News

Sitefinity Security Vulnerability - CRITICAL UPDATE

by Julie Cunningham - Director of Client Care | Sep 13, 2017

On Friday, September 1, 2017, Sitefinity notified all clients of a security vulnerability discovered in the RadAsyncUpload control, which is distributed with Sitefinity CMS as part of the Telerik UI for ASP.NET AJAX controls (Telerik.Web.UI.dll), that may put your website at risk.

As a result of our further investigation into the matter, Sitefinity has discovered that all Sitefinity websites are at risk of arbitrary file uploads to the server and/or remote code execution, regardless of whether they use the RadAsyncUpload control. This is a critical vulnerability. To ensure effective remediation, we urge you to update your website encryption keys in addition to applying the security patch for the Telerik.Web.UI.dll assembly distributed with your Sitefinity version.

Please see the Knowledge Base article for full instructions on how to update the encryption keys and apply the patch.
Sitefinity KB 82407

If you require assistance for this update, please email Iciniti Support.
Support will open a ticket and complete the update. If you are on a Priority Support Plan, this will be included in your annual cases. All other tickets will be billed for the time spent to complete the update on your behalf.

If you have any questions or concerns, please contact me at jcunningham@iciniti.com.

Thank you.