CVE-2019-19790 : What You Need to Know

A vulnerability in RadChart in Telerik UI for ASP.NET AJAX allows an attacker to access and delete image files on the server by sending malicious requests with specific file extensions.

Understanding CVE-2019-19790

This CVE involves a path traversal vulnerability in RadChart, affecting all versions of the software.

What is CVE-2019-19790?

This vulnerability in RadChart in Telerik UI for ASP.NET AJAX enables an external attacker to read and remove image files on the server by sending a specially crafted request with specific file extensions.

The Impact of CVE-2019-19790

        Attackers can access and delete image files on the server, potentially leading to data loss or unauthorized access.
        RadChart has been discontinued since 2014, and users are advised to switch to RadHtmlChart to avoid this vulnerability.

Technical Details of CVE-2019-19790

This section provides detailed technical information about the vulnerability.

Vulnerability Description

The vulnerability allows attackers to exploit RadChart in Telerik UI for ASP.NET AJAX to access and delete image files on the server by sending malicious requests with specific file extensions.

Affected Systems and Versions

All versions of RadChart are affected by this vulnerability.

Exploitation Mechanism

Attackers can exploit this vulnerability by sending malicious requests with file extensions such as .BMP, .EXIF, .GIF, .ICON, .JPEG, .PNG, .TIFF, or .WMF.

Mitigation and Prevention

To protect systems from CVE-2019-19790, the following steps should be taken:

Immediate Steps to Take

        Remove RadChart's HTTP handler, identified as Telerik.Web.UI.ChartHttpHandler, from the web.config file.
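
A check for the step above, as an added example that is not from the original page or from Telerik: it parses a web.config, lists any remaining registrations of Telerik.Web.UI.ChartHttpHandler in the httpHandlers and handlers sections, and returns a copy with them removed. The sample config, the ChartImage.axd path, and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

HANDLER_TYPE = "Telerik.Web.UI.ChartHttpHandler"  # type name from the advisory
SECTIONS = {"httpHandlers", "handlers"}  # system.web and system.webServer sections

# Constructed sample web.config; paths and handler names are illustrative assumptions.
SAMPLE = """<configuration>
  <system.web>
    <httpHandlers>
      <add path="ChartImage.axd" verb="*" validate="false"
           type="Telerik.Web.UI.ChartHttpHandler" />
      <add path="Telerik.Web.UI.WebResource.axd" verb="*" validate="false"
           type="Telerik.Web.UI.WebResource" />
    </httpHandlers>
  </system.web>
  <system.webServer>
    <handlers>
      <add name="ChartImage_axd" path="ChartImage.axd" verb="*"
           type="Telerik.Web.UI.ChartHttpHandler, Telerik.Web.UI" />
    </handlers>
  </system.webServer>
</configuration>"""

def _local(tag):
    # Element name without an XML namespace prefix, if the config declares one.
    return tag.rsplit("}", 1)[-1]

def _registrations(root):
    """Yield (section, add_element) for each RadChart handler registration."""
    for section in root.iter():  # iter() also reaches sections inside <location>
        if _local(section.tag) in SECTIONS:
            for child in section:
                # type may be assembly-qualified: "Namespace.Type, Assembly, ..."
                type_name = child.get("type", "").split(",")[0].strip()
                if _local(child.tag) == "add" and type_name.lower() == HANDLER_TYPE.lower():
                    yield section, child

def find_chart_handlers(config_xml):
    """Return [(section name, path)] for every registration still present."""
    root = ET.fromstring(config_xml)
    return [(_local(s.tag), a.get("path", "")) for s, a in _registrations(root)]

def remove_chart_handlers(config_xml):
    """Return (config without the registrations, number removed); XML comments are dropped."""
    root = ET.fromstring(config_xml)
    hits = list(_registrations(root))  # collect first, then mutate the tree
    for section, add in hits:
        section.remove(add)
    return ET.tostring(root, encoding="unicode"), len(hits)
```

Because the rewritten XML loses comments and original formatting, use the removal function to confirm the result and make the actual edit to the deployed web.config by hand or through your configuration management.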

Long-Term Security Practices

        Transition to RadHtmlChart as RadChart has been discontinued.

Patching and Updates

Regularly update and patch software to prevent vulnerabilities like CVE-2019-19790.
