Security Vulnerability: Telerik.Web.UI (version 2015.3.930.40)

  • 16 February 2021

  • Anonymous


Topic







A security scan might report a high-risk vulnerability in the Telerik.Web.UI (version 2015.3.930.40) assembly located at [installdir]BinControlPack ControlsTelerik.Web.UI







Additional Information







Although we are using a vulnerable version of Telerik, we have analyzed the vulnerabilities in depth, along with how we use the Telerik assembly, and there is currently no security risk from using this version of the control because the vulnerable methods are not in use. Requesting the URLs [k2site]/Runtime/Telerik.Web.UI.WebResource.axd and [k2site]/Runtime/Telerik.Web.UI.DialogHandler.aspx results in a 404 server error, which means the handlers cannot be reached, and therefore the vulnerability cannot be reached either.



 



In addition, we do not register any of the Telerik handlers in the web.config of the site, which can be verified by searching for "telerik" in the file. Telerik is used only for UI rendering and is not used in any way for client (browser) to server communication.



 



Upgrading to the latest version of the Telerik control is currently not an option due to technical and license restrictions.



 



In summary, while a vulnerable version of Telerik is in use, we do not use any of the vulnerable methods in the Product. This can be tested by attempting to load the following example URLs, which will result in a 404:



 



[k2site]/Runtime/Telerik.Web.UI.WebResource.axd



[k2site]/Runtime/Telerik.Web.UI.DialogHandler.aspx
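One way to make both checks repeatable, as an added example that is not K2's own code: it parses a web.config for handler registrations that reference Telerik (rather than relying on a plain text search) and, through `probe`, requests the two URLs above on your own site. The sample configs are constructed, and the function names are assumptions.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# The two handler endpoints named on this page, relative to [k2site]/Runtime/.
HANDLER_PATHS = ("Telerik.Web.UI.WebResource.axd", "Telerik.Web.UI.DialogHandler.aspx")

# Constructed sample: a web.config that DOES register both handlers (for contrast).
REGISTERED = """<configuration>
  <system.web><httpHandlers>
    <add path="Telerik.Web.UI.WebResource.axd" verb="*" type="Telerik.Web.UI.WebResource" />
  </httpHandlers></system.web>
  <location path="Runtime"><system.webServer><handlers>
    <add name="TelerikDialog" path="Telerik.Web.UI.DialogHandler.aspx" verb="*"
         type="Telerik.Web.UI.DialogHandler" />
  </handlers></system.webServer></location>
</configuration>"""

# Constructed sample: a web.config with no Telerik handler registrations.
UNREGISTERED = """<configuration>
  <system.webServer><handlers>
    <add name="ScriptResource" path="ScriptResource.axd" verb="GET"
         type="System.Web.Handlers.ScriptResourceHandler" />
  </handlers></system.webServer>
</configuration>"""

def telerik_handlers(config_xml):
    """Return (section, path, type) for each handler <add> that references Telerik."""
    hits = []
    for section in ET.fromstring(config_xml).iter():
        if section.tag in ("httpHandlers", "handlers"):  # classic and integrated pipeline
            for add in section.findall("add"):
                path, typ = add.get("path", ""), add.get("type", "")
                if "telerik" in f"{path} {typ}".lower():
                    hits.append((section.tag, path, typ))
    return hits

def probe(runtime_url, timeout=10):
    """Return {handler path: HTTP status} for your own site's Runtime URL; 404 is expected."""
    statuses = {}
    for path in HANDLER_PATHS:
        try:
            with urllib.request.urlopen(f"{runtime_url.rstrip('/')}/{path}", timeout=timeout) as r:
                statuses[path] = r.status
        except urllib.error.HTTPError as e:
            statuses[path] = e.code
    return statuses
```

An empty list from `telerik_handlers` together with 404 for both paths from `probe` matches the state described above; any other result means a handler is registered or reachable and the assessment should be revisited.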






