Critical Flaw in Telerik Report Server Poses Remote Code Execution Risk

Cyber Security

Products You May Like

Jul 26, 2024NewsroomSoftware Security / Vulnerability

Progress Software is urging users to update their Telerik Report Server instances following the discovery of a critical security flaw that could result in remote code execution.

The vulnerability, tracked as CVE-2024-6327 (CVSS score: 9.9), impacts Report Server version 2024 Q2 (10.1.24.514) and earlier.

“In Progress Telerik Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization vulnerability,” the company said in an advisory.

Deserialization flaws occur when an application reconstructs untrusted data that an attacker has control over without adequate validation in place, resulting in the execution of unauthorized commands.

Progress Software said the flaw has been addressed in version 10.1.24.709. As temporary mitigation, it’s recommended to change the user for the Report Server Application Pool to one with limited permission.

Cybersecurity

Administrators can check if their servers are vulnerable to attacks by going through these steps –

  • Go to the Report Server web UI and log in using an account with administrator rights
  • Open the Configuration page (~/Configuration/Index).
  • Select the About tab and the version number will be displayed in the pane on the right.

The disclosure comes nearly two months after the company patched another critical shortcoming in the same software (CVE-2024-4358, CVSS score: 9.8) that could be abused by a remote attacker to bypass authentication and create rogue administrator users.

On June 13, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Products You May Like

Articles You May Like

Redmi 14C With 6.88-Inch LCD Screen, MediaTek Helio G81 Chipset Launched: Price, Specifications
OpenAI and Anthropic agree to let U.S. AI Safety Institute test and evaluate new models
Realme 13 Pro+ 5G Monet Purple Colour Variant Launched in India: Availability, Offers
Apple Music Playlists Can Now Be Transferred to YouTube Music: See Transfer Process, Supported Playlists
APT-C-60 Group Exploit WPS Office Flaw to Deploy SpyGlace Backdoor

Leave a Reply

Your email address will not be published. Required fields are marked *