Exploitation Summary
CVE-2017-9140 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
Cross-site scripting (XSS) vulnerability in Telerik.ReportViewer.WebForms.dll in Telerik Reporting for ASP.NET WebForms Report Viewer control before R1 2017 SP2 (11.0.17.406) allows remote attackers to inject arbitrary web script or HTML via the bgColor parameter to Telerik.ReportViewer.axd.
Nuclei Templates (1)
Reflected XSS - Telerik Reporting Module
MEDIUMby dhiyaneshDk
References (3)
Core 3
Core References
Various Sources x_refsource_confirm
http://www.telerik.com/support/whats-new/reporting/release-history/telerik-reporting-r1-2017-sp2-%28version-11-0-17-406%29
Third Party Advisory x_refsource_confirm
https://knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolving-Security-vulnerabilities-September-2018
Third Party Advisory x_refsource_misc
https://www.veracode.com/blog/research/anatomy-cross-site-scripting-flaw-telerik-reporting-module
Scores
CVSS v3
6.1
EPSS
0.0484
EPSS Percentile
89.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (2)
progress/sitefinity_cms
4.2 - 11.0
progress/telerik_reporting
< 11.0.17.406
Published
May 22, 2017
Tracked Since
Feb 18, 2026