ASP.NET AJAX Control Toolkit - v17.1.1 - Security Improved and Issues Fixed

ASP.NET Team Blog
26 May 2017

As part of our continuous effort to find and patch security issues, we recently discovered a few vulnerabilities in the ASP.NET AJAX Control Toolkit library.

We have fixed and patched these vulnerabilities along with a few public issues in the v17.1.1 release that is now available.

I recommend that you upgrade to the latest ASP.NET AJAX Control Toolkit release as soon as possible.

Security Vulnerabilities

We discovered and fixed the following three major vulnerabilities:

  • Uploading a file with an arbitrary extension
  • A DoS attack on the server where the AjaxFileUpload control is located
  • Disclosure of information about files outside the temporary upload folder

To protect those websites that may not have upgraded to the latest release, we have not published the details of these vulnerabilities on GitHub.

Bug fixes

We've also patched three issues that were reported to us on GitHub:

AjaxFileUpload Issue

  • Item 327 - AjaxFileUpload events have an invalid sender

HtmlEditorExtender Issues

  • Item 320 - HtmlEditorExtender generates an extra "br" tag
  • Item 324 - HtmlEditor does not show toolbar images when EnablePartialRendering=true

Update to v17.1.1 (or higher)

Please upgrade your ASP.NET AJAX Control Toolkit version to the latest version. You can download our useful installer here:

Or use the NuGet libraries:

ASP.NET AJAX Control Toolkit NuGet packages

Then give us your feedback on GitHub.

Try DevExpress ASP.NET

We’d like to thank you for installing the DevExpress Edition of the AJAX Control Toolkit and look forward to your feedback as you begin using it.

When we took over the fabulous ASP.NET AJAX Control Toolkit, our goal was to reach those web developers who want to use great web user interface controls for their web projects and DevExpress ASP.NET provides that and much more.

Try the free DevExpress 30-day trial.


Twitter: @mehulharry
