---
title: Insecure Expression Evaluation Vulnerability
description: "How to mitigate CVE-2024-8048, an insecure expression evaluation vulnerability in the standalone Report Designer."
slug: insecure-expression-evaluation-cve-2024-8048
res_type: kb
---

## Description

Product Alert – September 2024

- [CVE-2024-8048](https://www.cve.org/CVERecord?id=CVE-2024-8048)
- Telerik Reporting 2024 Q3 (18.2.24.806) or earlier.

## Issue

CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

### What Are the Impacts

In Progress® Telerik® Reporting, versions 2024 Q3 (18.2.24.806) or earlier, an insecure expression evaluation weakness is present in the desktop (standalone) Report Designer.

## Solution

We have addressed the issue, and the Progress® Telerik® team recommends upgrading to the version listed in the table below.

| Current Version | Guidance |
|-----------------|----------|
| 2024 Q3 (18.2.24.806) or earlier | Update to 2024 Q3 (18.2.24.924) ([update instructions]({%slug telerikreporting/upgrade/overview%})) |

All customers who have a Telerik Reporting license can access the downloads here: [Product Downloads | Your Account](https://www.telerik.com/account/downloads/product-download?product=REPORTING).

## Notes

- This issue affects only the Windows desktop standalone Report Designer; it does not affect Reporting's processing engine or REST services.
- To check your current version of Telerik Reporting, there are two primary options:
  + If you're using the REST service, visit the `/api/reports/version/` endpoint (e.g., https://demos.telerik.com/reporting/api/reports/version).
  + If you're only using the desktop tooling, check **PC Settings** > **Installed Apps** > expand the **Telerik Reporting** item for details.
- If you have any questions or concerns related to this issue, open a new Technical Support case in [Your Account | Support Center](https://www.telerik.com/account/support-center/contact-us/). Technical Support is available to Telerik customers with an active support plan.
- We would like to thank Markus Wulftange with CODE WHITE GmbH for their responsible disclosure and cooperation.

## External References

[CVE-2024-8048](https://www.cve.org/CVERecord?id=CVE-2024-8048) (HIGH)

**CVSS:** 7.8

In Progress® Telerik® Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible using object injection via insecure expression evaluation.

Discoverer Credit: Markus Wulftange with CODE WHITE GmbH.
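The version check described in the Notes section, worked through as a small triage script. This is an added example, not Telerik's code and not part of the original advisory: the fixed build number 18.2.24.924 is taken from the table above, the inventory of version strings is constructed, and the `fetch_version` helper assumes (an assumption, not documented here) that the `/api/reports/version` endpoint returns the version number as plain text or as a JSON-quoted string. Only the constructed inventory is used when the script is run; no endpoint is contacted unless you call `fetch_version` yourself.

```python
"""Classify Telerik Reporting version strings against the CVE-2024-8048 fix.

Added example, not Telerik's code. FIXED_VERSION comes from the advisory;
the REST endpoint response format in fetch_version() is an assumption.
"""
import json
import re
import urllib.request

# First build that contains the fix, per the advisory table.
FIXED_VERSION = "18.2.24.924"


def parse_version(text: str) -> tuple:
    """Extract a dotted numeric version (e.g. "18.2.24.806") from arbitrary
    text and return it as a tuple of ints so versions compare numerically
    rather than lexically ("18.2.24.1000" must sort above "18.2.24.924")."""
    m = re.search(r"\d+(?:\.\d+){1,3}", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_affected(version: str) -> bool:
    """True when the given version is older than the fixed build.
    Shorter tuples are zero-padded so "18.2" compares as "18.2.0.0"."""
    v = parse_version(version)
    f = parse_version(FIXED_VERSION)
    width = max(len(v), len(f))
    v += (0,) * (width - len(v))
    f += (0,) * (width - len(f))
    return v < f


def fetch_version(base_url: str, timeout: float = 10.0) -> str:
    """Query the Reporting REST service's version endpoint named in the Notes
    and return the raw version string. The response format is an assumption:
    adjust the decoding if your deployment answers differently."""
    url = base_url.rstrip("/") + "/api/reports/version"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8")
    try:
        parsed = json.loads(body)  # JSON-quoted string such as "18.2.24.806"
        if isinstance(parsed, str):
            return parsed
    except json.JSONDecodeError:
        pass
    return body.strip()  # plain-text body


def triage(inventory: dict) -> dict:
    """Map each install name to 'affected' or 'fixed' for a dict of
    name -> version string, e.g. gathered from several workstations."""
    return {
        name: ("affected" if is_affected(ver) else "fixed")
        for name, ver in inventory.items()
    }


if __name__ == "__main__":
    # Constructed inventory of version strings; nothing here is live data.
    inventory = {
        "designer-workstation-1": "18.2.24.806",
        "designer-workstation-2": "18.2.24.924",
        "legacy-build-server": "17.1.23.315",
    }
    for name, status in triage(inventory).items():
        print(f"{name}: {status}")
```

Because the affected component is the desktop Report Designer, the inventory you feed `triage` should come from the installed-apps check on each workstation; `fetch_version` only tells you which release a REST service deployment runs.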