CVE-2024-7295: 
Telerik Report Server vulnerability analysis and mitigation

In Progress® Telerik® Report Server versions prior to 2024 Q4 (10.3.24.1112), a vulnerability was identified where the encryption of local asset data utilized an older algorithm. This security issue is tracked as CVE-2024-7295 and was disclosed in November 2024 (Vendor Advisory).

The vulnerability is classified as CWE-798 (Use of Hard-coded Credentials). The issue has been assigned a CVSS v3.1 score of 7.1 HIGH with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, indicating local access, low attack complexity, no privileges required, and high confidentiality impact (NVD).

The vulnerability could allow a sophisticated actor to decrypt local asset data stored by the Report Server. This poses a significant confidentiality risk as it may expose sensitive information stored within the system (Vendor Advisory).

Progress Telerik recommends upgrading to version 2024 Q4 (10.3.24.1112) or later to address this vulnerability. Users can verify their current version by logging into the Report Server web UI with administrator rights, navigating to the Configuration page, and selecting the About tab (Vendor Advisory).