New to Telerik Reporting? Download free 30-day trial

Cross-site scripting (XSS) and the legacy Telerik Reporting ASP.NET WebForms Report Viewer


Product Versions Up to R1 2017 SP2
Product Progress® Telerik® Reporting
Report Viewer Legacy ASP.NET WebForms Report Viewer


Cross-site scripting (XSS) with low impact is possible through the Telerik.ReportViewer.WebForms.dll in Telerik Reporting ASP.NET WebForms ReportViewer control before R1 2017 SP2 ( The Telerik.ReportViewer.axd handler allows third parties to inject arbitrary web script or HTML through the bgColor parameter.

Telerik Reporting Engine does not expose the application's server information to the client. Reports are processed and rendered server-side, where the AXD handler delivers the produced content at the client – includes ready HTML and CSS.

MITRE has rated this vulnerability as medium-severity (CVSS3: 6.1; CVSS2: 4.3) 


For customers on active maintenance, upgrade to Telerik Reporting version R1 2017 SP2 ( or above. 

In this article