Security News > 2024 > July > Progress discloses second critical flaw in Telerik Report Server in as many months
Progress Software's latest security advisory warns customers about the second critical vulnerability targeting its Telerik Report Server in as many months.
Some of you may remember CVE-2019-18935, another deserialization of untrusted data vulnerability affecting Telerik UI for ASP.NET AJAX. It was used by multiple attackers including an unspecified Advanced Persistent Threat group to successfully target US federal agencies in 2023, despite being added to CISA's Known Exploited Vulnerability catalog in 2021.
The disclosure of the vulnerability makes it the second near-maximum severity bug in Telerik Report Server in as many months.
Sina Kheirkhah, security researcher at Summoning Team, discovered the flaw and demonstrated how it could be chained with yet another deserialization of untrusted data bug in Telerik Report Server from April to achieve full RCE. Double trouble.
Progress also disclosed a second vulnerability, CVE-2024-6096, affecting Telerik Reporting - its.
It's an insecure type resolution vulnerability that could lead to RCE via an object injection attack if exploited.
News URL
Related news
- Progress warns of critical RCE bug in Telerik Report Server (source)
- Progress fixes critical RCE flaw in Telerik Report Server, upgrade ASAP! (CVE-2024-6327) (source)
- Critical Flaw in Telerik Report Server Poses Remote Code Execution Risk (source)
- Exploit for critical Progress Telerik auth bypass released, patch now (source)
- Telerik Report Server Flaw Could Let Attackers Create Rogue Admin Accounts (source)
- Critical RCE flaws in vCenter Server fixed (CVE-2024-37079, CVE-2024-37080) (source)
- Week in review: CDK Global cyberattack, critical vCenter Server RCE fixed (source)
- Ollama drama as 'easy-to-exploit' critical flaw found in open source AI server (source)
- Critical Exim Mail Server Vulnerability Exposes Millions to Malicious Attachments (source)
- Critical Exim bug bypasses security filters on 1.5 million mail servers (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-07-24 | CVE-2024-6096 | Unsafe Reflection vulnerability in Progress Telerik Reporting In Progress® Telerik® Reporting versions prior to 18.1.24.709, a code execution attack is possible through object injection via an insecure type resolution vulnerability. | 9.8 |
| 2019-12-11 | CVE-2019-18935 | Deserialization of Untrusted Data vulnerability in Telerik UI for Asp.Net Ajax Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. | 9.8 |