The security vulnerability affects all 2.X versions of nopCommerce. We won’t share the issue details because people need a chance to update or fix their installations. The upgrade is HIGHLY recommended. If you are unable to upgrade to version 3.00, please follow the steps below to fix your 2.X version. Open the web.config file in the root of your site and remove the following three lines:
<add verb="GET,HEAD" path="asset.axd" validate="false" type="Telerik.Web.Mvc.WebAssetHttpHandler, Telerik.Web.Mvc" />
<remove name="asset" />
<add name="asset" preCondition="integratedMode" verb="GET,HEAD" path="asset.axd" type="Telerik.Web.Mvc.WebAssetHttpHandler, Telerik.Web.Mvc" />
Once that's done, it's highly recommended to change your passwords (database, payment gateways, etc.).
As you can see, it was caused by a third-party library (Telerik MVC Extensions), but we apologize for the inconvenience that this security vulnerability has caused.
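To confirm that the three lines listed above are really gone from a 2.X site's web.config, a check like the following can be run against each installation. This is an added example, not part of the original announcement or nopCommerce's own code; the function names and the sample config are constructed for illustration, and the section names assume the standard ASP.NET layout (`httpHandlers` under `system.web`, `handlers` under `system.webServer`).

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed web.config that still contains the three lines.
SAMPLE_UNPATCHED = """<configuration>
  <system.web>
    <httpHandlers>
      <add verb="GET,HEAD" path="asset.axd" validate="false" type="Telerik.Web.Mvc.WebAssetHttpHandler, Telerik.Web.Mvc" />
    </httpHandlers>
  </system.web>
  <system.webServer>
    <handlers>
      <remove name="asset" />
      <add name="asset" preCondition="integratedMode" verb="GET,HEAD" path="asset.axd" type="Telerik.Web.Mvc.WebAssetHttpHandler, Telerik.Web.Mvc" />
    </handlers>
  </system.webServer>
</configuration>"""

def leftover_asset_entries(root):
    """Return (section, tag, attributes) for each asset.axd handler line still present."""
    found = []
    # Assumed standard ASP.NET layout: one line in <httpHandlers>, two in <handlers>.
    # iter() also reaches copies nested under a <location> element.
    for section in ("httpHandlers", "handlers"):
        for parent in root.iter(section):
            for el in parent:
                is_add = el.tag == "add" and (
                    el.get("path", "").lower() == "asset.axd"
                    or "webassethttphandler" in el.get("type", "").lower())
                is_remove = el.tag == "remove" and el.get("name", "").lower() == "asset"
                if is_add or is_remove:
                    found.append((section, el.tag, dict(el.attrib)))
    return found

def check_text(xml_text):
    return leftover_asset_entries(ET.fromstring(xml_text))

def check_file(path):
    # ET.parse reads the file as bytes and honours its XML declaration.
    return leftover_asset_entries(ET.parse(path).getroot())

if __name__ == "__main__":
    status = 0
    for cfg in sys.argv[1:]:
        hits = check_file(cfg)
        for section, tag, attrs in hits:
            print(f"{cfg}: <{section}> still has <{tag}> {attrs}")
        status = status or (1 if hits else 0)
    sys.exit(status)
```

Pass one or more web.config paths as arguments; the script prints any remaining entries and exits non-zero if it finds one, so it can be used in a deployment check.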