CVE-2024-7840

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Oct 9, 2024 / Updated: 41d ago

CVSS 7.8 / EPSS 0.04% / High

Summary

In Progress Telerik Reporting versions prior to 2024 Q3 (2024.3.924), a command injection attack is possible through improper neutralization of hyperlink elements.

Impact

This vulnerability allows for a command injection attack, which could lead to unauthorized execution of commands on the affected system. The impact is severe, with high potential for compromising confidentiality, integrity, and availability of the affected system. The CVSS base score is 7.8 (High), indicating a significant risk. The attack requires local access and user interaction, but no privileges are needed to exploit it.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

A patch is available. The vulnerability has been addressed in Progress Telerik Reporting version 2024 Q3 (2024.3.924) and later.

Mitigation

1. Update Progress Telerik Reporting to version 2024.3.924 or later as soon as possible.
2. If immediate patching is not feasible, implement strict input validation and sanitization for hyperlink elements.
3. Limit local access and enforce strong user authentication mechanisms.
4. Educate users about the risks of interacting with untrusted content or links.
5. Monitor systems for suspicious activities related to command execution.
6. Apply the principle of least privilege to minimize the potential impact of successful exploits.

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-7840

Oct 9, 2024 at 3:15 PM
CVSS

A CVSS base score of 7.8 has been assigned.

Oct 9, 2024 at 3:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-7840.

Oct 9, 2024 at 3:21 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 9, 2024 at 3:21 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.7%)

Oct 10, 2024 at 10:30 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (208748)

Oct 11, 2024 at 7:15 PM

Affected Systems

Progress/telerik_reporting

Patches

docs.telerik.com

Attack Patterns

CAPEC-136: LDAP Injection

CVSS V3.1

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
