
Progress Software has released patches for four newly discovered vulnerabilities in its Telerik Report Server. The flaws range from credential stuffing and brute-force attacks to a critical code execution vulnerability, and they pose serious risks to organizations using the tool.
The vulnerabilities, identified as CVE-2024-7292 (credential stuffing), CVE-2024-7293 (brute force), CVE-2024-7294 (DoS attack), and CVE-2024-8015 (code execution), affect Telerik Report Server versions prior to 2024 Q3 (10.2.24.924).
The most critical flaw is tracked as CVE-2024-8015. With a CVSS score of 9.1, it could allow attackers to gain complete control of the Report Server.
Progress Software has urged all users to update their Report Server deployments to the latest version (10.2.24.924) immediately.
For organizations unable to update to the patched version immediately, Progress Software recommends the following temporary mitigation: change the Report Server's Application Pool user to one with limited permissions.
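The following PowerShell audit is an added example, not code from Progress Software or the advisory. It checks a Windows host for a Report Server version below 10.2.24.924 and reports whether the IIS application pool runs under a privileged identity, which is the condition the interim mitigation addresses. It assumes the product registers under the standard Uninstall registry keys with a DisplayName beginning "Telerik Report Server", and the pool name is a placeholder.

```powershell
# Added example: audit patch level and app pool identity for Telerik Report Server.
# Assumptions: Uninstall-key registration (DisplayName 'Telerik Report Server*') and
# the pool name below, which is a placeholder for the real pool on the host.
Import-Module WebAdministration

$PatchedVersion = [version]'10.2.24.924'   # fixed version from the advisory
$AppPoolName    = 'TelerikReportServer'     # placeholder: substitute the real pool name

function Get-ReportServerVersion {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Telerik Report Server*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Test-ReportServerPatched {
    $installed = Get-ReportServerVersion
    if (-not $installed) {
        Write-Warning 'Telerik Report Server not found under the Uninstall keys'
        return $null
    }
    [pscustomobject]@{
        Installed = $installed
        Required  = $PatchedVersion.ToString()
        Patched   = ([version]$installed -ge $PatchedVersion)
    }
}

function Test-AppPoolLeastPrivilege {
    param([string]$Name = $AppPoolName)
    $pm = Get-ItemProperty "IIS:\AppPools\$Name" -Name processModel
    $identity = "$($pm.identityType)"       # e.g. LocalSystem, NetworkService, SpecificUser
    $account  = if ($identity -eq 'SpecificUser') { $pm.userName } else { $identity }
    # LocalSystem is unrestricted; a SpecificUser in local Administrators is equally bad.
    $isAdmin = $false
    if ($identity -eq 'SpecificUser') {
        $isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                          Where-Object { $_.Name -like "*\$($pm.userName.Split('\')[-1])" })
    }
    [pscustomobject]@{
        AppPool    = $Name
        Identity   = $account
        Privileged = ($identity -eq 'LocalSystem' -or $isAdmin)
    }
}

Test-ReportServerPatched
Test-AppPoolLeastPrivilege
```

A `Privileged` value of `True` means the pool still runs with more rights than the mitigation calls for; `ApplicationPoolIdentity` or a dedicated non-admin account is the intended end state until the host is on 10.2.24.924.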