I need to upgrade C:\inetpub\wwwroot\Analytics\bin\Telerik.Web.UI.dll, security team flagged it. The current version is 2014.3.1024.45, and the minimum version to fix the vulnerability is 2020.1.114. How can I get this file?
1 Answer, 1 is accepted
Rumen
Telerik team
answered on 08 Sep 2025, 03:17 PM
Hi Yuri,
Thank you for reaching out and for sharing your concern. Let me clarify the situation:
Version 2014.3.1024.45 of Telerik.Web.UI.dll is affected by the following two serious security issues:
CVE-2019-18935 (.NET JavaScriptSerializer Deserialization) affects versions from 2010 up to 2019.3.917, including 2014. The fix is to upgrade to 2020.1.114, which was released as a free security update. I have attached that version to your private support ticket.
CVE-2025-3600 (Unsafe Reflection Vulnerability) affects versions from 2011.2.712 to 2025.1.218, including 2014. This issue is more recent and there is no free security patch available. To fully remediate this vulnerability, you would need to purchase a license for the latest Telerik UI for ASP.NET AJAX release and upgrade to it. If upgrading is not immediately possible, there are temporary mitigations 2 and 3 that do not require an upgrade.
Please note that applying mitigations 2 and 3 only reduces the risk – upgrading to the latest secure version remains the only complete solution.
Regarding licensing:
The free update to 2020.1.114 (fix for CVE-2019-18935) does not require a paid license.
For CVE-2025-3600, access to the patched and supported version requires a valid Telerik UI for ASP.NET AJAX license.
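The following PowerShell inventory check is an added example, not part of the original thread and not Telerik tooling: it finds every copy of Telerik.Web.UI.dll under a web root and reports which of the two version ranges quoted in the answer each file falls into. The `$Root` default, the function name `Get-TelerikExposure`, and the use of 2010.0.0 for the lower bound stated only as "2010" are assumptions.

```powershell
param(
    # Assumption: IIS content root; point this at wherever your sites are deployed.
    [string]$Root = 'C:\inetpub\wwwroot'
)

# Affected ranges exactly as quoted in the answer above (inclusive bounds).
# The answer gives the first range's lower bound only as "2010"; 2010.0.0 is an assumption.
$Advisories = @(
    [pscustomobject]@{ Id = 'CVE-2019-18935'; First = [version]'2010.0.0';   Last = [version]'2019.3.917' }
    [pscustomobject]@{ Id = 'CVE-2025-3600';  First = [version]'2011.2.712'; Last = [version]'2025.1.218' }
)

function Get-TelerikExposure {
    param([Parameter(Mandatory)][System.Diagnostics.FileVersionInfo]$Info)

    # Compare on three parts only. File versions carry a fourth part (e.g. .45),
    # and a four-part System.Version sorts ABOVE the same three-part bound, so a
    # file built as <last affected>.45 would otherwise be reported as not affected.
    $v = New-Object System.Version -ArgumentList $Info.FileMajorPart, $Info.FileMinorPart, $Info.FileBuildPart

    $ids = @($Advisories |
        Where-Object { $v -ge $_.First -and $v -le $_.Last } |
        ForEach-Object { $_.Id })

    [pscustomobject]@{
        Path     = $Info.FileName
        Version  = $Info.FileVersion
        Affected = $ids -join ', '   # empty string when outside both ranges
    }
}

# Walk the tree; bin folders of nested applications are picked up as well.
Get-ChildItem -Path $Root -Recurse -Filter 'Telerik.Web.UI.dll' -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-TelerikExposure -Info $_.VersionInfo } |
    Sort-Object Path |
    Format-Table -AutoSize -Wrap
```

For the file in the question (2014.3.1024.45) the `Affected` column lists both CVEs; after the free update to 2020.1.114 it still lists CVE-2025-3600, which matches the licensing note in the answer.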