
Critical Telerik Report Server Security Vulnerability Fixed

Progress Software has released patches for a critical deserialization vulnerability in its Telerik Report Server, tracked as CVE-2024-6327, The Register reports.

All Telerik Report Server instances prior to version 10.1.24.709 are affected by a bug that could be exploited to achieve remote code execution, according to Progress Software. The company has also addressed a serious unsafe type resolution issue in its Telerik Reporting tool, tracked as CVE-2024-6096, that could be exploited for an object injection RCE attack. This development comes months after Progress Software patched another critical flaw, tracked as CVE-2024-4358, which Summoning Team researcher Sina Kheirkhah noted could potentially be chained with an insecure deserialization vulnerability, tracked as CVE-2024-1800, to achieve full RCE. Active exploitation of the legacy Telerik UI for ASP.NET AJAX untrusted data deserialization vulnerability, tracked as CVE-2019-18935, was previously reported by the Cybersecurity and Infrastructure Security Agency (CISA). Administrators running Telerik Report Server or Telerik Reporting should confirm their installed version against the fixed release and update.