
Progress discloses second critical flaw in Telerik Report Server in as many months
2024-07-26 13:32

Progress Software's latest security advisory warns customers about the second critical vulnerability affecting its Telerik Report Server in as many months.

Some of you may remember CVE-2019-18935, another deserialization of untrusted data vulnerability, this one in Telerik UI for ASP.NET AJAX. It was used by multiple attackers, including an unnamed Advanced Persistent Threat group, to successfully target US federal agencies in 2023, despite having been added to CISA's Known Exploited Vulnerabilities catalog in 2021.

The new disclosure makes this the second near-maximum-severity bug in Telerik Report Server in as many months.

Sina Kheirkhah, security researcher at Summoning Team, discovered the flaw and demonstrated how it could be chained with yet another deserialization of untrusted data bug in Telerik Report Server from April to achieve full RCE. Double trouble.

Progress also disclosed a second vulnerability, CVE-2024-6096, affecting Telerik Reporting.

It is an insecure type resolution vulnerability (CWE-470, unsafe reflection) that could lead to RCE via an object injection attack if exploited: the application resolves a type from a name the caller controls and instantiates it.
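As an added illustration of the CWE-470 pattern behind CVE-2024-6096 (this is not Telerik's or Progress's code; the WidgetRequest shape, the widget types, the allowlist and the sample payloads are all constructed for the example), here is a .NET type-resolution step that trusts a caller-supplied type name, beside a version that maps names through an allowlist so the caller can never choose the type that gets instantiated:

```csharp
// Added illustration of CWE-470 (unsafe reflection / insecure type resolution).
// Not Telerik's code: the request shape, the widget types and the allowlist are assumptions.
using System;
using System.Collections.Generic;
using System.Text.Json;

public class WidgetRequest
{
    public string TypeName { get; set; } = "";
    public JsonElement Properties { get; set; }
}

public sealed class ChartWidget { public string Title { get; set; } = ""; }
public sealed class TableWidget { public int Rows { get; set; } }

public static class Vulnerable
{
    // The caller controls TypeName end to end. Type.GetType resolves any
    // assembly-qualified name (loading the assembly if needed), and the JSON is
    // then bound onto whatever type comes back. The type-selection decision,
    // which is what an object injection attack needs, has been handed to the caller.
    public static object Resolve(string json)
    {
        var req = JsonSerializer.Deserialize<WidgetRequest>(json)!;
        Type t = Type.GetType(req.TypeName, throwOnError: true)!;
        return JsonSerializer.Deserialize(req.Properties.GetRawText(), t)!;
    }
}

public static class Hardened
{
    // Only the types the application actually expects can be instantiated.
    // The wire value is an opaque key, never a type name, so nothing the caller
    // sends ever reaches Type.GetType.
    private static readonly Dictionary<string, Type> Allowed = new()
    {
        ["chart"] = typeof(ChartWidget),
        ["table"] = typeof(TableWidget),
    };

    public static object Resolve(string json)
    {
        var req = JsonSerializer.Deserialize<WidgetRequest>(json)!;
        if (!Allowed.TryGetValue(req.TypeName, out Type? t))
            throw new InvalidOperationException($"type key '{req.TypeName}' is not permitted");
        return JsonSerializer.Deserialize(req.Properties.GetRawText(), t)!;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample payloads: a legitimate request for each resolver, and one
        // that names an arbitrary framework type instead of an application type.
        const string goodByName = "{\"TypeName\":\"ChartWidget\",\"Properties\":{\"Title\":\"Sales\"}}";
        const string goodByKey  = "{\"TypeName\":\"chart\",\"Properties\":{\"Title\":\"Sales\"}}";
        const string hostile    = "{\"TypeName\":\"System.Diagnostics.ProcessStartInfo, System.Diagnostics.Process\","
                                + "\"Properties\":{\"FileName\":\"calc.exe\"}}";

        // The vulnerable resolver happily instantiates whatever type name it is given.
        Console.WriteLine("vulnerable: " + Vulnerable.Resolve(goodByName).GetType().Name);
        // Vulnerable.Resolve(hostile) would likewise build a ProcessStartInfo from caller data;
        // whether that becomes code execution depends on what the caller-chosen type does
        // in its setters, constructors or finalizers, which is exactly what an allowlist removes.

        Console.WriteLine("hardened:   " + Hardened.Resolve(goodByKey).GetType().Name);
        try
        {
            Hardened.Resolve(hostile);
        }
        catch (InvalidOperationException e)
        {
            Console.WriteLine("hardened:   rejected (" + e.Message + ")");
        }
    }
}
```

The same fix shape applies to serializers that embed type names in the payload (for example a `$type` discriminator): resolve through a fixed map or a restrictive `SerializationBinder`, and treat any type name that is not in the map as an error rather than a lookup.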


News URL

https://go.theregister.com/feed/www.theregister.com/2024/07/26/critical_vulnerability_progress_telerik/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE / DESCRIPTION                                                     RISK

2024-07-24  CVE-2024-6096   Unsafe Reflection vulnerability in Progress Telerik Reporting
            In Progress® Telerik® Reporting versions prior to 18.1.24.709, a code execution attack is possible through object injection via an insecure type resolution vulnerability.
            Attack vector: network | Attack complexity: low | Vendor: Progress | CWE-470 | Critical, CVSS 9.8

2019-12-11  CVE-2019-18935  Deserialization of Untrusted Data vulnerability in Telerik UI for ASP.NET AJAX
            Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function.
            Attack vector: network | Attack complexity: low | Vendor: Telerik | CWE-502 | Critical, CVSS 9.8

Related vendor

VENDOR     #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Progress   28           0     56       50     31         137
Telerik    8            0     0        5      10         15