CVE-2024-3892 - Vulnerability Details - OpenCVE

A local code execution vulnerability is possible in Telerik UI for WinForms beginning in v2021.1.122 but prior to v2024.2.514. This vulnerability could allow an untrusted theme assembly to execute arbitrary code on the local Windows system.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Progress	Telerik Ui For Winforms

Configuration 1 [-]

cpe:2.3:a:progress:telerik_ui_for_winforms:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://docs.telerik.com/devtools/winforms/knowledge-base/local-code-execution-vulnerability-cve-2024-3892

History

Thu, 03 Jul 2025 18:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Progress Progress telerik Ui For Winforms
CPEs	cpe:2.3:a:telerik:ui_for_winforms::::::::	cpe:2.3:a:progress:telerik_ui_for_winforms::::::::
Vendors & Products	Telerik Telerik ui For Winforms	Progress Progress telerik Ui For Winforms

Tue, 28 Jan 2025 17:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Telerik Telerik ui For Winforms
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:telerik:ui_for_winforms::::::::
Vendors & Products		Telerik Telerik ui For Winforms

MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published: 2024-05-15T16:43:36.426Z

Updated: 2024-08-01T20:26:57.172Z

Reserved: 2024-04-16T17:34:16.147Z

Link: CVE-2024-3892

Vulnrichment

Updated: 2024-08-01T20:26:57.172Z

NVD

Status : Analyzed

Published: 2024-05-15T17:15:14.470

Modified: 2025-07-03T18:30:06.820

Link: CVE-2024-3892

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-3892", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "state": "PUBLISHED", "assignerShortName": "ProgressSoftware", "dateReserved": "2024-04-16T17:34:16.147Z", "datePublished": "2024-05-15T16:43:36.426Z", "dateUpdated": "2024-08-01T20:26:57.172Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows"], "product": "Telerik UI for WinForms", "vendor": "Progress Software Corporation", "versions": [{"lessThan": "v2024.2.514", "status": "affected", "version": "v2021.1.122", "versionType": "semver"}]}], "datePublic": "2024-05-15T14:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A local code execution vulnerability is possible in Telerik UI for WinForms beginning in v2021.1.122 but prior to v2024.2.514. This vulnerability could allow an untrusted theme assembly to execute arbitrary code on the local Windows system."}], "value": "A local code execution vulnerability is possible in Telerik UI for WinForms beginning in v2021.1.122 but prior to v2024.2.514. This vulnerability could allow an untrusted theme assembly to execute arbitrary code on the local Windows system."}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242: Code Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "CWE-94 : Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2024-05-15T16:43:36.426Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://docs.telerik.com/devtools/winforms/knowledge-base/local-code-execution-vulnerability-cve-2024-3892"}], "source": {"discovery": "INTERNAL"}, "title": "Local code execution vulnerability in Telerik UI for WinForms", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3892", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-15T20:05:15.347511Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:progress:telerik_ui:2021.1.122:*:*:*:*:*:*:*"], "vendor": "progress", "product": "telerik_ui", "versions": [{"status": "affected", "version": "2021.1.122", "lessThan": "2024.2.514", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:32:00.740Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:26:57.172Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://docs.telerik.com/devtools/winforms/knowledge-base/local-code-execution-vulnerability-cve-2024-3892"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://docs.telerik.com/devtools/winforms/knowledge-base/local-code-execution-vulnerability-cve-2024-3892", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:26:57.172Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3892", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-15T20:05:15.347511Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:progress:telerik_ui:2021.1.122:*:*:*:*:*:*:*"], "vendor": "progress", "product": "telerik_ui", "versions": [{"status": "affected", "version": "2021.1.122", "lessThan": "2024.2.514", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-15T20:10:07.980Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Local code execution vulnerability in Telerik UI for WinForms", "source": {"discovery": "INTERNAL"}, "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242: Code Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Progress Software Corporation", "product": "Telerik UI for WinForms", "versions": [{"status": "affected", "version": "v2021.1.122", "lessThan": "v2024.2.514", "versionType": "semver"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}], "datePublic": "2024-05-15T14:00:00.000Z", "references": [{"url": "https://docs.telerik.com/devtools/winforms/knowledge-base/local-code-execution-vulnerability-cve-2024-3892", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A local code execution vulnerability is possible in Telerik UI for WinForms beginning in v2021.1.122 but prior to v2024.2.514. This vulnerability could allow an untrusted theme assembly to execute arbitrary code on the local Windows system.", "supportingMedia": [{"type": "text/html", "value": "A local code execution vulnerability is possible in Telerik UI for WinForms beginning in v2021.1.122 but prior to v2024.2.514. This vulnerability could allow an untrusted theme assembly to execute arbitrary code on the local Windows system.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 : Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2024-05-15T16:43:36.426Z"}}}, "cveMetadata": {"cveId": "CVE-2024-3892", "state": "PUBLISHED", "dateUpdated": "2024-08-01T20:26:57.172Z", "dateReserved": "2024-04-16T17:34:16.147Z", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "datePublished": "2024-05-15T16:43:36.426Z", "assignerShortName": "ProgressSoftware"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:progress:telerik_ui_for_winforms:*:*:*:*:*:*:*:*", "matchCriteriaId": "06332468-FDC3-43D0-8CC7-9557304B011A", "versionEndExcluding": "2024.2.514", "versionStartIncluding": "2021.1.122", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A local code execution vulnerability is possible in Telerik UI for WinForms beginning in v2021.1.122 but prior to v2024.2.514. This vulnerability could allow an untrusted theme assembly to execute arbitrary code on the local Windows system."}, {"lang": "es", "value": "Es posible una vulnerabilidad de ejecuci\u00f3n de c\u00f3digo local en la interfaz de usuario de Telerik para WinForms a partir de v2021.1.122 pero antes de v2024.2.514. Esta vulnerabilidad podr\u00eda permitir que un ensamblado de temas que no sea de confianza ejecute c\u00f3digo arbitrario en el sistema Windows local."}], "id": "CVE-2024-3892", "lastModified": "2025-07-03T18:30:06.820", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.6, "impactScore": 6.0, "source": "security@progress.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-05-15T17:15:14.470", "references": [{"source": "security@progress.com", "tags": ["Vendor Advisory"], "url": "https://docs.telerik.com/devtools/winforms/knowledge-base/local-code-execution-vulnerability-cve-2024-3892"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://docs.telerik.com/devtools/winforms/knowledge-base/local-code-execution-vulnerability-cve-2024-3892"}], "sourceIdentifier": "security@progress.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@progress.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}