CVE-2017-9140

Name of the Vulnerable Software and Affected Versions Telerik Reporting for ASP.NET WebForms Report Viewer control versions prior to 11.0.17.406

Description A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the bgColor parameter to "Telerik.ReportViewer.axd" API endpoint. This enables attackers to execute malicious scripts on the client-side.

Recommendations For versions prior to 11.0.17.406, update to version 11.0.17.406 or later to resolve the issue. As a temporary workaround, consider restricting access to the Telerik.ReportViewer.axd API endpoint to minimize the risk of exploitation. Avoid using the bgColor parameter in the affected API endpoint until the issue is resolved.