Progress Software urges users to update their instances of Telerik Report Server after discovering a critical security flaw that could lead to remote code execution.
The vulnerability, tracked as CVE-2024-6327 (CVSS score: 9.9), affects Report Server version 2024 Q2 (10.1.24.514) and earlier.
“Remote code execution attacks are possible in versions of the Progress Telerik Report Server prior to Q2 2024 (10.1.24.709) via a dangerous deserialization vulnerability,” the company said in a statement.
Deserialization flaws occur when an application reconstructs untrusted data that an attacker controls without proper validation, which can result in the execution of unauthorized commands.
Progress Software said the flaw was fixed in version 10.1.24.709. As a temporary mitigation, it is recommended that you change the user for the report server application pool to a user with limited permissions.
Admins can check if their servers are vulnerable by following these steps:
- Go to the report server web interface and log in using an account with administrator rights.
- Open the configuration page (~/Configuration/Index).
- Select the “About” tab; the version number will be displayed in the panel on the right.
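The manual check above ends with a build number read from the About tab. The following added example (not Progress Software's code) shows the comparison behind that check: it parses a dotted build number and flags anything below the fixed build 10.1.24.709 as affected by CVE-2024-6327. The sample inventory of version strings is constructed for illustration.

```python
"""Classify Telerik Report Server build numbers against the CVE-2024-6327 fix.

Added example, not from the vendor. Only the version comparison behind the
manual About-tab check is implemented; the build numbers come from the
advisory quoted above, the sample inventory below is constructed.
"""
from __future__ import annotations

FIXED_VERSION = "10.1.24.709"   # first build containing the CVE-2024-6327 fix
LAST_AFFECTED = "10.1.24.514"   # 2024 Q2 build named as affected


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '10.1.24.709' into (10, 1, 24, 709) so segments compare numerically.

    A plain string comparison would rank '10.1.24.9' above '10.1.24.709',
    so each segment is converted to an int. Malformed input raises ValueError.
    """
    parts = version.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable_to_cve_2024_6327(version: str) -> bool:
    """True when the build predates the fixed release 10.1.24.709."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(versions: list[str]) -> dict[str, str]:
    """Map each reported build to 'vulnerable', 'fixed' or 'unparseable'.

    Unparseable values are reported rather than dropped, so an odd About-tab
    string never silently disappears from an inventory review.
    """
    result: dict[str, str] = {}
    for v in versions:
        try:
            result[v] = "vulnerable" if is_vulnerable_to_cve_2024_6327(v) else "fixed"
        except ValueError:
            result[v] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory of build numbers read from several servers.
    sample = [LAST_AFFECTED, FIXED_VERSION, "10.0.24.130", "10.1.24.9", "n/a"]
    for build, status in triage(sample).items():
        print(f"{build:>12}  {status}")
```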
The disclosure comes nearly two months after the company patched another critical flaw in the same software (CVE-2024-4358, CVSS score: 9.8) that could be used by a remote attacker to bypass authentication and create fake admin users.