In Progress® Telerik® Report Server versions prior to 2024 Q1 (10.0.24.130), a remote code execution attack is possible through an insecure deserialization vulnerability.
The vulnerability results from unsafe deserialization of user-supplied data (CWE-502). An attacker with an account in the application can submit a crafted payload that, during the server-side deserialization process, leads to arbitrary code execution. The network vector (AV:N) and low privilege requirements (PR:L) mean that the exploit can be performed remotely by an authenticated user without any user interaction on the victim's side. The scope of the attack extends beyond the component itself (S:C), suggesting the possibility of impacting other system resources.
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code remotely (RCE) on the server, which can lead to complete system takeover, disclosure of sensitive data, and violation of service integrity and availability.
Progress Telerik Report Server must be urgently updated to version 2024 Q1 (10.0.24.130) or newer. Detailed information from the vendor is available at: https://docs.telerik.com/report-server/knowledge-base/deserialization-vulnerability-cve-2024-1800
Progress Telerik Report Server in all versions prior to 2024 Q1 (10.0.24.130)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HProgress Telerik Report Server
APPProgress< 10.0.24.130
Related vulnerabilities
RCE w Progress Telerik Report Server przez insecure type resolution
RCE przez insecure deserialization w Progress Telerik Report Server
In Progress® Telerik® Report Server, versions prior to 2025 Q1 (11.0.25.211) when using the older .NET Framewo...
In Progress® Telerik® Report Server versions prior to 2024 Q4 (10.3.24.1112), the encryption of local asset da...
In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a credential stuffing attack is p...