CVE-2024-7293: 
Progress Telerik Reporting vulnerability analysis and mitigation

In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a password brute forcing attack is possible through weak password requirements. The vulnerability, identified as CVE-2024-7293, was discovered and disclosed in October 2024, affecting the authentication mechanism of the Telerik Report Server software (Vendor Advisory).

The vulnerability is classified as CWE-521 (Weak Password Requirements) and has received a CVSS v3.1 base score of 7.5 (HIGH) from Progress Software Corporation, with a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. The National Vulnerability Database (NVD) has assigned a higher CVSS score of 8.8 (HIGH) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows attackers to conduct password brute forcing attacks against user accounts due to insufficient password requirements in the system. This could potentially lead to unauthorized access to the Report Server and compromise of sensitive information (Security Online).

Progress Software has released version 2024 Q3 (10.2.24.806) to address this vulnerability. Organizations using affected versions of Telerik Report Server are strongly advised to upgrade to the patched version. Users can verify their current version by logging into the Report Server web UI with administrator rights, navigating to the Configuration page, and checking the About tab (Vendor Advisory).