Hi Telerik team,
the "Contrast Security" tool we use shows us an "Untrusted Deserialization" vulnerability found on one of the ASPX (WebForms) pages where we use the RadMultiSelect control. (Our current version is 2021.1.119.45.)
Could you please suggest any options to fix it now?
Details:
Tracked the following data from "ctl00_Main_content_ddlMSelectMultipleStaff_ClientState...:
POST /vosnet/communications/scheduler/default.aspx
ctl00_Main_content_ddlMSelectMultipleStaff_ClientState={"enabled":true,"selectedItems":[],"deselectedItems":[],"value":[2613],"selectedDataItems":[{"text":"Skaggs","value":"2613","Lastname":"Skaggs","Userid":2613,"attributes":{"FullName":"Skaggs Kari","Color":"background-color:rgb(89,20,195);","ColorARGB":"5838019"}}]}&ctl00$textsize=.......SNIP...........
...which was accessed within the following code:
Telerik.Web.UI.RadMultiSelect.LoadPostData()
...and ended up being deserialized with code that looks like this:
m = serializer.Deserialize<M>("{"enabled":true,"selectedItems":[],"deselectedI...")