CVE-2018-17060
Description
All versions of the obsolete Telerik Extensions for ASP.NET MVC allow remote attackers to read arbitrary files inside the server's web directory due to a missing request whitelist.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Telerik Extensions for ASP.NET MVC, obsolete since June 2013, does not implement a request whitelist in any version. This allows a remote attacker to bypass intended access controls and read arbitrary files located inside the server's web directory [1]. No version is exempt; the product is end-of-life.
Exploitation
A remote attacker needs only network access to the web application. No authentication is required. The attacker sends crafted HTTP requests to the vulnerable application, which processes them without verifying the target path against an allowed list, thereby serving files from the web directory [1].
Impact
Successful exploitation leads to unauthorized disclosure of files from the web root. This may include sensitive configuration files, source code, or other data that should not be publicly accessible, resulting in a confidentiality breach [1][2].
Mitigation
The Telerik Extensions for ASP.NET MVC product has been obsolete since June 2013 and no security patches are available. The vendor recommends migrating to the current Telerik UI for ASP.NET MVC suite, which does not contain this vulnerability [2]. There is no workaround for the affected product.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| TelerikMvcExtensions (NuGet) | <= 2013.1.219 | — |
Affected products (1)
Patches (0)
No patches discovered yet.
References (3)
- github.com/advisories/GHSA-8h7p-qjv8-9mp4 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-17060 (ghsa, ADVISORY)
- www.telerik.com/support/code-library/security-alert-for-the-obsolete-telerik-extensions-for-asp-net-mvc (ghsa, x_refsource_CONFIRM, WEB)