CVE-2024-4358

🗓️ 29 May 2024 14:51:21Reported by ProgressSoftwareType

cve🔗 web.nvd.nist.gov📰️ 2 Media mentions👁 257 Views🌐 WEB

Telerik Report Server authentication bypass CVE-2024-4358

Reporter	Title	Published	Views	Family All 34
GithubExploit	Exploit for Authentication Bypass by Spoofing in Telerik Report_Server_2024	4 Jun 202411:32	–	githubexploit
GithubExploit	Exploit for Authentication Bypass by Spoofing in Telerik Report_Server_2024	4 Jun 202416:07	–	githubexploit
GithubExploit	Exploit for Authentication Bypass by Spoofing in Telerik Report_Server_2024	5 Jun 202401:05	–	githubexploit
GithubExploit	Exploit for Authentication Bypass by Spoofing in Telerik Report_Server_2024	3 Jun 202408:22	–	githubexploit
GithubExploit	Exploit for Authentication Bypass by Spoofing in Telerik Report_Server_2024	24 Aug 202410:09	–	githubexploit
GithubExploit	Exploit for Authentication Bypass by Spoofing in Telerik Report_Server_2024	9 Jun 202406:30	–	githubexploit
GithubExploit	Exploit for Authentication Bypass by Spoofing in Telerik Report_Server_2024	24 Aug 202410:09	–	githubexploit
0day.today	Telerik Report Server Authentication Bypass / Remote Code Execution Exploit	13 Jun 202400:00	–	zdt
ATTACKERKB	CVE-2024-4358	29 May 202400:00	–	attackerkb
Circl	CVE-2024-4358	30 May 202413:10	–	circl

NVD

Node

telerik report_server_2024Range≤10.0.24.305

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Windows"
    ],
    "product": "Telerik Report Server",
    "vendor": "Progress Software Corporation",
    "versions": [
      {
        "lessThan": "10.1.24.514",
        "status": "affected",
        "version": "1.0.0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
docs	www.docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358
cisa	www.cisa.gov/known-exploited-vulnerabilities-catalog

Parameter	Position	Path	Description	CWE
reportName	request body	/api/reportserver/report	Upload of a crafted .trdp payload to trigger insecure deserialization and remote code execution during report processing	CWE-290
categoryName	request body	/api/reportserver/report	Upload of a crafted .trdp payload to trigger insecure deserialization and remote code execution during report processing	CWE-290
description	request body	/api/reportserver/report	Upload of a crafted .trdp payload to trigger insecure deserialization and remote code execution during report processing	CWE-290
reportContent	request body	/api/reportserver/report	Upload of a crafted .trdp payload to trigger insecure deserialization and remote code execution during report processing	CWE-290
extension	request body	/api/reportserver/report	Upload of a crafted .trdp payload to trigger insecure deserialization and remote code execution during report processing	CWE-290
timeStamp	request body	/api/reports/clients	Create a report client entry as part of the exploitation flow to obtain a clientId for subsequent steps	CWE-290
report	request body	/api/reports/clients/{clientId}/parameters	Set report parameters for the created report to complete the deserialization exploit chain	CWE-290
parameterValues	request body	/api/reports/clients/{clientId}/parameters	Set report parameters for the created report to complete the deserialization exploit chain	CWE-290

31 Oct 2025 21:57Current

9.9High risk

Vulners AI Score9.9

CVSS 3.19.8

EPSS0.94344

SSVC