From 77015a3c504f9cfe6a4dde96e006115a3321d7ba Mon Sep 17 00:00:00 2001 From: Dinko Krastev Date: Wed, 25 Sep 2024 13:04:45 +0300 Subject: [PATCH] KB: Command Injection Cve --- .../command-injection-cve-2024-7679.md | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 knowledge-base/command-injection-cve-2024-7679.md diff --git a/knowledge-base/command-injection-cve-2024-7679.md b/knowledge-base/command-injection-cve-2024-7679.md new file mode 100644 index 000000000..5cfd729c2 --- /dev/null +++ b/knowledge-base/command-injection-cve-2024-7679.md 
@@ -0,0 +1,46 @@ +--- +title: Command Injection Vulnerability +description: "How to mitigate CVE-2024-7679, a command injection vulnerability when using hyperlinks." +slug: command-injection-vulnerability-cve-2024-7679 +res_type: kb +--- + +## Description + +Product Alert – September 2024 - [CVE-2024-7679](https://www.cve.org/CVERecord?id=CVE-2024-7679) + +- Telerik UI for WinForms 2024 Q3 (2024.3.806) or earlier. + +## Issue + +CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') + +### What Are the Impacts + +In Progress Telerik UI for WinForms versions prior to 2024 Q3 (2024.3.924), a command injection attack is possible through improper neutralization of hyperlink elements. + +## Solution + +We have addressed the issue and the Progress Telerik team recommends performing an upgrade to the version listed in the table below. + +| Current Version | Guidance | +|-----------------|----------| +| 2024 Q3 (2024.3.806) or earlier | Update to 2024 Q3 (2024.3.924) ([update instructions](({%slug how-to-upgrade-a-project%}))) | + +All customers who have a Telerik UI for WinForms license can access the downloads here [Product Downloads | Your Account](https://www.telerik.com/account/downloads/product-download?product=RCWPF). + +## Notes + +- If a RichTextBox, PdfViewer, or Spreadsheet is not used in the project, the application is not affected by this issue. +- To check your version of Telerik UI for WinForms + - Via source code: Inspect the Version property of any of the Telerik.WinControls.* assembly references in the project. + - Via deployed application: Locate any Telerik.WinControls.* DLL file in the application's directory and view the Properties > Details > Version. +- If you have any questions or concerns related to this issue, open a new Technical Support case in [Your Account | Support Center](https://www.telerik.com/account/support-center/contact-us/). 
Technical Support is available to Telerik customers with an active support plan. + +## External References + +[CVE-2024-7679](https://www.cve.org/CVERecord?id=CVE-2024-7679) (HIGH) + +**CVSS:** 7.8 + +In Progress Telerik UI for WinForms versions prior to 2024 Q3 (2024.3.924), a command injection attack is possible through improper neutralization of hyperlink elements. \ No newline at end of file
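Review bot: the update-instructions link in the Solution table has doubled parentheses, `([update instructions](({%slug how-to-upgrade-a-project%})))`, so Markdown will render literal `(` and `)` around the slug instead of a working link; change it to `([update instructions]({%slug how-to-upgrade-a-project%}))`. Two smaller points in the same hunk: the Product Downloads URL carries `product=RCWPF`, which reads as a WPF product code in an article about Telerik UI for WinForms, so please confirm it points at the WinForms download page; and the file ends without a trailing newline (`\ No newline at end of file`), which the other knowledge-base articles presumably have and which keeps future diffs clean.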