CVE-2024-4358
Registration Authentication Bypass Vulnerability
In short
An unauthenticated attacker can bypass login requirements on Telerik Report Server 2024 Q1 and earlier versions running on IIS, gaining unauthorized access to restricted features without needing valid credentials.
Technical detail
CWE-290 authentication bypass allows unauthenticated remote attackers to access restricted Telerik Report Server functionality on IIS deployments (version 10.0.24.305 and earlier). No authentication credentials are required to trigger the vulnerability, resulting in complete compromise of access controls.
Summary generated and translated by AI from the official description.
In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Progress Software Corporation · Telerik Report Serverpublic PoCs found — 7
githubgithub.com/sinsinology/CVE-2024-4358★ 79githubgithub.com/Sk1dr0wz/CVE-2024-4358_Mass_Exploit★ 26githubgithub.com/verylazytech/CVE-2024-4358★ 12githubgithub.com/RevoltSecurities/CVE-2024-4358★ 5githubgithub.com/gh-ost00/CVE-2024-4358★ 4githubgithub.com/Harydhk7/CVE-2024-4358★ 0exploitdbwww.exploit-db.com/exploits/52103unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →