CVE-2024-11628

Medium

Published: 12 February 2025

Published

12 February 2025

Modified

27 June 2025

KEV Added

—

Patch

—

CVSS Score 4.1 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0007 20.7th percentile

Risk Priority 8 60% EPSS · 20% KEV · 20% CVSS

Description

In Progress® Telerik® Kendo UI for Vue versions v2.4.0 through v6.0.1, an attacker can introduce or modify properties within the global prototype chain which can result in denial of service or command injection.

Security Summary

CVE-2024-11628 is a prototype pollution vulnerability (CWE-1321) in Progress Telerik Kendo UI for Vue, affecting versions v2.4.0 through v6.0.1. The issue allows an attacker to introduce or modify properties within the global prototype chain, which can lead to denial of service or command injection. It received a CVSS v3.1 base score of 4.1 (AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L), indicating low overall severity with network accessibility but high complexity and privilege requirements.

Exploitation is possible by an attacker with high privileges over the network, requiring high attack complexity and no user interaction. Successful exploitation can achieve limited impacts, including low confidentiality, integrity, and availability effects, manifesting as denial of service or command injection through prototype chain manipulation.

Mitigation details are provided in the Telerik knowledge base article at https://www.telerik.com/kendo-vue-ui/components/knowledge-base/kb-security-protoype-pollution-2024-11628.

Details

CWE(s): CWE-1321

Affected Products

progress

kendo ui for vue

2.4.0 — 6.1.0

References

https://www.telerik.com/kendo-vue-ui/components/knowledge-base/kb-security-protoype-pollution-2024-11628
Vendor Advisory · security@progress.com