CRITICAL🇵🇱 Wersja polska

CVE-2024-1800

CVSS 9.9v3.1pub. 2024-03-20upd. 2025-01-16

In Progress® Telerik® Report Server versions prior to 2024 Q1 (10.0.24.130), a remote code execution attack is possible through an insecure deserialization vulnerability.

🤖 AI Analysis
How it works

The vulnerability results from unsafe deserialization of user-supplied data (CWE-502). An attacker with an account in the application can submit a crafted payload that, during the server-side deserialization process, leads to arbitrary code execution. The network vector (AV:N) and low privilege requirements (PR:L) mean that the exploit can be performed remotely by an authenticated user without any user interaction on the victim's side. The scope of the attack extends beyond the component itself (S:C), suggesting the possibility of impacting other system resources.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code remotely (RCE) on the server, which can lead to complete system takeover, disclosure of sensitive data, and violation of service integrity and availability.

Mitigation & patch

Progress Telerik Report Server must be urgently updated to version 2024 Q1 (10.0.24.130) or newer. Detailed information from the vendor is available at: https://docs.telerik.com/report-server/knowledge-base/deserialization-vulnerability-cve-2024-1800

Who is affected

Progress Telerik Report Server in all versions prior to 2024 Q1 (10.0.24.130)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Progress Telerik Report Server

    APP
    Progress
    < 10.0.24.130
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2024-8015CRITICAL9.1PL ✓ten sam produkt

RCE w Progress Telerik Report Server przez insecure type resolution

CVE-2024-6327CRITICAL9.9PL ✓ten sam produkt

RCE przez insecure deserialization w Progress Telerik Report Server

CVE-2025-0556HIGH8.8ten sam produkt

In Progress® Telerik® Report Server, versions prior to 2025 Q1 (11.0.25.211) when using the older .NET Framewo...

CVE-2024-7295HIGH7.1ten sam produkt

In Progress® Telerik® Report Server versions prior to 2024 Q4 (10.3.24.1112), the encryption of local asset da...

CVE-2024-7292HIGH7.5ten sam produkt

In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a credential stuffing attack is p...