Telerik Report Server is a web-based application designed for creating, managing, and delivering reports in various formats. It provides tools for report design, scheduling, and secure delivery, allowing organizations to centralize their reporting processes.

Progress Software addressed a critical remote code execution flaw, tracked as CVE-2024-6327 (CVSS score of 9.9), in the Telerik Report Server that can be exploited to compromise vulnerable devices.

“In Progress® Telerik® Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization vulnerability.” reads the report published by the company. “Updating to Report Server 2024 Q2 (10.1.24.709) or later is the only way to remove this vulnerability. The Progress Telerik team strongly recommends performing an upgrade to the latest version listed in the table below.”
The critical flaw is a deserialization of untrusted data issue.

The flaw impacts Report Server 2024 Q2 (10.1.24.514) and earlier; version 2024 Q2 (10.1.24.709) addresses the vulnerability.
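Because upgrading is the only fix, the practical defender's task is to find every Report Server build that is still below 10.1.24.709. The following script is an added example, not Progress or Telerik code: it takes the fixed build number from the advisory above, parses the version strings as they appear on the page (both the bare dotted form and the "2024 Q2 (10.1.24.514)" form), and flags hosts in a constructed sample inventory that are older than the fixed build. Hostnames and the older 10.0.x build in the inventory are constructed values for illustration.

```python
"""Flag Telerik Report Server installs below the build that fixes CVE-2024-6327.

Added example, not vendor code. The fixed build number comes from the Progress
advisory; every host and version in SAMPLE_INVENTORY is constructed sample data.
"""
import re
from typing import Dict, List, Tuple

# Build in which CVE-2024-6327 is fixed, per the Progress advisory.
FIXED_VERSION = "10.1.24.709"

# Matches the dotted numeric build inside strings such as
# "2024 Q2 (10.1.24.514)" or a bare "10.1.24.709"; the release year
# "2024" has no dot after it, so it is not matched.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Return the build as a tuple of ints so comparisons are numeric.

    A plain string comparison would wrongly rank "10.1.24.709" below
    "10.1.24.80", so each component is converted to an integer first.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no dotted version found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the fixed build."""
    return parse_version(installed) < parse_version(fixed)


# Constructed inventory: hostname -> version string as reported by the server.
SAMPLE_INVENTORY: Dict[str, str] = {
    "reports-01.example.internal": "2024 Q2 (10.1.24.514)",   # last affected build
    "reports-02.example.internal": "10.1.24.709",             # fixed build
    "reports-03.example.internal": "2024 Q1 (10.0.24.305)",   # constructed older build
}


def find_vulnerable(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted hostnames whose build is below FIXED_VERSION."""
    return sorted(host for host, version in inventory.items() if is_vulnerable(version))


if __name__ == "__main__":
    for host in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{host}: upgrade to Report Server {FIXED_VERSION} or later")
```

In a real deployment the inventory dictionary would be fed from whatever records your asset management system holds for these servers; the comparison logic stays the same.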
In June, researchers published proof-of-concept (PoC) exploit code for another authentication bypass vulnerability, tracked as CVE-2024-1800 (CVSS score: 8.8), in Progress Telerik Report Server.

The researchers demonstrated how to create an admin account by exploiting the bypass flaw CVE-2024-4358.
Pierluigi Paganini

(SecurityAffairs – hacking, Telerik Report Server)