Critical Flaw in Telerik Report Server Poses Remote Code Execution Risk
Progress Software is urging users to update their Telerik Report Server instances following the discovery of a critical security flaw that could result in remote code execution.
The vulnerability, tracked as CVE-2024-6327, impacts Report Server version 2024 Q2 and earlier.
"In Progress Telerik Report Server versions prior to 2024 Q2, a remote code execution attack is possible through an insecure deserialization vulnerability," the company said in an advisory.
Deserialization flaws occur when an application reconstructs attacker-controlled data into objects without adequate validation, which can result in the execution of unauthorized commands.
As a temporary mitigation, Progress recommends changing the user account of the Report Server Application Pool to one with limited permissions.
The disclosure comes nearly two months after the company patched another critical shortcoming in the same software that could be abused by a remote attacker to bypass authentication and create rogue administrator users.
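As an added illustration of the flaw class described above (example code written for this page, not Progress or Telerik code, and in Python rather than the .NET stack Report Server runs on): an unrestricted deserializer resolves and imports whatever module-level name the serialized data asks for, while a deserializer that allow-lists the types the application actually expects refuses anything else. `ReportRequest`, `ALLOWED_GLOBALS` and the two sample payloads are constructed for the example.

```python
import io
import os
import pickle
from dataclasses import dataclass


@dataclass
class ReportRequest:
    """The one object type this hypothetical service expects to deserialize."""
    report: str
    page: int


# Allow-list of module-level names the unpickler may resolve. Constructed for
# this example; a real service would list its own data-transfer types.
ALLOWED_GLOBALS = {(ReportRequest.__module__, ReportRequest.__name__)}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to import any name not on the allow-list."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def unsafe_loads(data: bytes):
    """The insecure pattern: resolve and import whatever the data names."""
    return pickle.loads(data)


def safe_loads(data: bytes):
    """The hardened pattern: only allow-listed types can be reconstructed."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


# Constructed sample inputs.
BENIGN = pickle.dumps(ReportRequest(report="sales", page=1))
# pickle serializes functions by reference (module + name), so loading this
# forces the unpickler to import a module and look up getcwd. os.getcwd is
# harmless; the point is that the unrestricted loader hands back whatever
# callable the data names.
UNTRUSTED = pickle.dumps(os.getcwd)


def demo():
    results = {}
    # Expected data round-trips through the restricted loader unchanged.
    results["benign_roundtrip"] = safe_loads(BENIGN) == ReportRequest("sales", 1)
    # Unrestricted loader returns a live callable chosen by the data.
    results["unrestricted_resolves_callable"] = callable(unsafe_loads(UNTRUSTED))
    # Restricted loader rejects the same payload before any object is built.
    try:
        safe_loads(UNTRUSTED)
        results["restricted_blocks"] = False
    except pickle.UnpicklingError:
        results["restricted_blocks"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The allow-list is checked inside `find_class`, which the unpickler calls for every global reference before the object graph is built, so an unexpected type is rejected rather than instantiated; pairing this with a low-privilege service account, as the advisory's interim mitigation suggests, limits what a bypass could do.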
News URL: https://thehackernews.com/2024/07/critical-flaw-in-telerik-report-server.html
Related news
- Sophos Firewall vulnerable to critical remote code execution flaw
- Sophos discloses critical Firewall remote code execution flaw
- Week in review: Fortinet patches critical FortiManager 0-day, VMware fixes vCenter Server RCE
- OvrC Platform Vulnerabilities Expose IoT Devices to Remote Attacks and Code Execution
- Critical RCE bug in VMware vCenter Server now exploited in attacks
- Critical WordPress Anti-Spam Plugin Flaws Expose 200,000+ Sites to Remote Attacks
- Critical Flaw in ProjectSend Under Active Exploitation Against Public-Facing Servers
- New critical Apache Struts flaw exploited to find vulnerable servers
- BeyondTrust fixes critical vulnerability in remote access, support solutions (CVE-2024-12356)
- Hackers Exploiting Critical Fortinet EMS Vulnerability to Deploy Remote Access Tools
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-07-24 | CVE-2024-6327 | Deserialization of Untrusted Data vulnerability in Progress Telerik Report Server. In Progress® Telerik® Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization vulnerability. | 9.8 |