CVE-2024-7840: 
Progress Telerik Reporting vulnerability analysis and mitigation

In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a command injection attack vulnerability was discovered through improper neutralization of hyperlink elements. The vulnerability was assigned CVE-2024-7840 and was disclosed in October 2024. The issue affects Telerik Reporting desktop Report Viewers and Standalone Report Designer applications where hyperlinks could contain custom commands to interact with additional applications (Telerik Advisory).

The vulnerability is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command 'Command Injection'). It received a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows command injection attacks through hyperlink elements in the desktop Report Viewers and Standalone Report Designer applications, potentially enabling interaction with additional applications on the system (Telerik Advisory).

Progress Telerik has addressed the issue and recommends upgrading to version 2024 Q3 (18.2.24.924). Users can verify their current version either by checking the REST service endpoint /api/reports/version/ or by examining PC Settings > Installed Apps > Telerik Reporting details (Telerik Advisory).