CVE-2021-28141: 
Telerik UI for ASP.NET AJAX vulnerability analysis and mitigation

An issue was discovered in Progress Telerik UI for ASP.NET AJAX 2021.1.224 that allows unauthorized access to MicrosoftAjax.js through the Telerik.Web.UI.WebResource.axd file. This vulnerability has been assigned CVE-2021-28141 and was initially disclosed on March 11, 2021. The vulnerability is currently marked as DISPUTED, as the vendor states that this is not a vulnerability (NVD).

The vulnerability involves unauthorized access through the Telerik.Web.UI.WebResource.axd file using the parameter TSMHiddenField_ with an injected command at the end of the URI. The vulnerability has received a CVSS v3.1 Base Score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. It is classified under CWE-862 (Missing Authorization) (NVD).

According to the initial assessment, this vulnerability could potentially allow an attacker to gain unauthorized access to the server and execute code. However, the vendor disputes this claim, stating that the request's output does not indicate that a true command was executed on the server, and the request's output does not leak any private source code or data from the server (NVD).

As this is a disputed vulnerability with the vendor stating it is not a security issue, no official patches or mitigations have been published. The vendor maintains that the request's output does not indicate successful command execution or data leakage (NVD).