Telerik recently announced a vulnerability in their controls, which AspDotNetStorefront uses for the WYSIWYG editor on several pages in the admin console. Store admins are strongly recommended to download and install the patch available at https://license.aspdotnetstorefront.com
NOTE: These instructions assume you are a subscriber to our Gold YRB benefits program. If you do not see the patch in your license portal 'Software Updates' tab (versions 9.5.1 - 10.0.4), then please check your eligibility with our ASPDNSF Help Desk. If you have onboarded to our preFIX model, then you don't need to take any action: your store is always up to date.
Installing the Telerik Patch
Uncustomized Sites (if you're unsure whether the files below have been modified, contact your developer or whoever does the technical work on your site):
Backup your site files. Please contact your site host if necessary.
Execute the installation file locally by double-clicking the downloaded .exe file and run through the prompts, selecting an empty folder location on your computer.
Copy these files from the extracted files on your computer to your site, overwriting the existing files.
Web/App_Themes/Admin_Default/StyleSheet.css
Web/bin/ASPDNSFApplication.dll
Web/bin/Telerik.Web.UI.dll
Edit the Web.config file in the root of your site, adding this line:
When done, your file should look something like this:
NOTE: If your appSettings are encrypted, you will need to have your server host set read/write/modify permissions on the {root} where the web.config is located, then set your "Encrypt the Web.Config:" to NO in the admin Site Setup Wizard page. BE SURE to have your host set the permissions back once you have completed the change and re-encrypted the web.config file.
That's it! Your site will restart and the patch will be in place.
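As an added example (not part of the vendor's instructions), the following PowerShell script performs the copy step above with the checks a careful admin would want: it backs up the three files before overwriting them, confirms each deployed copy is byte-identical to the extracted patch file, and reports the Telerik.Web.UI.dll file version now in place. The $ExtractDir and $SiteRoot paths are assumptions to adjust for your machine and site; the Web.config edit still has to be made by hand as described above.

```powershell
# Added example (not part of the vendor's instructions): back up the three files the patch
# replaces, copy the extracted versions over them, then confirm the deployed copies are
# byte-identical to the extracted ones and report the Telerik.Web.UI.dll file version.
# $ExtractDir and $SiteRoot are assumed paths; adjust them for your machine and site.
param(
    [string]$ExtractDir = 'C:\TelerikPatch',        # empty folder chosen during the .exe prompts
    [string]$SiteRoot   = 'D:\inetpub\MyStore\Web'   # folder that holds your site's Web.config
)

$patchedFiles = @(
    'App_Themes\Admin_Default\StyleSheet.css',
    'bin\ASPDNSFApplication.dll',
    'bin\Telerik.Web.UI.dll'
)

# Backups go to a timestamped folder next to the site root, outside the web-served tree.
$backupDir = Join-Path $SiteRoot ("..\patch-backup-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

foreach ($rel in $patchedFiles) {
    $src = Join-Path (Join-Path $ExtractDir 'Web') $rel
    $dst = Join-Path $SiteRoot $rel
    if (-not (Test-Path $src)) { throw "Patch file missing from extracted folder: $src" }

    # Keep the original so the change can be reverted if the site misbehaves after restart.
    if (Test-Path $dst) {
        $bak = Join-Path $backupDir $rel
        New-Item -ItemType Directory -Path (Split-Path $bak) -Force | Out-Null
        Copy-Item $dst $bak
    }

    Copy-Item $src $dst -Force

    # Verify the deployed file is exactly the one shipped in the patch.
    $srcHash = (Get-FileHash $src -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash $dst -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) { throw "Copy verification failed for $rel" }
    Write-Host "OK  $rel"
}

# Report the version now deployed so it can be compared with the version named in the patch notes.
$dll = Join-Path $SiteRoot 'bin\Telerik.Web.UI.dll'
$ver = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($dll).FileVersion
Write-Host "Deployed Telerik.Web.UI.dll file version: $ver"
Write-Host "Originals backed up to: $backupDir"
```

Run it from an elevated PowerShell prompt on the web server; if any file fails verification, restore the originals from the reported backup folder before proceeding.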
Customized Sites (this should only be done by a knowledgeable developer):
Follow the 'Uncustomized Sites' directions above, but also copy the new DLLs into the AssemblyReferences folder wherever you maintain the site's source code. This ensures that the updated, patched versions of the DLLs are pulled in when the site is rebuilt in the future.