Unrestricted File Upload in RadAsyncUpload

Problem

Security vulnerabilities CVE-2014-2217 and CVE-2017-11317: weak encryption was used in old versions of Telerik.Web.UI to encrypt the data used by RadAsyncUpload.

Description

An exploit can result in arbitrary file uploads and/or remote code execution.

Solutions

Because of the .NET JavaScriptSerializer Deserialization vulnerability (CVE-2019-18935), we strongly recommend upgrading to R1 2020 (version 2020.1.114) or later, since the patches provided for CVE-2014-2217 and CVE-2017-11317 do not prevent it.

Deprecated Solutions

- Introduction and mitigation paths for all versions.
- Instructions for versions between Q1 2011 (2011.1.315) and R3 2016 SP2 (2016.3.1027).
- Instructions for versions between R1 2017 (2017.1.118) and R2 2017 SP1 (2017.2.621).
- Instructions for versions between R2 2017 SP2 (2017.2.711) and R3 2019 (2019.3.917).
- Instructions for versions R3 2019 SP1 (2019.3.1023) and later.
- Recommendations for improved security.

Notes

We would like to thank Paul Taylor / Foregenix Ltd and Markus Wulftange of Code White GmbH for assisting with making the information public.

External References

- CVE-2014-2217
- CVE-2017-11317

See Also

- Security
- Cryptographic Weakness
- Insecure Direct Object Reference
- Allows JavaScriptSerializer Deserialization
- Blue Mockingbird Vulnerability Picks up Steam—Telerik Guidance
- UploadedFiles.SaveAs Throws FileNotFoundException with Custom Handler
- Implications for Sitefinity websites
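Since the only recommended fix is a version upgrade, the first thing a defender needs is an inventory of which deployed copies of Telerik.Web.UI.dll are still below R1 2020 (2020.1.114). The script below is an added example, not code from the Telerik article or from Progress; it assumes a web root of C:\inetpub\wwwroot (change the `-Root` parameter for your servers) and that the assembly version stamped into Telerik.Web.UI.dll follows the same year.release.build numbering as the product versions quoted in the article.

```powershell
# Added example (not from the Telerik article): inventory every Telerik.Web.UI.dll
# under a web root and flag copies older than R1 2020 (2020.1.114), the minimum
# version the article recommends because earlier patches do not cover CVE-2019-18935.
param(
    # Assumed web root; point this at each IIS site or application folder you own.
    [string]$Root = 'C:\inetpub\wwwroot',
    # Threshold taken from the article's Solutions section.
    [version]$MinimumSafe = [version]'2020.1.114'
)

$findings = Get-ChildItem -Path $Root -Filter 'Telerik.Web.UI.dll' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        try {
            # AssemblyName.GetAssemblyName reads the assembly metadata without loading it
            # into this process; assumption: its version matches the product numbering.
            $asmVersion = [System.Reflection.AssemblyName]::GetAssemblyName($_.FullName).Version
            [pscustomobject]@{
                Path       = $_.FullName
                Version    = $asmVersion
                Vulnerable = ($asmVersion -lt $MinimumSafe)
            }
        }
        catch {
            # Unreadable or non-.NET file: report it so nothing is silently skipped.
            [pscustomobject]@{
                Path       = $_.TargetObject
                Version    = $null
                Vulnerable = 'unknown'
            }
        }
    }

# Vulnerable copies first so they stand out in the report.
$findings | Sort-Object Vulnerable -Descending | Format-Table -AutoSize

# Non-zero exit code lets a scheduled job or CI step fail when old builds remain.
if ($findings | Where-Object { $_.Vulnerable -eq $true }) { exit 1 }
```

Run it as an account that can read every application's bin folder; a clean run prints only versions at or above 2020.1.114 and exits 0. Because the article notes that the earlier CVE-2014-2217 and CVE-2017-11317 patches do not address CVE-2019-18935, the threshold is deliberately the R1 2020 build rather than any of the intermediate "deprecated solutions" versions.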