Mehul Harry's DevExpress Blog



Mehul Harry is the DevExpress Web Program Manager. Follow him on Twitter: @Mehulharry



ASP.NET AJAX Control Toolkit - v17.1.1 - Security Improved and Issues Fixed

As part of our continuous effort to find and patch security issues, we recently discovered a few vulnerabilities in the ASP.NET AJAX Control Toolkit library.

We have fixed and patched these vulnerabilities along with a few public issues in the v17.1.1 release that is now available.

I recommend that you upgrade to the latest ASP.NET AJAX Control Toolkit release as soon as possible.

Security Vulnerabilities

We discovered and fixed the following three major vulnerabilities:

  • Uploading a file with an arbitrary extension
  • A DoS attack on the server where the AjaxFileUpload control is located
  • Obtaining information about files outside the temporary upload folder

To protect those websites that may not have upgraded to the latest release, we have not published the details of these vulnerabilities on GitHub.

Bug fixes

We've also patched three issues that were reported to us on GitHub:

AjaxFileUpload Issue

  • Item 327 - AjaxFileUpload events have an invalid sender

HtmlEditorExtender Issues

  • Item 320 - HtmlEditorExtender generates an extra "br" tag
  • Item 324 - HtmlEditor does not show toolbar images when EnablePartialRendering=true

Update to v17.1.1 (or higher)

Please upgrade your ASP.NET AJAX Control Toolkit version to the latest version. You can download our useful installer here:

Or use the NuGet libraries:

ASP.NET AJAX Control Toolkit NuGet packages

Then give us your feedback on GitHub.

Try DevExpress ASP.NET

We’d like to thank you for installing the DevExpress Edition of the AJAX Control Toolkit and look forward to your feedback as you begin using it.

When we took over the fabulous ASP.NET AJAX Control Toolkit, our goal was to reach those web developers who want to use great web user interface controls for their web projects and DevExpress ASP.NET provides that and much more.

Try the free DevExpress 30 day trial.


Twitter: @mehulharry


Published May 26 2017, 12:45 PM by
