Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-7292

Summary
Assigner-ProgressSoftware
Assigner Org ID-f9fea0b6-671e-4eea-8fde-31911902ae05
Published At-09 Oct, 2024 | 14:47
Updated At-16 Oct, 2024 | 15:01
Rejected At-
Credits

Account Controller allows high count of login attempts

In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a credential stuffing attack is possible through improper restriction of excessive login attempts.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:ProgressSoftware
Assigner Org ID:f9fea0b6-671e-4eea-8fde-31911902ae05
Published At:09 Oct, 2024 | 14:47
Updated At:16 Oct, 2024 | 15:01
Rejected At:
▼CVE Numbering Authority (CNA)
Account Controller allows high count of login attempts

In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a credential stuffing attack is possible through improper restriction of excessive login attempts.

Affected Products
Vendor
Progress Software CorporationProgress Software Corporation
Product
Telerik Report Server
Default Status
unaffected
Versions
Affected
  • From 1.0.0 before 2024 Q3 (10.2.24.806) (custom)
Problem Types
TypeCWE IDDescription
CWECWE-307CWE-307 Improper Restriction of Excessive Authentication Attempts
Type: CWE
CWE ID: CWE-307
Description: CWE-307 Improper Restriction of Excessive Authentication Attempts
Metrics
VersionBase scoreBase severityVector
3.17.5HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-600CAPEC-600 Credential Stuffing
CAPEC ID: CAPEC-600
Description: CAPEC-600 Credential Stuffing
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://docs.telerik.com/report-server/knowledge-base/improper-restriction-of-excessive-login-attempts-cve-2024-7292
N/A
Hyperlink: https://docs.telerik.com/report-server/knowledge-base/improper-restriction-of-excessive-login-attempts-cve-2024-7292
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Vendor
Progress Software Corporationprogress_software
Product
telerik_report_server
CPEs
  • cpe:2.3:a:progress_software:telerik_report_server:1.0.0.0:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 1.0.0.0 before 2024 Q3\/10.2.24.806\/ (custom)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@progress.com
Published At:09 Oct, 2024 | 15:15
Updated At:15 Oct, 2024 | 14:50

In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a credential stuffing attack is possible through improper restriction of excessive login attempts.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Secondary3.17.5HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CPE Matches
Progress Software Corporation
progress
>>telerik_report_server>>Versions before 10.2.24.806(exclusive)
cpe:2.3:a:progress:telerik_report_server:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-307Primarysecurity@progress.com
CWE ID: CWE-307
Type: Primary
Source: security@progress.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://docs.telerik.com/report-server/knowledge-base/improper-restriction-of-excessive-login-attempts-cve-2024-7292security@progress.com
Vendor Advisory
Hyperlink: https://docs.telerik.com/report-server/knowledge-base/improper-restriction-of-excessive-login-attempts-cve-2024-7292
Source: security@progress.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

7Records found
CVE-2024-7293
Matching Score-8
Assigner-Progress Software Corporation
ShareView Details
Matching Score-8
Assigner-Progress Software Corporation
CVSS Score-7.5||HIGH
EPSS-0.19% / 40.26%
||
7 Day CHG~0.00%
Published-09 Oct, 2024 | 14:43
Updated-15 Oct, 2024 | 14:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Password policy for new users is not strong enough

In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a password brute forcing attack is possible through weak password requirements.

Action-Not Available
Vendor-Progress Software Corporation
Product-telerik_reportingTelerik Report Servertelerik_report_server
CWE ID-CWE-521
Weak Password Requirements
CVE-2024-7294
Matching Score-8
Assigner-Progress Software Corporation
ShareView Details
Matching Score-8
Assigner-Progress Software Corporation
CVSS Score-7.5||HIGH
EPSS-0.30% / 53.60%
||
7 Day CHG~0.00%
Published-09 Oct, 2024 | 14:45
Updated-15 Oct, 2024 | 14:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uncontrolled resource consumption of anonymous endpoints

In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), an HTTP DoS attack is possible on anonymous endpoints without rate limiting.

Action-Not Available
Vendor-Progress Software Corporation
Product-telerik_reportingTelerik Report Servertelerik_report_server
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2024-1474
Matching Score-8
Assigner-Progress Software Corporation
ShareView Details
Matching Score-8
Assigner-Progress Software Corporation
CVSS Score-7.5||HIGH
EPSS-0.05% / 16.19%
||
7 Day CHG~0.00%
Published-21 Feb, 2024 | 15:33
Updated-02 Jan, 2025 | 13:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WS_FTP Server Reflected Cross-Site Scripting in Administrative Interface

In WS_FTP Server versions before 8.8.5, reflected cross-site scripting issues have been identified on various user supplied inputs on the WS_FTP Server administrative interface.

Action-Not Available
Vendor-Progress Software Corporation
Product-ws_ftp_serverWS_FTP Server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-0556
Matching Score-8
Assigner-Progress Software Corporation
ShareView Details
Matching Score-8
Assigner-Progress Software Corporation
CVSS Score-8.8||HIGH
EPSS-0.15% / 34.82%
||
7 Day CHG~0.00%
Published-12 Feb, 2025 | 15:11
Updated-20 Feb, 2025 | 20:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Telerik Report Server Clear Text Transmission of Agent Commands

In Progress® Telerik® Report Server, versions prior to 2025 Q1 (11.0.25.211) when using the older .NET Framework implementation, communication of non-sensitive information between the service agent process and app host process occurs over an unencrypted tunnel, which can be subjected to local network traffic sniffing.

Action-Not Available
Vendor-Progress Software Corporation
Product-telerik_report_serverTelerik Report Server
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2024-2449
Matching Score-8
Assigner-Progress Software Corporation
ShareView Details
Matching Score-8
Assigner-Progress Software Corporation
CVSS Score-7.5||HIGH
EPSS-3.32% / 87.37%
||
7 Day CHG~0.00%
Published-22 Mar, 2024 | 13:35
Updated-10 Feb, 2025 | 19:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LoadMaster Cross-Site Request Forgery (CSRF)

A cross-site request forgery vulnerability has been identified in LoadMaster.  It is possible for a malicious actor, who has prior knowledge of the IP or hostname of a specific LoadMaster, to direct an authenticated LoadMaster administrator to a third-party site. In such a scenario, the CSRF payload hosted on the malicious site would execute HTTP transactions on behalf of the LoadMaster administrator.

Action-Not Available
Vendor-Progress Software CorporationKemp
Product-loadmasterLoadMasterloadmaster
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2009-5140
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.48% / 65.25%
||
7 Day CHG~0.00%
Published-12 Feb, 2020 | 13:28
Updated-07 Aug, 2024 | 07:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The SIP implementation on the Linksys SPA2102 phone adapter provides hashed credentials in a response to an invalid authentication challenge, which makes it easier for remote attackers to obtain access via a brute-force attack, related to a "SIP Digest Leak" issue.

Action-Not Available
Vendor-n/aLinksys Holdings, Inc.
Product-spa2102spa2102_firmwaren/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2026-32025
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-7.5||HIGH
EPSS-0.09% / 25.81%
||
7 Day CHG~0.00%
Published-19 Mar, 2026 | 22:07
Updated-23 Mar, 2026 | 17:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenClaw < 2026.2.25 - Password Brute-Force via Browser-Origin WebSocket Authentication Bypass

OpenClaw versions prior to 2026.2.25 contain an authentication hardening gap in browser-origin WebSocket clients that allows attackers to bypass origin checks and auth throttling on loopback deployments. An attacker can trick a user into opening a malicious webpage and perform password brute-force attacks against the gateway to establish an authenticated operator session and invoke control-plane methods.

Action-Not Available
Vendor-OpenClaw
Product-openclawOpenClaw
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
Details not found