docs: added CVE KBs (#1501)

CVEs:
- 2024-7840
- 2024-8014
- 2024-8048

knowledge-base/command-injection-cve-2024-7840.md

@@ -0,0 +1,45 @@
+---
+title: Command Injection Vulnerability
+description: "How to mitigate CVE-2024-7840, a command injection vulnerability for hyperlink content."
+slug: command-injection-vulnerability-cve-2024-7840
+res_type: kb
+---
+
+## Description
+
+Product Alert – September 2024 - [CVE-2024-7840](https://www.cve.org/CVERecord?id=CVE-2024-7840)
+
+- Telerik Reporting 2024 Q3 (18.2.24.806) or earlier.
+
+## Issue
+
+CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
+
+### What Are the Impacts
+
+In Progress® Telerik® Reporting, versions 2024 Q3 (18.2.24.806) or earlier, hyperlinks were permitted in the desktop Report Viewers and Standalone Report Designer applications to contain custom commands to interact with additional applications.
+
+## Solution
+
+We have addressed the issue and the Progress® Telerik® team recommends performing an upgrade to the version listed in the table below.
+
+| Current Version | Guidance |
+|-----------------|----------|
+| 2024 Q3 (18.2.24.806) or earlier | Update to 2024 Q3 (18.2.24.924) ([update instructions](({%slug telerikreporting/upgrade/overview%}))) |
+
+All customers who have a Telerik Reporting license can access the downloads here [Product Downloads | Your Account](https://www.telerik.com/account/downloads/product-download?product=REPORTING).
+
+## Notes
+
+- To check your current version of Telerik Reporting, there are two primary options:
+	+ If you’re using the REST service, you can visit the `/api/reports/version/` endpoint (e.g., https://demos.telerik.com/reporting/api/reports/version).
+	+ If you’re only using the desktop tooling, check **PC Settings** > **Installed Apps** > expand **Telerik Reporting** item for details.
+- If you have any questions or concerns related to this issue, open a new Technical Support case in [Your Account | Support Center](https://www.telerik.com/account/support-center/contact-us/). Technical Support is available to Telerik customers with an active support plan.
+
+## External References
+
+[CVE-2024-7840](https://www.cve.org/CVERecord?id=CVE-2024-7840) (HIGH)
+
+**CVSS:** 7.7
+
+In Progress® Telerik® Reporting versions prior to 2024 Q3 (18.2.24.924), a command injection attack is possible through improper neutralization of hyperlink elements.

knowledge-base/insecure-expression-evaluation-cve-2024-8048.md

@@ -0,0 +1,49 @@
+---
+title: Insecure Expression Evaluation Vulnerability
+description: "How to mitigate CVE-2024-8048, an insecure expression evaluation vulnerability in the standalone Report Designer."
+slug: insecure-expression-evaluation-cve-2024-8048
+res_type: kb
+---
+
+## Description
+
+Product Alert – September 2024 - [CVE-2024-8048](https://www.cve.org/CVERecord?id=CVE-2024-8048)
+
+- Telerik Reporting 2024 Q3 (18.2.24.806) or earlier.
+
+## Issue
+
+CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
+
+### What Are the Impacts
+
+In Progress® Telerik® Reporting, versions 2024 Q3 (18.2.24.806) or earlier, an insecure expression evaluation weakness is available in the desktop (standalone) Report Designer.
+
+## Solution
+
+We have addressed the issue and the Progress® Telerik® team recommends performing an upgrade to the version listed in the table below.
+
+| Current Version | Guidance |
+|-----------------|----------|
+| 2024 Q3 (18.2.24.806) or earlier | Update to 2024 Q3 (18.2.24.924) ([update instructions](({%slug telerikreporting/upgrade/overview%}))) |
+
+All customers who have a Telerik Reporting license can access the downloads here [Product Downloads | Your Account](https://www.telerik.com/account/downloads/product-download?product=REPORTING).
+
+## Notes
+
+- This issue only affects the Windows desktop standalone Report Designer, it does not affect Reporting's processing engine or REST services.
+- To check your current version of Telerik Reporting, there are two primary options:
+	+ If you’re using the REST service, you can visit the `/api/reports/version/` endpoint (e.g., https://demos.telerik.com/reporting/api/reports/version).
+	+ If you’re only using the desktop tooling, check **PC Settings** > **Installed Apps** > expand **Telerik Reporting** item for details.
+- If you have any questions or concerns related to this issue, open a new Technical Support case in [Your Account | Support Center](https://www.telerik.com/account/support-center/contact-us/). Technical Support is available to Telerik customers with an active support plan.
+- We would like to thank Markus Wulftange with CODE WHITE GmbH for their responsible disclosure and cooperation.
+
+## External References
+
+[CVE-2024-8048](https://www.cve.org/CVERecord?id=CVE-2024-8048) (HIGH)
+
+**CVSS:** 7.8
+
+In Progress® Telerik® Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible using object injection via insecure expression evaluation.
+
+Discoverer Credit: Markus Wulftange with CODE WHITE GmbH.

knowledge-base/insecure-type-resolution-cve-2024-8014.md

@@ -0,0 +1,48 @@
+---
+title: Insecure Type Resolution Vulnerability
+description: "How to mitigate CVE-2024-8014, an insecure type resolution vulnerability."
+slug: insecure-type-resolution-cve-2024-8014
+res_type: kb
+---
+
+## Description
+
+Product Alert – September 2024 - [CVE-2024-8014](https://www.cve.org/CVERecord?id=CVE-2024-8014)
+
+- Telerik Reporting 2024 Q3 (18.2.24.806) or earlier.
+
+## Issue
+
+CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
+
+### What Are the Impacts
+
+In Progress® Telerik® Reporting, versions 2024 Q3 (18.2.24.806) or earlier, a code execution attack is possible through an insecure type resolution vulnerability.
+
+## Solution
+
+We have addressed the issue and the Progress® Telerik® team recommends performing an upgrade to the version listed in the table below.
+
+| Current Version | Guidance |
+|-----------------|----------|
+| 2024 Q3 (18.2.24.806) or earlier | Update to 2024 Q3 (18.2.24.924) ([update instructions](({%slug telerikreporting/upgrade/overview%}))) |
+
+All customers who have a Telerik Reporting license can access the downloads here [Product Downloads | Your Account](https://www.telerik.com/account/downloads/product-download?product=REPORTING).
+
+## Notes
+
+- To check your current version of Telerik Reporting, there are two primary options:
+	+ If you’re using the REST service, you can visit the `/api/reports/version/` endpoint (e.g., https://demos.telerik.com/reporting/api/reports/version).
+	+ If you’re only using the desktop tooling, check **PC Settings** > **Installed Apps** > expand **Telerik Reporting** item for details.
+- If you have any questions or concerns related to this issue, open a new Technical Support case in [Your Account | Support Center](https://www.telerik.com/account/support-center/contact-us/). Technical Support is available to Telerik customers with an active support plan.
+- We would like to thank Markus Wulftange with CODE WHITE GmbH for their responsible disclosure and cooperation.
+
+## External References
+
+[CVE-2024-8014](https://www.cve.org/CVERecord?id=CVE-2024-8014) (HIGH)
+
+**CVSS:** 8.8
+
+In Progress® Telerik® Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible through object injection via an insecure type resolution vulnerability.
+
+Discoverer Credit: Markus Wulftange with CODE WHITE GmbH