cI just had a hunch and followed it obsessively, manually,\u201d McNamara said of his search for the bug, which he first dug up on July 9.\n\nFrom there it took about two months of going back and forth with the company.\n\nWhen he first contacted Telerik\u2019s 
Customer Support department, it insisted the bug had already been fixed. To prove his case McNamara forwarded the company his exploit code. When Telerik still wouldn\u2019t put him in touch with anyone in charge of security, McNamara ultimately had to go through what he calls \u201cunofficial channels,\u201d by sending a personal email to a Telerik employee\u2019s Gmail account in late August, to finally get the ball rolling.\n\nIt wasn\u2019t until earlier this month that the researcher and the company agreed to coordinate a disclosure. Yet after two weeks of radio silence from Telerik \u2013 McNamara claims he made multiple phone calls, emails, requests to high-level account managers \u2013 he decided to disclose the bug independently \u2014 only to have the company release its information \u201cout of the blue,\u201d hours before he was planning on releasing his, last Wednesday.\n\n\u201cResolving this politely was tough,\u201d McNamara admits, claiming the issue lasted as long as it did due to a lapse in responsibility.\n\n\u201cThis is a technical product sold to technical developers, and Telerik wanted the developers to share the responsibility of security. The developers probably didn\u2019t know that,\u201d McNamara said.\n\nWhile RadEditor\u2019s filters cover some attack vectors \u2013 namely the RemoveScripts filter to strip out script tags \u2013 the attack technique that McNamara used \u201cis not your typical XSS.\u201d\n\n\u201cBy using lesser-known attacks I found a way through,\u201d McNamara said, adding that he put to use some old research by WhiteHat Security\u2019s Jeremiah Grossman to help dig up the vulnerability.\n\nSpecifically the vulnerability employs attribute-based cross-site scripting without relying on JavaScript tags. 
It\u2019s also harder to detect because the web editor has to process many different obfuscated elements, notably dynamic properties like CSS Expressions, used in older builds of IE, in addition to JavaScript.\n\nIn a blog entry Telerik [posted on Wednesday](<http://blogs.telerik.com/blogs/14-09-24/securing-radeditor-content-and-preventing-xss-attacks>) the company addressed the issue and gave credit to McNamara but stood pat on its stance that the responsibility of sanitizing content to prevent threats should fall to the developer.\n\n\u201cIt is always the duty of the developer to implement the necessary content validation,\u201d Nikodim Lazarov, one of the company\u2019s senior software developers wrote.\n\nThe company is slated to push out a patch for the issue but not until it updates the Q3 edition of its controls, in late October. In the meantime Telerik is [giving users a workaround](<http://feedback.telerik.com/Project/108/Feedback/Details/137364-prevent-possible-xss-attack-in-radeditor-using-malicious-content-in-ie>) that it\u2019s strongly recommending users follow until its patch is pushed.\n\nMcNamara, who works as an application security engineer at the IT services provider CGI, says that he\u2019s planning to do further research in his spare time on other rich text editors like RadEditor to see if he can find similar problems.\n\n\u201cMost of the company\u2019s user base is likely unaware that they silently integrated a high-risk vulnerability into their site,\u201d McNamara says of bug in closing, \u201cSystem owners signed off on this without knowing.\u201d\n", "modified": "2014-10-01T19:22:03", "published": "2014-09-29T12:15:03", "id": "THREATPOST:DDF98CD337434196370FDCA7D39C0ED0", "href": "https://threatpost.com/radeditor-web-editor-vulnerable-to-xss-attacks/108594/", "type": "threatpost", "title": "Web Editor Vulnerable To XSS Attacks", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "ics": 
[{"lastseen": "2022-04-26T21:45:47", "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 9.8**\n * **ATTENTION: **Exploitable remotely/low skill level to exploit\n * **Vendor:** Hitachi ABB Power Grids\n * **Equipment: **eSOMS Telerik\n * **Vulnerabilities:** Path Traversal, Deserialization of Untrusted Data, Improper Input Validation, Inadequate Encryption Strength, Insufficiently Protected Credentials, Path Traversal\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of these vulnerabilities could allow an attacker to upload malicious files to the server, discover sensitive information, or execute arbitrary code.\n\n## 3\\. TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nHitachi ABB Power Grids reports the vulnerabilities affect the following eSOMS products: \n\n * eSOMS, all versions prior to 6.3 using a version of Telerik software \n\n### 3.2 VULNERABILITY OVERVIEW\n\n#### 3.2.1 [PATH TRAVERSAL CWE-22](<https://cwe.mitre.org/data/definitions/22.html>)\n\nPath traversal in RadChart in Telerik UI for ASP.NET AJAX allows a remote attacker to read and delete an image with extension .BMP, .EXIF, .GIF, .ICON, .JPEG, .PNG, .TIFF, or .WMF on the server through a specially crafted request. \n\n[CVE-2019-19790](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19790>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.2 [DESERIALIZATION OF UNTRUSTED DATA CWE-502](<https://cwe.mitre.org/data/definitions/502.html>)\n\nProgress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known. \n\n[CVE-2019-18935](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18935>) has been assigned to this vulnerability. 
A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.3 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nProgress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code. \n\n[CVE-2017-11357](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11357>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.4 [INADEQUATE ENCRYPTION STRENGTH CWE-326](<https://cwe.mitre.org/data/definitions/326.html>)\n\nTelerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 uses weak RadAsyncUpload encryption, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code. \n\n[CVE-2017-11317](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11317>) has been assigned to this vulnerability. 
A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.5 [INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522](<https://cwe.mitre.org/data/definitions/522.html>)\n\nTelerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise. \n\n[CVE-2017-9248](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9248>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.6 [PATH TRAVERSAL CWE-22](<https://cwe.mitre.org/data/definitions/22.html>)\n\nAbsolute path traversal vulnerability in the RadAsyncUpload control in the RadControls in Telerik UI for ASP.NET AJAX before Q3 2012 SP2 allows remote attackers to write to arbitrary files, and consequently execute arbitrary code, via a full pathname in the UploadID metadata value. \n\n[CVE-2014-2217](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2217>) has been assigned to this vulnerability. 
A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.7 [PATH TRAVERSAL CWE-22](<https://cwe.mitre.org/data/definitions/22.html>)\n\nCross-site scripting (XSS) vulnerability in Telerik UI for ASP.NET AJAX RadEditor control 2014.1.403.35, 2009.3.1208.20, and other versions allows remote attackers to inject arbitrary web script or HTML via CSS expressions in style attributes. \n\n[CVE-2014-4958](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4958>) has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N>)).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Energy\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION: **Switzerland\n\n### 3.4 RESEARCHER\n\nHitachi ABB Power Grids reported these vulnerabilities to CISA.\n\n## 4\\. MITIGATIONS\n\nHitachi ABB Power Grids has published an [advisory for eSOMS Telerik](<https://search.abb.com/library/Download.aspx?DocumentID=9AKK107991A8943&LanguageCode=en&DocumentPartId=&Action=Launch>) and advises users to update to eSOMS Version 6.3 as soon as possible. \n\nFor additional information and support, contact a product provider or Hitachi ABB Power Grids service organization. For contact information, visit [Hitachi ABB Power Grids contact-centers](<https://www.hitachiabb-powergrids.com/contact-us/>).\n\nRecommended security practices and firewall configurations can help protect a process control network from attacks that originate from outside the network. 
Such practices include ensuring applications and servers are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, are separated from other networks by means of a firewall system that has a minimal number of ports exposed, and others that must be evaluated case by case. Sensitive application servers should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nCISA also provides a section for [control systems security recommended practices](<https://us-cert.cisa.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B>). 
\n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target these vulnerabilities.\n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/icsa-21-077-03>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-18T00:00:00", "type": "ics", "title": "Hitachi ABB Power Grids eSOMS Telerik", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", 
"baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2217", "CVE-2014-4958", "CVE-2017-11317", "CVE-2017-11357", "CVE-2017-9248", "CVE-2019-18935", "CVE-2019-19790"], "modified": "2021-03-18T00:00:00", "id": "ICSA-21-077-03", "href": "https://www.us-cert.gov/ics/advisories/icsa-21-077-03", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}