Cross-site scripting (XSS) and the legacy Telerik Reporting ASP.NET WebForms Report Viewer

Environment

Product Versions Up to R1 2017 SP2
Product Progress® Telerik® Reporting
Report Viewer Legacy ASP.NET WebForms Report Viewer

Description

Cross-site scripting (XSS) with low impact is possible through the Telerik.ReportViewer.WebForms.dll in Telerik Reporting ASP.NET WebForms ReportViewer control before R1 2017 SP2 (11.0.17.406). The Telerik.ReportViewer.axd handler allows third parties to inject arbitrary web script or HTML through the bgColor parameter.

Telerik Reporting Engine does not expose the application's server information to the client. Reports are processed and rendered server-side, where the AXD handler delivers the produced content at the client – includes ready HTML and CSS.

MITRE has rated this vulnerability as medium-severity (CVSS3: 6.1; CVSS2: 4.3) 
 

Solution

For customers on active maintenance, upgrade to Telerik Reporting version R1 2017 SP2 (11.0.17.406) or above. 

In this article
Not finding the help you need? Improve this article