Search

Find a vulnerability

Search criteria

    14 vulnerabilities found for Telerik Report Server by Progress Software Corporation

    CVE-2024-7295 (GCVE-0-2024-7295)

    Vulnerability from nvd – Published: 2024-11-13 15:22 – Updated: 2024-11-13 19:13
    VLAI
    Title
    Hard-coded credentials used for temporary and cache data encryption
    Summary
    In Progress® Telerik® Report Server versions prior to 2024 Q4 (10.3.24.1112), the encryption of local asset data used an older algorithm which may allow a sophisticated actor to decrypt this information.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    References
    Impacted products
    Vendor Product Version
    Progress Software Corporation Telerik Report Server Affected: 1.0.0 , < 10.3.24.1112 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7295",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-13T19:13:23.002020Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-13T19:13:33.110Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Telerik Report Server",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "10.3.24.1112",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In Progress\u00ae Telerik\u00ae Report Server versions prior to 2024 Q4 (10.3.24.1112), the encryption of local asset data used an older algorithm which may allow a sophisticated actor to decrypt this information."
                }
              ],
              "value": "In Progress\u00ae Telerik\u00ae Report Server versions prior to 2024 Q4 (10.3.24.1112), the encryption of local asset data used an older algorithm which may allow a sophisticated actor to decrypt this information."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-155",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-155 Screen Temporary Files for Sensitive Information"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-13T15:22:28.781Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.telerik.com/report-server/knowledge-base/encryption-weakness-cve-2024-7295"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Hard-coded credentials used for temporary and cache data encryption",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-7295",
        "datePublished": "2024-11-13T15:22:28.781Z",
        "dateReserved": "2024-07-30T14:58:15.367Z",
        "dateUpdated": "2024-11-13T19:13:33.110Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-7294 (GCVE-0-2024-7294)

    Vulnerability from nvd – Published: 2024-10-09 14:45 – Updated: 2024-10-09 16:17
    VLAI
    Title
    Uncontrolled resource consumption of anonymous endpoints
    Summary
    In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), an HTTP DoS attack is possible on anonymous endpoints without rate limiting.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation Telerik Report Server Affected: 1.0.0 , < 10.2.24.806 (custom)
    Create a notification for this product.
    progress telerik_report_server Affected: 1.0.0 , < 10.2.24.806 (custom)
        cpe:2.3:a:progress:telerik_report_server:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:telerik_report_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "telerik_report_server",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "10.2.24.806",
                    "status": "affected",
                    "version": "1.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7294",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-09T16:14:59.336463Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-09T16:17:21.325Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Telerik Report Server",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "10.2.24.806",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In Progress\u00ae Telerik\u00ae Report Server versions prior to 2024 Q3 (10.2.24.806), an HTTP DoS attack is possible on anonymous endpoints without rate limiting."
                }
              ],
              "value": "In Progress\u00ae Telerik\u00ae Report Server versions prior to 2024 Q3 (10.2.24.806), an HTTP DoS attack is possible on anonymous endpoints without rate limiting."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-469",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-469 HTTP DoS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-09T14:45:30.445Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://docs.telerik.com/report-server/knowledge-base/uncontrolled-resource-consumption-cve-2024-7294"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Uncontrolled resource consumption of anonymous endpoints",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-7294",
        "datePublished": "2024-10-09T14:45:30.445Z",
        "dateReserved": "2024-07-30T14:58:14.413Z",
        "dateUpdated": "2024-10-09T16:17:21.325Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-7293 (GCVE-0-2024-7293)

    Vulnerability from nvd – Published: 2024-10-09 14:43 – Updated: 2024-10-09 16:18
    VLAI
    Title
    Password policy for new users is not strong enough
    Summary
    In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a password brute forcing attack is possible through weak password requirements.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-521 - Weak Password Requirements
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation Telerik Report Server Affected: 1.0.0 , < 10.2.24.806 (custom)
    Create a notification for this product.
    progress telerik_report_server Affected: 1.0.0 , < 10.2.24.806 (custom)
        cpe:2.3:a:progress:telerik_report_server:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:telerik_report_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "telerik_report_server",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "10.2.24.806",
                    "status": "affected",
                    "version": "1.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7293",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-09T16:15:09.795827Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-09T16:18:01.674Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Telerik Report Server",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "10.2.24.806",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In Progress\u00ae Telerik\u00ae Report Server versions prior to 2024 Q3 (10.2.24.806), a password brute forcing attack is possible through weak password requirements."
                }
              ],
              "value": "In Progress\u00ae Telerik\u00ae Report Server versions prior to 2024 Q3 (10.2.24.806), a password brute forcing attack is possible through weak password requirements."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-49",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-49 Password Brute Forcing"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-521",
                  "description": "CWE-521 Weak Password Requirements",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-09T14:43:28.711Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://docs.telerik.com/report-server/knowledge-base/weak-password-requirement-cve-2024-7293"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Password policy for new users is not strong enough",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-7293",
        "datePublished": "2024-10-09T14:43:28.711Z",
        "dateReserved": "2024-07-30T14:58:13.290Z",
        "dateUpdated": "2024-10-09T16:18:01.674Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-7292 (GCVE-0-2024-7292)

    Vulnerability from nvd – Published: 2024-10-09 14:47 – Updated: 2024-10-16 15:01
    VLAI
    Title
    Account Controller allows high count of login attempts
    Summary
    In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a credential stuffing attack is possible through improper restriction of excessive login attempts.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-307 - Improper Restriction of Excessive Authentication Attempts
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation Telerik Report Server Affected: 1.0.0 , < 2024 Q3 (10.2.24.806) (custom)
    Create a notification for this product.
    progress_software telerik_report_server Affected: 1.0.0.0 , < 2024 Q3\/10.2.24.806\/ (custom)
        cpe:2.3:a:progress_software:telerik_report_server:1.0.0.0:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress_software:telerik_report_server:1.0.0.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "telerik_report_server",
                "vendor": "progress_software",
                "versions": [
                  {
                    "lessThan": "2024 Q3\\/10.2.24.806\\/",
                    "status": "affected",
                    "version": "1.0.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7292",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-09T16:09:43.887611Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-16T15:01:22.209Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Telerik Report Server",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024 Q3 (10.2.24.806)",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In Progress\u00ae Telerik\u00ae Report Server versions prior to 2024 Q3 (10.2.24.806), a credential stuffing attack is possible through improper restriction of excessive login attempts."
                }
              ],
              "value": "In Progress\u00ae Telerik\u00ae Report Server versions prior to 2024 Q3 (10.2.24.806), a credential stuffing attack is possible through improper restriction of excessive login attempts."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-600",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-600 Credential Stuffing"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-307",
                  "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-09T14:47:10.831Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://docs.telerik.com/report-server/knowledge-base/improper-restriction-of-excessive-login-attempts-cve-2024-7292"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Account Controller allows high count of login attempts",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-7292",
        "datePublished": "2024-10-09T14:47:10.831Z",
        "dateReserved": "2024-07-30T14:58:12.050Z",
        "dateUpdated": "2024-10-16T15:01:22.209Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-6327 (GCVE-0-2024-6327)

    Vulnerability from nvd – Published: 2024-07-24 13:57 – Updated: 2024-08-01 21:33
    VLAI
    Title
    Progress Telerik Report Server Deserialization
    Summary
    In Progress® Telerik® Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    References
    Impacted products
    Vendor Product Version
    Progress Software Corporation Telerik Report Server Affected: 1.00 , < 2024 Q2 (10.1.24.709) (semver)
    Create a notification for this product.
    progress telerik_reporting Affected: 0 , < 10.1.24.709 (semver)
        cpe:2.3:a:progress:telerik_reporting:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:telerik_reporting:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "telerik_reporting",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "10.1.24.709",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6327",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-24T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-25T03:55:23.541Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T21:33:05.307Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "product",
                  "x_transferred"
                ],
                "url": "https://www.telerik.com/report-server"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://docs.telerik.com/report-server/knowledge-base/deserialization-vulnerability-cve-2024-6327"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Telerik Report Server",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024 Q2 (10.1.24.709)",
                  "status": "affected",
                  "version": "1.00",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIn Progress\u00ae Telerik\u00ae Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization vulnerability.\u003c/p\u003e"
                }
              ],
              "value": "In Progress\u00ae Telerik\u00ae Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization vulnerability."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-586",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-586 Object Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-24T13:57:07.165Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.telerik.com/report-server"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.telerik.com/report-server/knowledge-base/deserialization-vulnerability-cve-2024-6327"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Progress Telerik Report Server Deserialization",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-6327",
        "datePublished": "2024-07-24T13:57:07.165Z",
        "dateReserved": "2024-06-25T15:14:46.772Z",
        "dateUpdated": "2024-08-01T21:33:05.307Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-4358 (GCVE-0-2024-4358)

    Vulnerability from nvd – Published: 2024-05-29 14:51 – Updated: 2025-10-21 23:05
    Title
    Registration Authentication Bypass Vulnerability
    Summary
    In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
    SSVC
    Exploitation: active Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-290 - Authentication Bypass by Spoofing
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation Telerik Report Server Affected: 1.0.0 , < 10.1.24.514 (semver)
    Create a notification for this product.
    progress_software telerik_report_server Affected: 1.0.0.0 , < 10.1.24.514 (custom)
        cpe:2.3:a:progress_software:telerik_report_server:1.0.0.0:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-05-29 14:00
    Credits
    Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress_software:telerik_report_server:1.0.0.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "telerik_report_server",
                "vendor": "progress_software",
                "versions": [
                  {
                    "lessThan": "10.1.24.514",
                    "status": "affected",
                    "version": "1.0.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-4358",
                    "options": [
                      {
                        "Exploitation": "active"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-14T13:56:10.408308Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              },
              {
                "other": {
                  "content": {
                    "dateAdded": "2024-06-13",
                    "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-4358"
                  },
                  "type": "kev"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-21T23:05:17.218Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "government-resource"
                ],
                "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-4358"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2024-06-13T00:00:00.000Z",
                "value": "CVE-2024-4358 added to CISA KEV"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:40:46.999Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows"
              ],
              "product": "Telerik Report Server",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "10.1.24.514",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative"
            }
          ],
          "datePublic": "2024-05-29T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability."
                }
              ],
              "value": "In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290 Authentication Bypass by Spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-29T14:51:21.612Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Registration Authentication Bypass Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-4358",
        "datePublished": "2024-05-29T14:51:21.612Z",
        "dateReserved": "2024-04-30T17:34:38.695Z",
        "dateUpdated": "2025-10-21T23:05:17.218Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-1800 (GCVE-0-2024-1800)

    Vulnerability from nvd – Published: 2024-03-20 13:11 – Updated: 2024-08-01 18:48
    VLAI
    Title
    Progress Telerik Report Server Deserialization
    Summary
    In Progress® Telerik® Report Server versions prior to 2024 Q1 (10.0.24.130), a remote code execution attack is possible through an insecure deserialization vulnerability.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    References
    Impacted products
    Vendor Product Version
    Progress Software Corporation Telerik Report Server Affected: 1.00 , < 2024 Q1 (10.0.24.130) (semver)
    Create a notification for this product.
    progress_software telerik_report_server Affected: 1.0.0.0 , < 10.0.24.130 (custom)
        cpe:2.3:a:progress_software:telerik_report_server:1.0.0.0:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    HackerOne: 07842c0e165d4d2d8733dd4eab48b3ed0f7afe38 working with Trend Micro Zero Day Initiative
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress_software:telerik_report_server:1.0.0.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "affected",
                "product": "telerik_report_server",
                "vendor": "progress_software",
                "versions": [
                  {
                    "lessThan": "10.0.24.130",
                    "status": "affected",
                    "version": "1.0.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-1800",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-13T03:55:08.602515Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-13T14:30:50.592Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:48:22.048Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "product",
                  "x_transferred"
                ],
                "url": "https://www.telerik.com/report-server"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://docs.telerik.com/report-server/knowledge-base/deserialization-vulnerability-cve-2024-1800"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Telerik Report Server",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024 Q1 (10.0.24.130)",
                  "status": "affected",
                  "version": "1.00",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "HackerOne: 07842c0e165d4d2d8733dd4eab48b3ed0f7afe38 working with Trend Micro Zero Day Initiative"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn Progress\u00ae Telerik\u00ae Report Server versions prior to 2024 Q1\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e (10.0.24.130)\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ea remote code execution attack is possible through \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ea\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003en insecure deserialization vulnerability.\u003c/span\u003e"
                }
              ],
              "value": "\nIn Progress\u00ae Telerik\u00ae Report Server versions prior to 2024 Q1 (10.0.24.130), a remote code execution attack is possible through an insecure deserialization vulnerability."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-586",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-586 Object Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-03-20T13:11:41.461Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.telerik.com/report-server"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.telerik.com/report-server/knowledge-base/deserialization-vulnerability-cve-2024-1800"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Progress Telerik Report Server Deserialization",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-1800",
        "datePublished": "2024-03-20T13:11:41.461Z",
        "dateReserved": "2024-02-22T20:41:23.940Z",
        "dateUpdated": "2024-08-01T18:48:22.048Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-7295 (GCVE-0-2024-7295)

    Vulnerability from cvelistv5 – Published: 2024-11-13 15:22 – Updated: 2024-11-13 19:13
    VLAI
    Title
    Hard-coded credentials used for temporary and cache data encryption
    Summary
    In Progress® Telerik® Report Server versions prior to 2024 Q4 (10.3.24.1112), the encryption of local asset data used an older algorithm which may allow a sophisticated actor to decrypt this information.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    References
    Impacted products
    Vendor Product Version
    Progress Software Corporation Telerik Report Server Affected: 1.0.0 , < 10.3.24.1112 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7295",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-13T19:13:23.002020Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-13T19:13:33.110Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Telerik Report Server",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "10.3.24.1112",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In Progress\u00ae Telerik\u00ae Report Server versions prior to 2024 Q4 (10.3.24.1112), the encryption of local asset data used an older algorithm which may allow a sophisticated actor to decrypt this information."
                }
              ],
              "value": "In Progress\u00ae Telerik\u00ae Report Server versions prior to 2024 Q4 (10.3.24.1112), the encryption of local asset data used an older algorithm which may allow a sophisticated actor to decrypt this information."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-155",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-155 Screen Temporary Files for Sensitive Information"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-13T15:22:28.781Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.telerik.com/report-server/knowledge-base/encryption-weakness-cve-2024-7295"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Hard-coded credentials used for temporary and cache data encryption",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-7295",
        "datePublished": "2024-11-13T15:22:28.781Z",
        "dateReserved": "2024-07-30T14:58:15.367Z",
        "dateUpdated": "2024-11-13T19:13:33.110Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-7292 (GCVE-0-2024-7292)

    Vulnerability from cvelistv5 – Published: 2024-10-09 14:47 – Updated: 2024-10-16 15:01
    VLAI
    Title
    Account Controller allows high count of login attempts
    Summary
    In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a credential stuffing attack is possible through improper restriction of excessive login attempts.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-307 - Improper Restriction of Excessive Authentication Attempts
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation Telerik Report Server Affected: 1.0.0 , < 2024 Q3 (10.2.24.806) (custom)
    Create a notification for this product.
    progress_software telerik_report_server Affected: 1.0.0.0 , < 2024 Q3\/10.2.24.806\/ (custom)
        cpe:2.3:a:progress_software:telerik_report_server:1.0.0.0:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress_software:telerik_report_server:1.0.0.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "telerik_report_server",
                "vendor": "progress_software",
                "versions": [
                  {
                    "lessThan": "2024 Q3\\/10.2.24.806\\/",
                    "status": "affected",
                    "version": "1.0.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7292",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-09T16:09:43.887611Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-16T15:01:22.209Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Telerik Report Server",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024 Q3 (10.2.24.806)",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In Progress\u00ae Telerik\u00ae Report Server versions prior to 2024 Q3 (10.2.24.806), a credential stuffing attack is possible through improper restriction of excessive login attempts."
                }
              ],
              "value": "In Progress\u00ae Telerik\u00ae Report Server versions prior to 2024 Q3 (10.2.24.806), a credential stuffing attack is possible through improper restriction of excessive login attempts."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-600",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-600 Credential Stuffing"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-307",
                  "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-09T14:47:10.831Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://docs.telerik.com/report-server/knowledge-base/improper-restriction-of-excessive-login-attempts-cve-2024-7292"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Account Controller allows high count of login attempts",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-7292",
        "datePublished": "2024-10-09T14:47:10.831Z",
        "dateReserved": "2024-07-30T14:58:12.050Z",
        "dateUpdated": "2024-10-16T15:01:22.209Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-7294 (GCVE-0-2024-7294)

    Vulnerability from cvelistv5 – Published: 2024-10-09 14:45 – Updated: 2024-10-09 16:17
    VLAI
    Title
    Uncontrolled resource consumption of anonymous endpoints
    Summary
    In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), an HTTP DoS attack is possible on anonymous endpoints without rate limiting.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation Telerik Report Server Affected: 1.0.0 , < 10.2.24.806 (custom)
    Create a notification for this product.
    progress telerik_report_server Affected: 1.0.0 , < 10.2.24.806 (custom)
        cpe:2.3:a:progress:telerik_report_server:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:telerik_report_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "telerik_report_server",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "10.2.24.806",
                    "status": "affected",
                    "version": "1.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7294",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-09T16:14:59.336463Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-09T16:17:21.325Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Telerik Report Server",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "10.2.24.806",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In Progress\u00ae Telerik\u00ae Report Server versions prior to 2024 Q3 (10.2.24.806), an HTTP DoS attack is possible on anonymous endpoints without rate limiting."
                }
              ],
              "value": "In Progress\u00ae Telerik\u00ae Report Server versions prior to 2024 Q3 (10.2.24.806), an HTTP DoS attack is possible on anonymous endpoints without rate limiting."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-469",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-469 HTTP DoS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-09T14:45:30.445Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://docs.telerik.com/report-server/knowledge-base/uncontrolled-resource-consumption-cve-2024-7294"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Uncontrolled resource consumption of anonymous endpoints",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-7294",
        "datePublished": "2024-10-09T14:45:30.445Z",
        "dateReserved": "2024-07-30T14:58:14.413Z",
        "dateUpdated": "2024-10-09T16:17:21.325Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-7293 (GCVE-0-2024-7293)

    Vulnerability from cvelistv5 – Published: 2024-10-09 14:43 – Updated: 2024-10-09 16:18
    VLAI
    Title
    Password policy for new users is not strong enough
    Summary
    In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a password brute forcing attack is possible through weak password requirements.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-521 - Weak Password Requirements
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation Telerik Report Server Affected: 1.0.0 , < 10.2.24.806 (custom)
    Create a notification for this product.
    progress telerik_report_server Affected: 1.0.0 , < 10.2.24.806 (custom)
        cpe:2.3:a:progress:telerik_report_server:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:telerik_report_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "telerik_report_server",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "10.2.24.806",
                    "status": "affected",
                    "version": "1.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7293",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-09T16:15:09.795827Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-09T16:18:01.674Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Telerik Report Server",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "10.2.24.806",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In Progress\u00ae Telerik\u00ae Report Server versions prior to 2024 Q3 (10.2.24.806), a password brute forcing attack is possible through weak password requirements."
                }
              ],
              "value": "In Progress\u00ae Telerik\u00ae Report Server versions prior to 2024 Q3 (10.2.24.806), a password brute forcing attack is possible through weak password requirements."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-49",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-49 Password Brute Forcing"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-521",
                  "description": "CWE-521 Weak Password Requirements",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-09T14:43:28.711Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://docs.telerik.com/report-server/knowledge-base/weak-password-requirement-cve-2024-7293"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Password policy for new users is not strong enough",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-7293",
        "datePublished": "2024-10-09T14:43:28.711Z",
        "dateReserved": "2024-07-30T14:58:13.290Z",
        "dateUpdated": "2024-10-09T16:18:01.674Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-6327 (GCVE-0-2024-6327)

    Vulnerability from cvelistv5 – Published: 2024-07-24 13:57 – Updated: 2024-08-01 21:33
    VLAI
    Title
    Progress Telerik Report Server Deserialization
    Summary
    In Progress® Telerik® Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    References
    Impacted products
    Vendor Product Version
    Progress Software Corporation Telerik Report Server Affected: 1.00 , < 2024 Q2 (10.1.24.709) (semver)
    Create a notification for this product.
    progress telerik_reporting Affected: 0 , < 10.1.24.709 (semver)
        cpe:2.3:a:progress:telerik_reporting:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:telerik_reporting:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "telerik_reporting",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "10.1.24.709",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6327",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-24T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-25T03:55:23.541Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T21:33:05.307Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "product",
                  "x_transferred"
                ],
                "url": "https://www.telerik.com/report-server"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://docs.telerik.com/report-server/knowledge-base/deserialization-vulnerability-cve-2024-6327"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Telerik Report Server",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024 Q2 (10.1.24.709)",
                  "status": "affected",
                  "version": "1.00",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIn Progress\u00ae Telerik\u00ae Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization vulnerability.\u003c/p\u003e"
                }
              ],
              "value": "In Progress\u00ae Telerik\u00ae Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization vulnerability."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-586",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-586 Object Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-24T13:57:07.165Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.telerik.com/report-server"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.telerik.com/report-server/knowledge-base/deserialization-vulnerability-cve-2024-6327"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Progress Telerik Report Server Deserialization",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-6327",
        "datePublished": "2024-07-24T13:57:07.165Z",
        "dateReserved": "2024-06-25T15:14:46.772Z",
        "dateUpdated": "2024-08-01T21:33:05.307Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-4358 (GCVE-0-2024-4358)

    Vulnerability from cvelistv5 – Published: 2024-05-29 14:51 – Updated: 2025-10-21 23:05
    Title
    Registration Authentication Bypass Vulnerability
    Summary
    In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
    SSVC
    Exploitation: active Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-290 - Authentication Bypass by Spoofing
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation Telerik Report Server Affected: 1.0.0 , < 10.1.24.514 (semver)
    Create a notification for this product.
    progress_software telerik_report_server Affected: 1.0.0.0 , < 10.1.24.514 (custom)
        cpe:2.3:a:progress_software:telerik_report_server:1.0.0.0:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-05-29 14:00
    Credits
    Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress_software:telerik_report_server:1.0.0.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "telerik_report_server",
                "vendor": "progress_software",
                "versions": [
                  {
                    "lessThan": "10.1.24.514",
                    "status": "affected",
                    "version": "1.0.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-4358",
                    "options": [
                      {
                        "Exploitation": "active"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-14T13:56:10.408308Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              },
              {
                "other": {
                  "content": {
                    "dateAdded": "2024-06-13",
                    "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-4358"
                  },
                  "type": "kev"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-21T23:05:17.218Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "government-resource"
                ],
                "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-4358"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2024-06-13T00:00:00.000Z",
                "value": "CVE-2024-4358 added to CISA KEV"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:40:46.999Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows"
              ],
              "product": "Telerik Report Server",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "10.1.24.514",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative"
            }
          ],
          "datePublic": "2024-05-29T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability."
                }
              ],
              "value": "In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290 Authentication Bypass by Spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-29T14:51:21.612Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Registration Authentication Bypass Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-4358",
        "datePublished": "2024-05-29T14:51:21.612Z",
        "dateReserved": "2024-04-30T17:34:38.695Z",
        "dateUpdated": "2025-10-21T23:05:17.218Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-1800 (GCVE-0-2024-1800)

    Vulnerability from cvelistv5 – Published: 2024-03-20 13:11 – Updated: 2024-08-01 18:48
    VLAI
    Title
    Progress Telerik Report Server Deserialization
    Summary
    In Progress® Telerik® Report Server versions prior to 2024 Q1 (10.0.24.130), a remote code execution attack is possible through an insecure deserialization vulnerability.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    References
    Impacted products
    Vendor Product Version
    Progress Software Corporation Telerik Report Server Affected: 1.00 , < 2024 Q1 (10.0.24.130) (semver)
    Create a notification for this product.
    progress_software telerik_report_server Affected: 1.0.0.0 , < 10.0.24.130 (custom)
        cpe:2.3:a:progress_software:telerik_report_server:1.0.0.0:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    HackerOne: 07842c0e165d4d2d8733dd4eab48b3ed0f7afe38 working with Trend Micro Zero Day Initiative
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress_software:telerik_report_server:1.0.0.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "affected",
                "product": "telerik_report_server",
                "vendor": "progress_software",
                "versions": [
                  {
                    "lessThan": "10.0.24.130",
                    "status": "affected",
                    "version": "1.0.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-1800",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-13T03:55:08.602515Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-13T14:30:50.592Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:48:22.048Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "product",
                  "x_transferred"
                ],
                "url": "https://www.telerik.com/report-server"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://docs.telerik.com/report-server/knowledge-base/deserialization-vulnerability-cve-2024-1800"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Telerik Report Server",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024 Q1 (10.0.24.130)",
                  "status": "affected",
                  "version": "1.00",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "HackerOne: 07842c0e165d4d2d8733dd4eab48b3ed0f7afe38 working with Trend Micro Zero Day Initiative"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn Progress\u00ae Telerik\u00ae Report Server versions prior to 2024 Q1\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e (10.0.24.130)\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ea remote code execution attack is possible through \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ea\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003en insecure deserialization vulnerability.\u003c/span\u003e"
                }
              ],
              "value": "\nIn Progress\u00ae Telerik\u00ae Report Server versions prior to 2024 Q1 (10.0.24.130), a remote code execution attack is possible through an insecure deserialization vulnerability."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-586",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-586 Object Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-03-20T13:11:41.461Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.telerik.com/report-server"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.telerik.com/report-server/knowledge-base/deserialization-vulnerability-cve-2024-1800"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Progress Telerik Report Server Deserialization",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-1800",
        "datePublished": "2024-03-20T13:11:41.461Z",
        "dateReserved": "2024-02-22T20:41:23.940Z",
        "dateUpdated": "2024-08-01T18:48:22.048Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }