CVE-2024-4358

critical

Description

In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.

References

https://www.rapid7.com/blog/post/2024/06/14/metasploit-weekly-wrap-up-06-14-2024/

https://thecyberthrone.in/2024/06/14/cisa-kev-catalog-update-part-ii-june-2024/

https://securityaffairs.com/164525/security/cisa-adds-android-pixel-microsoft-windows-progress-telerik-report-server-known-exploited-vulnerabilities-catalog.html

https://securityaffairs.com/164292/security/security-affairs-newsletter-round-475-by-pierluigi-paganini-international-edition.html

https://medium.com/@arafatx90n/cve-2024-4358-critical-flaw-found-in-progress-telerik-report-server-0f379f844819?source=rss------bug_bounty-5

https://medium.com/@verylazytech/authentication-bypass-vulnerability-cve-2024-4358-telerik-report-server-2024-388a8ddcf257?source=rss------hacking-5

https://medium.com/@verylazytech/authentication-bypass-vulnerability-cve-2024-4358-telerik-report-server-2024-388a8ddcf257?source=rss------exploit-5

https://www.tenable.com/blog/cve-2024-4358-cve-2024-1800-exploit-code-available-for-critical-exploit-chain

https://securityaffairs.com/164114/hacking/progress-telerik-report-servers-poc.html

https://www.bleepingcomputer.com/news/security/exploit-for-critical-progress-telerik-auth-bypass-released-patch-now/

https://thecyberthrone.in/2024/05/31/progress-telerik-fixes-cve-2024-4358/

https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358

Details

Source: Mitre, NVD

Published: 2024-05-29

Updated: 2024-06-14

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical