CVE-2017-9140

MEDIUM NUCLEI

Telerik Report Viewer <R1 2017 SP2 - XSS

Title source: llm

Description

Cross-site scripting (XSS) vulnerability in Telerik.ReportViewer.WebForms.dll in Telerik Reporting for ASP.NET WebForms Report Viewer control before R1 2017 SP2 (11.0.17.406) allows remote attackers to inject arbitrary web script or HTML via the bgColor parameter to Telerik.ReportViewer.axd.

Nuclei Templates (1)

Reflected XSS - Telerik Reporting Module

MEDIUMby dhiyaneshDk

References (3)

[Various Sources] http://www.telerik.com/support/whats-new/reporting/release-history/telerik-reporting-r1-2017-sp2-%28version-11-0-17-406%29

[Third Party Advisory] https://knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolving-Security-vulnerabilities-September-2018

[Third Party Advisory] https://www.veracode.com/blog/research/anatomy-cross-site-scripting-flaw-telerik-reporting-module

Scores

CVSS v3 6.1

EPSS 0.0513

EPSS Percentile 89.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (3)

progress/telerik_reporting < 11.0.17.406

progress/sitefinity_cms < 11.0

n/a/n/a

Published May 22, 2017

Tracked Since Feb 18, 2026