
Progress Software has fixed two vulnerabilities in its Telerik Reporting tools that could lead to full system compromise, allowing attackers to remotely execute code or inject malicious objects into affected systems.
The first vulnerability, tracked as CVE-2024-6327 with a CVSSv3.1 base score of 9.9, resides in Telerik Report Server, a popular solution for managing business reports. An attacker could exploit this flaw by sending specially crafted data to the server, triggering the deserialization of untrusted input. Successful exploitation could give the attacker the same level of control over the server as the application itself.
The second vulnerability, tracked as CVE-2024-6096, affects Telerik Reporting, the underlying engine used in Report Server and other products. It enables object injection due to unsafe type resolution: the application resolves a type named by the input rather than limiting itself to the types it expects. This poses a significant risk, allowing attackers to manipulate the application's behavior.
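The two advisories share one root cause: a deserializer that lets the payload decide which type to instantiate. The following is an added illustration of that pattern in Python, written for this page; it is not Telerik's code and assumes nothing about Telerik's internals. The `$type` field, the two application classes, and both payloads are constructed for the example. The unsafe resolver accepts any importable type name (the analogue of calling `Type.GetType` on untrusted input in .NET), while the hardened resolver only constructs types from a fixed allowlist and rejects constructor arguments the schema does not declare.

```python
"""Added illustration: object injection through unsafe type resolution.

A serializer that lets the payload name the class to instantiate delegates a
choice the application never intended to delegate. The hardened variant
resolves type names only through a fixed allowlist of application types.
"""
import importlib
import json
from dataclasses import dataclass, fields


# Two harmless application types, constructed for this example.
@dataclass
class ReportParameter:
    name: str
    value: str


@dataclass
class PageSettings:
    width: int
    height: int


# Constructed payloads in the "$type" style used by polymorphic serializers:
# the payload itself names the class the deserializer should build.
EXPECTED_PAYLOAD = '{"$type": "ReportParameter", "name": "region", "value": "EU"}'
# A payload naming a type the application never meant to construct. A benign
# standard-library type is used here; the point is that the sender, not the
# application, chooses the class.
UNEXPECTED_PAYLOAD = '{"$type": "datetime.timedelta", "days": 7}'


def unsafe_resolve(type_name: str) -> type:
    """Unsafe pattern: trusts the payload to name any importable type
    (the Python analogue of Type.GetType(name) on untrusted input)."""
    module_name, _, class_name = type_name.rpartition(".")
    module = importlib.import_module(module_name)
    return getattr(module, class_name)


def unsafe_deserialize(payload: str):
    """Builds whatever class the payload names, with payload-supplied
    constructor arguments. This is the object-injection primitive."""
    data = json.loads(payload)
    cls = unsafe_resolve(data.pop("$type"))
    return cls(**data)


# Hardened variant: an explicit allowlist keyed by short, application-defined
# names. No module path taken from the payload is ever imported.
ALLOWED_TYPES = {
    "ReportParameter": ReportParameter,
    "PageSettings": PageSettings,
}


class DisallowedTypeError(ValueError):
    """Raised when a payload names a type outside the allowlist."""


def safe_deserialize(payload: str):
    data = json.loads(payload)
    type_name = data.pop("$type", None)
    cls = ALLOWED_TYPES.get(type_name)
    if cls is None:
        raise DisallowedTypeError(f"type {type_name!r} is not permitted")
    # Reject unexpected constructor arguments as well, so a payload cannot
    # reach parameters the schema does not declare.
    expected = {f.name for f in fields(cls)}
    if set(data) != expected:
        raise DisallowedTypeError(
            f"fields {sorted(data)} do not match {sorted(expected)}"
        )
    return cls(**data)


def classify(payload: str) -> str:
    """Returns 'accepted' or 'rejected' for the hardened deserializer."""
    try:
        safe_deserialize(payload)
        return "accepted"
    except DisallowedTypeError:
        return "rejected"


if __name__ == "__main__":
    injected = unsafe_deserialize(UNEXPECTED_PAYLOAD)
    print("unsafe resolver built:", type(injected).__name__)
    print("hardened resolver, expected payload:", classify(EXPECTED_PAYLOAD))
    print("hardened resolver, unexpected payload:", classify(UNEXPECTED_PAYLOAD))
```

The allowlist is the essential control: resolving types by a short, application-defined key removes the payload's ability to name a module path at all, and checking the field set closes the second door, where an allowed type is constructed with arguments its schema never declared.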
Progress Software has released updates for both Report Server and Telerik Reporting, version 2024 Q2 (10.1.24.709 and 18.1.24.709 respectively). All users are strongly urged to update to these versions or later as soon as possible.