Telerik and Kendo UI Products PdfViewer Component Cross-Site Scripting Vulnerability

Vulnerability

A Cross-Site Scripting (XSS) vulnerability has been identified in the PdfViewer component of several Telerik and Kendo UI products, including Telerik UI for ASP.NET Core, ASP.NET MVC and Blazor, and Kendo UI for Angular, jQuery and React. Only specific versions of these products are affected. The flaw is triggered when a specially crafted document is loaded into the viewer and the user then interacts with a viewer tool that forces the DOM to be re-rendered; the crafted document's content is reinserted into the page at that point.

Impact

An attacker who can get a victim to open a crafted document in the affected PdfViewer can execute arbitrary JavaScript in the victim's browser, within the origin of the application hosting the viewer. This could lead to theft of session data or other malicious actions carried out with the victim's privileges in that application.

Remediation

Users are advised to upgrade to the latest version of the Telerik or Kendo UI product they are using. The minimum fixed version varies by product: for Telerik UI for ASP.NET Core and ASP.NET MVC, upgrade to version 2025.2.702 or later; for Kendo UI for Angular, upgrade to version 19.2.0 or later; for Kendo UI for jQuery, upgrade to version 2025.2.702 or later; for KendoReact, upgrade to version 11.2.0 or later. No fixed version is given here for Telerik UI for Blazor; check the vendor's release notes for that product.
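The version thresholds above are what a dependency audit needs to test against. The following is an added example (not code from the advisory or from Telerik) that scans a package.json-style manifest for the affected packages and reports any entry whose lowest admitted version is below the fixed version. The npm package names are assumptions made for the example; the fixed versions are those listed in the remediation text. The sample manifest is constructed, not taken from a real project.

```javascript
// Added example: audit a dependency manifest against the fixed versions
// listed in this advisory. Package names are assumptions; the thresholds
// come from the advisory's remediation section.

// Minimum fixed version per (assumed) package name.
const FIXED_VERSIONS = {
  "@progress/kendo-ui": "2025.2.702",            // Kendo UI for jQuery
  "@progress/kendo-angular-pdfviewer": "19.2.0", // Kendo UI for Angular
  "@progress/kendo-react-pdf-viewer": "11.2.0",  // KendoReact
};

// Compare two dotted numeric versions such as "2025.1.227" and
// "2025.2.702". Returns a negative, zero or positive number like a
// comparator. Any non-numeric suffix (pre-release tag) is ignored, so a
// pre-release of the fixed version is treated as fixed; that is a
// deliberate simplification for this example.
function compareVersions(a, b) {
  const pa = a.split(".").map((x) => parseInt(x, 10) || 0);
  const pb = b.split(".").map((x) => parseInt(x, 10) || 0);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Strip npm range prefixes (^, ~, >=, =) to obtain the lowest version the
// range admits; that is the conservative value to compare with the fix,
// because a lockfile may pin anything from that floor upwards.
function baseVersion(spec) {
  return spec.replace(/^[\^~>=\s]+/, "");
}

// Return the affected entries from a package.json-like object as
// { name, installed, fixed } records.
function findVulnerable(manifest) {
  const deps = {
    ...(manifest.dependencies || {}),
    ...(manifest.devDependencies || {}),
  };
  const findings = [];
  for (const [name, spec] of Object.entries(deps)) {
    const fixed = FIXED_VERSIONS[name];
    if (!fixed) continue; // not one of the packages this advisory covers
    const installed = baseVersion(spec);
    if (compareVersions(installed, fixed) < 0) {
      findings.push({ name, installed, fixed });
    }
  }
  return findings;
}

// Constructed sample manifest (not from any real project): two entries
// below the fixed version, one exactly at it, one unrelated package.
const SAMPLE_MANIFEST = {
  dependencies: {
    "@progress/kendo-ui": "^2025.1.227",
    "@progress/kendo-angular-pdfviewer": "19.2.0",
    "@progress/kendo-react-pdf-viewer": "~11.1.0",
    react: "^18.2.0",
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // Expected: kendo-ui and kendo-react-pdf-viewer flagged, the Angular
  // package (already at 19.2.0) and react not flagged.
  console.log(findVulnerable(SAMPLE_MANIFEST));
}
```

For the ASP.NET Core and MVC products, which ship as NuGet packages rather than npm packages, build the same name-to-version map from the PackageReference entries in the project file and compare against 2025.2.702 with the same comparator; the four-part or three-part numeric Telerik version strings sort correctly field by field.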

Added: Jul 2, 2025, 3:20 PM
Updated: Jul 2, 2025, 3:20 PM

Vulnerability Rating

Custom Algorithm

spread          4.2
impact          1.7
exploitability  4.4
remediation     7.7
relevance       0.2
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.