CVE-2024-4358

critical

Description

In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.

From the Tenable Blog

CVE-2024-4358, CVE-2024-1800: Exploit Code Available for Critical Exploit Chain in Progress Telerik Report Server

Published: 2024-06-04

Researchers have released an exploit chain to achieve remote code execution on unpatched instances of Progress Telerik Report Server. Immediate patching is recommended.

References

https://www.helpnetsecurity.com/2024/07/26/cve-2024-6327/

https://www.tenable.com/blog/cve-2024-4358-cve-2024-1800-exploit-code-available-for-critical-exploit-chain

https://www.bleepingcomputer.com/news/security/exploit-for-critical-progress-telerik-auth-bypass-released-patch-now/

https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358

Details

Source: Mitre, NVD

Published: 2024-05-29

Updated: 2024-06-14

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical