Cross-site scripting (XSS) and the legacy Telerik Reporting ASP.NET WebForms Report Viewer
| | |
|---|---|
| Product Versions | Up to R1 2017 SP2 |
| Product | Progress® Telerik® Reporting |
| Report Viewer | Legacy ASP.NET WebForms Report Viewer |
Cross-site scripting (XSS) with low impact is possible through the Telerik.ReportViewer.WebForms.dll in Telerik Reporting ASP.NET WebForms ReportViewer control before R1 2017 SP2 (220.127.116.116). The Telerik.ReportViewer.axd handler allows third parties to inject arbitrary web script or HTML through the bgColor parameter.
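The advisory identifies the handler (`Telerik.ReportViewer.axd`) and the parameter (`bgColor`) as the reflection point. The example below is added here and is not Telerik's code: it shows the two things a defender would want, a strict allow-list validator for a background colour value (the mitigation shape; Telerik's actual fix is not described on this page and this validator is an assumption about it), and a scan of IIS W3C log lines that flags requests to the handler whose `bgColor` value does not pass that allow-list. The log lines, hosts and client IPs are constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Allow-list for a background colour: #RGB, #RRGGBB or a plain colour name.
# Anything else (markup, quotes, CSS terminators) is rejected outright.
COLOR_RE = re.compile(r"^(#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[A-Za-z]{1,20})$")

def is_safe_bgcolor(value: str) -> bool:
    """True only if the value is a plausible CSS colour token."""
    return bool(COLOR_RE.match(value))

def sanitize_bgcolor(value: str, default: str = "#FFFFFF") -> str:
    """Mitigation shape: keep the value if it passes the allow-list, else fall back."""
    return value if is_safe_bgcolor(value) else default

# Constructed IIS W3C log excerpt (hypothetical hosts and IPs). Field order assumed:
# date time cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
SAMPLE_LOG = """\
2017-03-01 10:00:01 GET /Telerik.ReportViewer.axd bgColor=%23FFFFFF 443 10.0.0.5 200
2017-03-01 10:00:02 GET /Telerik.ReportViewer.axd bgColor=%3Cscript%3Ealert(1)%3C%2Fscript%3E 443 10.0.0.9 200
2017-03-01 10:00:03 GET /Reports/Default.aspx - 443 10.0.0.5 200
2017-03-01 10:00:04 GET /Telerik.ReportViewer.axd bgColor=white 443 10.0.0.5 200
"""

def suspicious_requests(log_text: str) -> list:
    """Return requests to the report viewer handler whose bgColor is not a colour."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):      # skip blanks and W3C directives
            continue
        parts = line.split()
        if len(parts) < 8:
            continue
        date, time, _method, stem, query, _port, client_ip, _status = parts[:8]
        if not stem.lower().endswith("telerik.reportviewer.axd"):
            continue
        # parse_qs percent-decodes values, so %3C becomes '<' before the check.
        params = parse_qs(query, keep_blank_values=True) if query != "-" else {}
        for key, values in params.items():
            if key.lower() != "bgcolor":
                continue
            for v in values:
                if not is_safe_bgcolor(v):
                    hits.append({"time": f"{date} {time}", "client_ip": client_ip, "bgcolor": v})
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client_ip']} rejected bgColor={hit['bgcolor']!r}")
```

Run against real IIS logs, the scanner gives a quick retrospective check for whether the parameter was ever probed on an unpatched viewer; the validator illustrates why a narrow allow-list is preferable to output encoding alone for a value that ends up inside generated CSS.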
The Telerik Reporting Engine does not expose the application's server information to the client. Reports are processed and rendered server-side, and the AXD handler delivers the produced content, ready-made HTML and CSS, to the client.
MITRE has rated this vulnerability as medium severity (CVSS3: 6.1; CVSS2: 4.3).
For customers on active maintenance, upgrade to Telerik Reporting version R1 2017 SP2 (18.104.22.1686) or above.