Merge pull request #630 from telerik/dkrastev/kb-command-injection-cve

icom85 · web-flow · commit 0a9228a17fe3 · 2024-09-25T13:06:43.000+03:00
Dkrastev/kb command injection CVE
diff --git a/knowledge-base/command-injection-cve-2024-7679.md b/knowledge-base/command-injection-cve-2024-7679.md
@@ -0,0 +1,46 @@
+---
+title: Command Injection Vulnerability
+description: "How to mitigate CVE-2024-7679, a command injection vulnerability when using hyperlinks."
+slug: command-injection-vulnerability-cve-2024-7679
+res_type: kb
+---
+
+## Description
+
+Product Alert – September 2024 - [CVE-2024-7679](https://www.cve.org/CVERecord?id=CVE-2024-7679)
+
+- Telerik UI for WinForms 2024 Q3 (2024.3.806) or earlier.
+
+## Issue
+
+CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
+
+### What Are the Impacts
+
+In Progress Telerik UI for WinForms versions prior to 2024 Q3 (2024.3.924), a command injection attack is possible through improper neutralization of hyperlink elements.
+
+## Solution
+
+We have addressed the issue and the Progress Telerik team recommends performing an upgrade to the version listed in the table below.
+
+| Current Version | Guidance |
+|-----------------|----------|
+| 2024 Q3 (2024.3.806) or earlier | Update to 2024 Q3 (2024.3.924) ([update instructions](({%slug how-to-upgrade-a-project%}))) |
+
+All customers who have a Telerik UI for WinForms license can access the downloads here [Product Downloads | Your Account](https://www.telerik.com/account/downloads/product-download?product=RCWPF).
+
+## Notes
+
+- If a RichTextBox, PdfViewer, or Spreadsheet is not used in the project, the application is not affected by this issue.
+- To check your version of Telerik UI for WinForms
+  - Via source code: Inspect the Version property of any of the Telerik.WinControls.* assembly references in the project.
+  - Via deployed application: Locate any Telerik.WinControls.* DLL file in the application's directory and view the Properties > Details > Version.
+- If you have any questions or concerns related to this issue, open a new Technical Support case in [Your Account | Support Center](https://www.telerik.com/account/support-center/contact-us/). Technical Support is available to Telerik customers with an active support plan.
+
+## External References
+
+[CVE-2024-7679](https://www.cve.org/CVERecord?id=CVE-2024-7679) (HIGH)
+
+**CVSS:** 7.8
+
+In Progress Telerik UI for WinForms versions prior to 2024 Q3 (2024.3.924), a command injection attack is possible through improper neutralization of hyperlink elements.
