Speakerbus have been made aware of two vulnerabilities affecting the Telerek UI for ASP.NET AJAX tools, as used in the iManager Centralised Management System (iCMS) configuration portal.
This vulnerability only affects the iCMS solution.
Both CVEs relate to the Telerik ‘RadAsyncUpload’ function. This is used in the following iManager functionality:
- Importing corporate directory
- Importing user personal directory
- Uploading iSeries device feature keys file
These functions are behind a password protected login and are not publicly accessible. Speakerbus have evaluated the exploitation risk as Low. Speakerbus are currently developing a new release of iCMS which protects the Telerik function from exploitation in the future.
The new build is expected to be made available in January 2018.
For further information please contact your regional partner or our service desk. http://www.speakerbus.com/helpdesk/