docs: added 4 CVE KBs

knowledge-base/improper-restriction-of-excessive-login-attempts-cve-2024-7292.md

@@ -0,0 +1,46 @@
+---
+title: Improper Restriction of Excessive Login Attempts
+description: "How to mitigate CVE-2024-7292, an improper restriction of excessive login attempts vulnerability."
+slug: improper-restriction-of-excessive-login-attempts-cve-2024-7292
+res_type: kb
+---
+
+## Description
+
+Product Alert – September 2024 - [CVE-2024-7292](https://www.cve.org/CVERecord?id=CVE-2024-7292)
+
+- Telerik Report Server 2024 Q3 (10.2.24.709) or earlier.
+
+## Issue
+
+CWE-307 Improper Restriction of Excessive Authentication Attempts
+
+### What Are the Impacts
+
+In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a credential stuffing attack is possible through improper restriction of excessive login attempts.
+
+## Solution
+
+We have addressed the issue and the Progress® Telerik® team recommends performing an upgrade to the version listed in the table below.
+
+| Current Version | Guidance |
+|-----------------|----------|
+| 2024 Q3 (10.2.24.709) or earlier | Update to 2024 Q3 (10.2.24.806) ([update instructions](({%slug upgrade%}))) |
+
+All customers who have a Telerik Report Server license can access the downloads here [Product Downloads | Your Account](https://www.telerik.com/account/downloads/product-download?product=REPSERVER).
+
+## Notes
+
+- You can check what version you are running by:
+  1. Go to your Report Server web UI and log in using an account with administrator rights.
+  1. Open the Configuration page (`~/Configuration/Index`).
+  1. Select the About tab, the version number is displayed in the pane on the right.
+- If you have any questions or concerns related to this issue, open a new Technical Support case in [Your Account | Support Center](https://www.telerik.com/account/support-center/contact-us/). Technical Support is available to Telerik customers with an active support plan.
+
+## External References
+
+[CVE-2024-7292](https://www.cve.org/CVERecord?id=CVE-2024-7292) (HIGH)
+
+**CVSS:** 7.5
+
+In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a credential stuffing attack is possible through improper restriction of excessive login attempts.

knowledge-base/insecure-type-resolution-cve-2024-8015.md

@@ -0,0 +1,55 @@
+---
+title: Insecure Type Resolution Vulnerability
+description: "How to mitigate CVE-2024-8015, an insecure type resolution vulnerability."
+slug: insecure-type-resolution-cve-2024-8015
+res_type: kb
+---
+
+## Description
+
+Product Alert – September 2024 - [CVE-2024-8015](https://www.cve.org/CVERecord?id=CVE-2024-8015)
+
+- Telerik Reporting 2024 Q3 (10.2.24.806) or earlier.
+
+## Issue
+
+CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
+
+### What Are the Impacts
+
+In Progress® Telerik® Report Server, versions 2024 Q3 (10.2.24.806) or earlier, a code execution attack is possible through an insecure type resolution vulnerability.
+
+## Solution
+
+We have addressed the issue and the Progress® Telerik® team recommends performing an upgrade to the version listed in the table below.
+
+| Current Version | Guidance |
+|-----------------|----------|
+| 2024 Q3 (10.2.24.806) or earlier | Update to 2024 Q3 (10.2.24.924) ([update instructions](({%slug upgrade%}))) |
+
+All customers who have a Telerik Reporting license can access the downloads here [Product Downloads | Your Account](https://www.telerik.com/account/downloads/product-download?product=REPSERVER).
+
+## Temporary Mitigation
+
+You can mitigate this vulnerability by changing Report Server’s Application Pool user to one with limited permissions.
+
+If you do not already have a procedure for creating a dedicated App Pool user, you can reference our [How To Change IIS User for Report Server](https://docs.telerik.com/report-server/knowledge-base/how-to-change-report-server-iis-user) KB article for additional assistance.
+
+## Notes
+
+- You can check what version you are running by:
+  1. Go to your Report Server web UI and log in using an account with administrator rights.
+  1. Open the Configuration page (`~/Configuration/Index`).
+  1. Select the About tab, the version number is displayed in the pane on the right.
+- If you have any questions or concerns related to this issue, open a new Technical Support case in [Your Account | Support Center](https://www.telerik.com/account/support-center/contact-us/). Technical Support is available to Telerik customers with an active support plan.
+- We would like to thank Markus Wulftange with CODE WHITE GmbH for their responsible disclosure and cooperation with CVE-2024-8014.
+
+## External References
+
+[CVE-2024-8015](https://www.cve.org/CVERecord?id=CVE-2024-8015) (CRITICAL)
+
+**CVSS:** 9.1
+
+In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.924), a code execution attack is possible through object injection via an insecure type resolution vulnerability.
+
+Discoverer Credit: Markus Wulftange with CODE WHITE GmbH

knowledge-base/uncontrolled-resource-consumption-cve-2024-7294.md

@@ -0,0 +1,46 @@
+---
+title: Uncontrolled Resource Consumption
+description: "How to mitigate CVE-2024-7294, an anonymous endpoints DoS vulnerability."
+slug: uncontrolled-resource-consumption-cve-2024-7294
+res_type: kb
+---
+
+## Description
+
+Product Alert – September 2024 - [CVE-2024-7294](https://www.cve.org/CVERecord?id=CVE-2024-7294)
+
+- Telerik Report Server 2024 Q3 (10.2.24.709) or earlier.
+
+## Issue
+
+CWE-400 Uncontrolled Resource Consumption
+
+### What Are the Impacts
+
+In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), an HTTP DoS attack is possible on anonymous endpoints without rate limiting.
+
+## Solution
+
+We have addressed the issue and the Progress® Telerik® team recommends performing an upgrade to the version listed in the table below.
+
+| Current Version | Guidance |
+|-----------------|----------|
+| 2024 Q3 (10.2.24.709) or earlier | Update to 2024 Q3 (10.2.24.806) ([update instructions](({%slug upgrade%}))) |
+
+All customers who have a Telerik Report Server license can access the downloads here [Product Downloads | Your Account](https://www.telerik.com/account/downloads/product-download?product=REPSERVER).
+
+## Notes
+
+- You can check what version you are running by:
+  1. Go to your Report Server web UI and log in using an account with administrator rights.
+  1. Open the Configuration page (`~/Configuration/Index`).
+  1. Select the About tab, the version number is displayed in the pane on the right.
+- If you have any questions or concerns related to this issue, open a new Technical Support case in [Your Account | Support Center](https://www.telerik.com/account/support-center/contact-us/). Technical Support is available to Telerik customers with an active support plan.
+
+## External References
+
+[CVE-2024-7294](https://www.cve.org/CVERecord?id=CVE-2024-7294) (HIGH)
+
+**CVSS:** 7.5
+
+In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), an HTTP DoS attack is possible on anonymous endpoints without rate limiting.

knowledge-base/weak-password-requirement-cve-2024-7293.md

@@ -0,0 +1,46 @@
+---
+title: Weak Password Requirement
+description: "How to mitigate CVE-2024-7293, a weak password requirement vulnerability."
+slug: weak-password-requirement-cve-2024-7293
+res_type: kb
+---
+
+## Description
+
+Product Alert – September 2024 - [CVE-2024-7293](https://www.cve.org/CVERecord?id=CVE-2024-7293)
+
+- Telerik Report Server 2024 Q3 (10.2.24.709) or earlier.
+
+## Issue
+
+CWE-521 Weak Password Requirements
+
+### What Are the Impacts
+
+In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a password brute forcing attack is possible through weak password requirements enforced by Report Server.
+
+## Solution
+
+We have addressed the issue and the Progress® Telerik® team recommends performing an upgrade to the version listed in the table below.
+
+| Current Version | Guidance |
+|-----------------|----------|
+| 2024 Q3 (10.2.24.709) or earlier | Update to 2024 Q3 (10.2.24.806) ([update instructions](({%slug upgrade%}))) |
+
+All customers who have a Telerik Report Server license can access the downloads here [Product Downloads | Your Account](https://www.telerik.com/account/downloads/product-download?product=REPSERVER).
+
+## Notes
+
+- You can check what version you are running by:
+  1. Go to your Report Server web UI and log in using an account with administrator rights.
+  1. Open the Configuration page (`~/Configuration/Index`).
+  1. Select the About tab, the version number is displayed in the pane on the right.
+- If you have any questions or concerns related to this issue, open a new Technical Support case in [Your Account | Support Center](https://www.telerik.com/account/support-center/contact-us/). Technical Support is available to Telerik customers with an active support plan.
+
+## External References
+
+[CVE-2024-7293](https://www.cve.org/CVERecord?id=CVE-2024-7293) (HIGH)
+
+**CVSS:** 7.5
+
+In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a password brute forcing attack is possible through weak password requirements.