A security vulnerability has been identified in the old Telerik Extensions for ASP.NET MVC, a product that has been discontinued since June 2013. It applies to all versions of the product and allows unrestricted file reading, which can give access to files inside the server's web directory. The vulnerability is tracked as CVE-2018-17060.
This issue is not present in any version of the current Telerik UI for ASP.NET MVC or Telerik UI for ASP.NET Core product suites.
Our sincere thanks to Arseniy Sharoglazov (Kaspersky Lab), who found and reported this vulnerability.