A vulnerability (CVE-2019-18935) has been identified in Telerik.Web.UI, a third-party library that ships with Geocortex Essentials. This library is used to display a file browser within the Geocortex Essentials Manager application.
The vulnerability applies to Geocortex Essentials versions 4.13.3 and older. To exploit this vulnerability, an attacker must have a valid sign-in to Geocortex Essentials Manager.
We recommend upgrading to Geocortex Essentials 4.14 to address this vulnerability. If upgrading is not an option, the following workarounds will also address the vulnerability.
- Geocortex Essentials 4.14.0 or newer
  - No action required
- Geocortex Essentials versions 4.9.0 through 4.13.3
  - Open C:\Program Files (x86)\Latitude Geographics\Geocortex Essentials\<instance>\REST Elements\Manager\Web.config in a text editor
  - Add the following app setting to the <appSettings> element:
    <add key="Telerik.Web.DisableAsyncUploadHandler" value="true" />
- Geocortex Essentials versions 4.0.0 through 4.8.2
  - Download Geocortex-Essentials-Patch-CVE-2019-18935.zip from the Files section below this article.
    - If you don't see the Files section, please Sign In to the Community.
  - Overwrite C:\Program Files (x86)\Latitude Geographics\Geocortex Essentials\<instance>\REST Elements\Manager\bin\Telerik.Web.UI.dll with the Telerik.Web.UI.dll file included in the patch
  - Open C:\Program Files (x86)\Latitude Geographics\Geocortex Essentials\<instance>\REST Elements\Manager\Web.config in a text editor
  - Add the following app setting to the <appSettings> element:
    <add key="Telerik.Web.DisableAsyncUploadHandler" value="true" />
Note: If a machine has multiple instances of Geocortex Essentials, you need to patch each instance separately.
Other Geocortex products do not use Telerik.Web.UI and are not affected by this vulnerability. For more information about the vulnerability, please refer to Telerik's website: https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization
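Because the Web.config change has to be made in every instance, the following PowerShell script (an added example, not part of the original article and not a Geocortex tool) reports for each instance folder whether the app setting is present, and adds it when run with -Fix. The parameter names $Root and $Fix and the backup location are assumptions of this example; for versions 4.0.0 through 4.8.2 the Telerik.Web.UI.dll replacement still has to be done by hand.

```powershell
# Added example. Run from an elevated prompt; -Fix writes to Web.config.
param(
    # Default install path as given in the article; override for custom installs.
    [string]$Root = 'C:\Program Files (x86)\Latitude Geographics\Geocortex Essentials',
    [switch]$Fix   # hypothetical switch: without it the script only reports
)

$key = 'Telerik.Web.DisableAsyncUploadHandler'

Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
    $config = Join-Path $_.FullName 'REST Elements\Manager\Web.config'
    if (-not (Test-Path -LiteralPath $config)) { return }  # not an instance folder

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true          # keep the file's existing layout
    $xml.Load($config)

    $appSettings = $xml.SelectSingleNode('/configuration/appSettings')
    $status = 'appSettings not found - edit manually'
    if ($appSettings) {
        $node = $appSettings.SelectSingleNode("add[@key='$key']")
        if ($node -and $node.GetAttribute('value') -eq 'true') {
            $status = 'set'
        } elseif (-not $Fix) {
            $status = 'MISSING'
        } else {
            # Keep the backup outside the web root so it is never served.
            $backup = Join-Path $env:TEMP "$($_.Name)-Manager-Web.config.bak"
            Copy-Item -LiteralPath $config -Destination $backup -Force
            if (-not $node) {
                $node = $xml.CreateElement('add')
                $node.SetAttribute('key', $key)
                [void]$appSettings.AppendChild($node)
            }
            $node.SetAttribute('value', 'true')   # also corrects value="false"
            $xml.Save($config)
            $status = "added (backup: $backup)"
        }
    }

    # One row per instance, so unpatched instances stand out in the output.
    [pscustomobject]@{ Instance = $_.Name; Status = $status; Config = $config }
}
```

Run it once without -Fix to list instances reported as MISSING, then again with -Fix to apply the setting.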