Vulnerability Management, Patch/Configuration Management

Critical Telerik Report Server vulnerability addressed


Progress Software has issued fixes for a critical insecure deserialization vulnerability in its Telerik Report Server, tracked as CVE-2024-6327, The Register reports.

All Telerik Report Server instances before version 10.1.24.709 are affected by the bug, which could be leveraged to achieve remote code execution, according to Progress Software. The firm also addressed a high-severity insecure type resolution issue in its Telerik Reporting tool, tracked as CVE-2024-6096, which could be exploited for RCE via object injection. The fixes come months after Progress Software patched a critical authentication bypass flaw, tracked as CVE-2024-4358, which Summoning Team researcher Sina Kheirkhah noted could potentially be chained with a deserialization of untrusted data vulnerability, tracked as CVE-2024-1800, to achieve complete RCE. Active exploitation of an older deserialization of untrusted data flaw in Telerik UI for ASP.NET AJAX, tracked as CVE-2019-18935, was previously reported by the Cybersecurity and Infrastructure Security Agency.
