CVE-2024-7292: 
Telerik Report Server vulnerability analysis and mitigation

In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a credential stuffing attack vulnerability was discovered due to improper restriction of excessive login attempts. The vulnerability, tracked as CVE-2024-7292, was disclosed on October 9, 2024, and received a CVSS v3.1 base score of 8.8 (HIGH) from NIST NVD and 7.5 (HIGH) from Progress Software Corporation (NVD, Vendor Advisory).

The vulnerability is classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts). The CVSS vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H indicates that the vulnerability can be exploited remotely with low attack complexity, requires no privileges, but does need user interaction. The potential impact includes high severity ratings for confidentiality, integrity, and availability (NVD).

The vulnerability allows attackers to perform credential stuffing attacks against the Telerik Report Server. This could potentially lead to unauthorized access to the system, compromising sensitive information and system integrity (Security Online).

Progress Software has released version 2024 Q3 (10.2.24.806) to address this vulnerability. Users are strongly recommended to upgrade to this version or later to mitigate the risk (Vendor Advisory).