Cyber Posture

CVE-2024-12251

Severity: High

Published: 12 February 2025
Modified: 28 March 2025
KEV Added: (no date listed)
Patch: available (see advisory below)
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (32.6th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

In Progress® Telerik® UI for WinUI versions prior to 2025 Q1 (3.0.0), a command injection attack is possible through improper neutralization of hyperlink elements.

Security Summary

CVE-2024-12251 is a command injection vulnerability (CWE-77) in Progress Telerik UI for WinUI versions prior to 2025 Q1 (3.0.0), caused by improper neutralization of hyperlink elements. Published on 2025-02-12, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on affected systems.

A local attacker with no privileges can exploit this vulnerability by tricking a user into interacting with a malicious hyperlink, such as clicking it in a UI context. Successful exploitation results in command injection, giving the attacker high confidentiality, integrity, and availability impact on the targeted system.

The Telerik security advisory at https://docs.telerik.com/devtools/winui/security/kb-security-command-injection-cve-2024-12251 provides mitigation details; the fix is available in version 2025 Q1 (3.0.0) and later. Security practitioners should upgrade affected installations to 2025 Q1 (3.0.0) or later.

Details

CWE(s): CWE-77 (Improper Neutralization of Special Elements used in a Command, "Command Injection")

Affected Products

Vendor: Telerik (Progress)
Product: UI for WinUI
Versions: 2.0.0 up to (but not including) 3.0.0

References