
Cross-site scripting (XSS) and the legacy Telerik Reporting ASP.NET WebForms Report Viewer

Environment

Product Versions:  Up to R1 2017 SP2
Product:           Progress® Telerik® Reporting
Report Viewer:     Legacy ASP.NET WebForms Report Viewer

Description

Cross-site scripting (XSS) with low impact is possible through the Telerik.ReportViewer.WebForms.dll in Telerik Reporting ASP.NET WebForms ReportViewer control before R1 2017 SP2 (11.0.17.406). The Telerik.ReportViewer.axd handler allows third parties to inject arbitrary web script or HTML through the bgColor parameter.

The Telerik Reporting Engine does not expose the application's server information to the client. Reports are processed and rendered server-side, and the AXD handler delivers the produced content (ready-made HTML and CSS) to the client.

MITRE has rated this vulnerability as medium severity (CVSS3: 6.1; CVSS2: 4.3).
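The description above names the injection point (the bgColor query parameter of the Telerik.ReportViewer.axd handler) but gives no way to check whether an affected viewer has been probed. The following added example, which is not Telerik's code and not part of this article, shows two defender-side checks in Python: a strict allowlist for what a background-colour value may look like (hex or a short list of CSS colour names, an assumption about what a legitimate client sends), and a scan of IIS W3C log lines for requests to the handler whose bgColor value fails that allowlist. The log lines are constructed for the example; the handler path and the parameter name come from the article.

```python
"""Added example (not Telerik's code): allowlist a bgColor value and flag
requests to the legacy Telerik.ReportViewer.axd handler whose bgColor does
not look like a colour. Useful for reviewing IIS logs of a site that ran a
viewer older than R1 2017 SP2."""
import re
from urllib.parse import parse_qs

# Handler path from the article; compared case-insensitively because IIS
# serves .axd handlers regardless of path casing.
HANDLER = "/telerik.reportviewer.axd"

# Strict allowlist: "#RGB", "#RRGGBB", or a named CSS colour. The named list
# is deliberately short (assumption); extend it if your viewer pages use more.
_HEX_COLOR = re.compile(r"^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$")
_NAMED_COLORS = {"white", "black", "red", "green", "blue", "gray", "grey",
                 "silver", "yellow", "navy", "transparent"}


def is_safe_bgcolor(value: str) -> bool:
    """True only if the value is a plain colour literal; anything containing
    markup, quotes or CSS punctuation fails the allowlist."""
    value = value.strip()
    return bool(_HEX_COLOR.match(value)) or value.lower() in _NAMED_COLORS


# Constructed IIS W3C log sample (not real traffic). Fields follow the
# "#Fields:" header; "-" means the request carried no query string.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2017-03-01 10:00:01 10.0.0.5 GET /Telerik.ReportViewer.axd bgColor=%23FFFFFF 200
2017-03-01 10:00:02 10.0.0.6 GET /Telerik.ReportViewer.axd bgColor=%3Cb%3Ex%3C%2Fb%3E 200
2017-03-01 10:00:03 10.0.0.7 GET /Default.aspx - 200
2017-03-01 10:00:04 10.0.0.8 GET /telerik.reportviewer.axd BGCOLOR=white 200
"""


def suspicious_requests(log_text: str) -> list:
    """Return one finding per request to the handler whose bgColor value
    fails is_safe_bgcolor(). Parameter names are matched case-insensitively
    because ASP.NET query-string lookups are case-insensitive."""
    findings = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 7:
            continue  # malformed line; skip rather than guess field positions
        date, time_, client_ip, method, stem, query, status = parts[:7]
        if stem.lower() != HANDLER or query == "-":
            continue
        params = parse_qs(query, keep_blank_values=True)  # percent-decodes values
        for name, values in params.items():
            if name.lower() != "bgcolor":
                continue
            for raw in values:
                if not is_safe_bgcolor(raw):
                    findings.append({
                        "timestamp": f"{date} {time_}",
                        "client_ip": client_ip,
                        "method": method,
                        "bgColor": raw,
                        "status": status,
                    })
    return findings


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['client_ip']} bgColor={hit['bgColor']!r}")
```

The allowlist is intentionally narrower than what browsers accept as a colour (no rgb()/hsl() forms), because the goal here is to separate colour literals from injected markup, not to validate CSS. Run the scan over exported IIS logs for the period before the upgrade to R1 2017 SP2; a hit is evidence of probing, and the upgrade remains the fix.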
 

Solution

For customers on active maintenance, upgrade to Telerik Reporting version R1 2017 SP2 (11.0.17.406) or above. 
