5 results (0.014 seconds)

CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0

In Progress Telerik Reporting versions prior to 2024 Q3 (2024.3.924), a command injection attack is possible through improper neutralization of hyperlink elements. In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a command injection attack is possible through improper neutralization of hyperlink elements. • https://docs.telerik.com/reporting/knowledge-base/command-injection-cve-2024-7840 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0

In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible using object injection via insecure expression evaluation. • https://docs.telerik.com/reporting/knowledge-base/insecure-expression-evaluation-cve-2024-8048 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible through object injection via an insecure type resolution vulnerability. • https://docs.telerik.com/reporting/knowledge-base/insecure-type-resolution-cve-2024-8014 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') •

CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0

In Progress® Telerik® Reporting versions prior to 2024 Q1 (18.0.24.130), a code execution attack is possible by a remote threat actor through an insecure deserialization vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Progress Software Telerik Reporting. Authentication is required to exploit this vulnerability. The specific flaw exists within the ObjectReader class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. • https://docs.telerik.com/reporting/knowledge-base/deserialization-vulnerability-cve-2024-1801-cve-2024-1856 https://www.telerik.com/products/reporting.aspx • CWE-502: Deserialization of Untrusted Data •

CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0

In Progress® Telerik® Reporting versions prior to 2024 Q1 (18.0.24.130), a code execution attack is possible by a local threat actor through an insecure deserialization vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Progress Software Telerik Reporting. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the ObjectReader class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. • https://docs.telerik.com/reporting/knowledge-base/deserialization-vulnerability-cve-2024-1801-cve-2024-1856 https://www.telerik.com/products/reporting.aspx • CWE-502: Deserialization of Untrusted Data •