Vulnerability Description
Cross-site scripting (XSS) vulnerability in Telerik.ReportViewer.WebForms.dll in Telerik Reporting for ASP.NET WebForms Report Viewer control before R1 2017 SP2 (11.0.17.406) allows remote attackers to inject arbitrary web script or HTML via the bgColor parameter to Telerik.ReportViewer.axd.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Progress | Telerik Reporting | < 11.0.17.406 |
| Progress | Sitefinity CMS | >= 4.2, <= 11.0 |
Related Weaknesses (CWE)
References
- http://www.telerik.com/support/whats-new/reporting/release-history/telerik-repor
- https://knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolv (Third Party Advisory)
- https://www.veracode.com/blog/research/anatomy-cross-site-scripting-flaw-telerik (Third Party Advisory)
FAQ
What is CVE-2017-9140?
CVE-2017-9140 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Cross-site scripting (XSS) vulnerability in Telerik.ReportViewer.WebForms.dll in Telerik Reporting for ASP.NET WebForms Report Viewer control before R1 2017 SP2 (11.0.17.406) allows remote attackers t...
How severe is CVE-2017-9140?
CVE-2017-9140 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-9140?
Check the references section above for vendor advisories and patch information. Affected products include: Progress Telerik Reporting, Progress Sitefinity CMS.