Security

    New to Telerik UI for WinUI? Download free 30-day trial

    Description

    Product Alert - February 2025 - CVE-2024-12251

    • Telerik UI for WinUI 2022 R2 (2.0.0) to 2024 Q4 (2.11.0)

    Issue

    CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

    What Are the Impacts

    In Progress® Telerik® UI for WinUI versions prior to 2025 Q1 (3.0.0), a command injection attack is possible through improper neutralization of hyperlink elements.

    Solution

    Updating to at least version UI for WinUI 2025 Q1 (3.0.0) is the only way to remove this vulnerability. We have addressed the issue and the Progress Telerik team recommends performing an upgrade to the version listed in the table below.

    Current Version Guidance
    2022 R2 (2.0.0) to 2024 Q4 (2.11.0) Update to 2025 Q1 (3.0.0) (update instructions)

    All customers who have a Telerik UI for WinUI license can access the downloads here Product Downloads | Your Account.

    Notes

    • If a PdfViewer is not used in the application, it is not affected by this issue.
    • To check your version of Telerik UI for WinUI
      • Via source code: Inspect the Version property of any of the Telerik.UI.for.WinUI.* NuGet package reference(s) in the project.
      • Via deployed application: Locate any Telerik.WinUI.* DLL file in the application's directory and view the Properties > Details > Version.
    • If you have any questions or concerns related to this issue, open a new Technical Support case in Your Account | Support Center. Technical Support is available to Telerik customers with an active support plan.

    External References

    CVE-2024-12251 (HIGH)

    CVSS: 7.8

    In Progress® Telerik® UI for WinUI versions prior to 2025 Q1 (3.0.0), a command injection attack is possible through improper neutralization of hyperlink elements.

    In this article
    Related articles
    Not finding the help you need?