Cross-site scripting (XSS) and the legacy Telerik Reporting ASP.NET WebForms Report Viewer
Environment
| Product | Progress® Telerik® Reporting |
| Product Versions | Before R1 2017 SP2 (11.0.17.406) |
| Report Viewer | Legacy ASP.NET WebForms Report Viewer |
Description
Cross-site scripting (XSS) of low impact is possible through Telerik.ReportViewer.WebForms.dll in the Telerik Reporting ASP.NET WebForms ReportViewer control before R1 2017 SP2 (11.0.17.406). The Telerik.ReportViewer.axd handler allows a third party to inject arbitrary web script or HTML through the bgColor parameter of a crafted request.
The Telerik Reporting engine does not expose the application's server information to the client: reports are processed and rendered server-side, and the AXD handler only delivers the produced output (ready HTML and CSS) to the client. Exploiting this issue therefore does not disclose server-side information about the application, which is why the impact is rated low.
MITRE has rated this vulnerability as medium severity (CVSS v3 base score 6.1; CVSS v2 base score 4.3).
Solution
For customers on active maintenance, upgrade to Telerik Reporting R1 2017 SP2 (11.0.17.406) or later. To confirm the fix is deployed, check the file version of Telerik.ReportViewer.WebForms.dll in the application's bin folder: it must be 11.0.17.406 or higher.
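The following is an added example, not code from Telerik or from this article. It covers both halves of the page: a version check that tells whether a deployed Telerik.ReportViewer.WebForms.dll is at or past the fixed build, and a scanner that walks IIS W3C log lines looking for requests to Telerik.ReportViewer.axd whose bgColor value is not a plain colour (hex triplet or colour keyword), which is what an injection attempt through this parameter looks like. The log field order (date time cs-method cs-uri-stem cs-uri-query sc-status) and the sample log lines are constructed assumptions; the colour allow-list is mine, not Telerik's validation logic.

```python
"""Detection helpers for the legacy WebForms Report Viewer bgColor XSS.

Constructed example. Assumes IIS W3C logs whose selected fields are, in
order: date time cs-method cs-uri-stem cs-uri-query sc-status.
"""
import re
from urllib.parse import parse_qs, unquote_plus

# Fixed build from the advisory: R1 2017 SP2.
FIXED_VERSION = (11, 0, 17, 406)

# Handler path compared case-insensitively (ASP.NET routes are case-insensitive).
HANDLER = "/telerik.reportviewer.axd"

# What a benign bgColor looks like: #RGB, #RRGGBB, or a bare colour keyword.
# This allow-list is an assumption for detection purposes; anything else
# (angle brackets, quotes, parentheses, javascript: ...) is flagged.
SAFE_COLOR = re.compile(r"^(#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]{1,20})$")


def parse_version(version: str) -> tuple:
    """'11.0.17.406' -> (11, 0, 17, 406) so tuples compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_fixed(dll_version: str) -> bool:
    """True if Telerik.ReportViewer.WebForms.dll is at or past the fixed build."""
    return parse_version(dll_version) >= FIXED_VERSION


def suspicious_bgcolor(query: str):
    """Return the decoded bgColor value if it is not a plain colour, else None."""
    params = parse_qs(query, keep_blank_values=True)
    # ASP.NET query parsing is case-insensitive, so match bgcolor/BGCOLOR too.
    values = [v for key, vs in params.items() if key.lower() == "bgcolor" for v in vs]
    for value in values:
        # parse_qs already URL-decoded once; a second pass unmasks double encoding.
        value = unquote_plus(value)
        if not SAFE_COLOR.match(value):
            return value
    return None


def scan_iis_log(lines):
    """Yield hits for requests to the AXD handler carrying a non-colour bgColor."""
    hits = []
    for line in lines:
        if not line or line.startswith("#"):  # directives such as #Fields:
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        date, time, method, stem, query, status = fields[:6]
        if stem.lower() != HANDLER or query == "-":
            continue
        bad = suspicious_bgcolor(query)
        if bad is not None:
            hits.append({"time": f"{date} {time}", "method": method,
                         "bgColor": bad, "status": status})
    return hits


# Constructed sample log; the third line carries an injection attempt.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2017-05-02 10:14:01 GET /Telerik.ReportViewer.axd bgColor=%23FFFFFF 200
2017-05-02 10:14:02 GET /Telerik.ReportViewer.axd bgColor=white 200
2017-05-02 10:15:33 GET /Telerik.ReportViewer.axd bgColor=%3Cscript%3Ealert(1)%3C/script%3E 200
2017-05-02 10:15:40 GET /Default.aspx - 200
"""

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG.splitlines()):
        print(hit)
    print("11.0.17.118 fixed:", is_fixed("11.0.17.118"))
    print("11.0.17.406 fixed:", is_fixed("11.0.17.406"))
```

The scanner deliberately flags on "not a colour" rather than on a payload signature, so encoded or obfuscated script still shows up; tune the allow-list if your reports legitimately pass rgb() or rgba() values.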