Progress Patches Critical Vulnerability in Telerik Report Server
04-June-24
A critical vulnerability (CVE-2024-4358) in Progress Software’s Telerik Report Server, with a CVSS score of 9.8, allows unauthenticated attackers to bypass authentication and create an administrator user. This vulnerability, caused by the Register method’s failure to validate the current installation step, enables attackers to supply specific parameters to gain admin access. Exploitation can lead to remote code execution (RCE) via an insecure deserialization flaw (CVE-2024-1800) in the ObjectReader class, addressed in version 2024 Q1 (10.0.24.130) of the Report Server. Users are urged to update their instances immediately, as proof-of-concept code is available.
