Merge pull request #648 from telerik/dkrastev/m-Add_KB-vulnerability

nade7o · web-flow · commit eadfd45509a2 · 2024-11-13T14:05:20.000+02:00
Dkrastev/m add kb vulnerability
diff --git a/controls/editors/timeonlypicker/properties-and-events.md b/controls/editors/timeonlypicker/properties-and-events.md
@@ -35,7 +35,6 @@ position: 4
 |__MinValue__|Get or set the minimal time value assigned to the control.|
 |__RowHeight__|Gets or sets the height of the rows in the hour/minutes tables in the drop down.|
 |__Culture__|Determines the language of the drop down and the editable area. From here you can control if the format is 12 ("en-US") or 24 hours ("en-UK").|
-|__CloseButtonText__|Gets or sets the text of the button in the drop down|
 |__TimeOnlyPickerElement__|Gives access the RadTimeOnlyPickerElement.|
  
 ## Events
diff --git a/knowledge-base/unsafe-deserialization-cve-2024-10013.md b/knowledge-base/unsafe-deserialization-cve-2024-10013.md
@@ -0,0 +1,47 @@
+---
+title: Unsafe Deserialization Vulnerability (10013)
+description: "How to mitigate CVE-2024-10013, an unsafe deserialization vulnerability."
+slug: unsafe-deserialization-vulnerability-cve-2024-10013
+tags: common, vulnerability
+res_type: kb
+---
+
+## Description
+
+Product Alert – November 2024 - [CVE-2024-10013](https://www.cve.org/CVERecord?id=CVE-2024-10013)
+
+- Telerik UI for WinForms 2024 Q3 (2024.3.924) or earlier.
+
+## Issue
+
+CWE-502: Deserialization of Untrusted Data
+
+### What Are the Impacts
+
+In Progress® Telerik® UI for WinForms versions prior to 2024 Q4 (2024.4.1113), a code execution attack is possible through an insecure deserialization vulnerability when loading external document styles for RichTextBox.
+
+## Solution
+
+We have addressed the issue and the Progress Telerik team strongly recommends performing an upgrade to the latest version listed in the table below.
+
+| Current Version | Guidance |
+|-----------------|----------|
+| 2024 Q3 (2024.3.924) or earlier | Update to 2024 Q4 (2024.4.1113) ([update instructions](({%slug how-to-upgrade-a-project%}))) |
+
+All customers who have a Telerik UI for WinForms license can access the downloads here [Product Downloads | Your Account](https://www.telerik.com/account/downloads/product-download?product=RCWF).
+
+## Notes
+
+- If a project is not using the RichTextBox, the application is not affected by this vulnerability.
+- To check your version of Telerik UI for WinForms
+  - Via source code: Inspect the Version property of any of the `Telerik.WinControls.*` assembly references in the project.
+  - Via deployed application: Locate any `Telerik.WinControls.*.dll` file in the application's directory, right-click, select Properties and view the Version in the Details tab.
+- If you have any questions or concerns related to this issue, open a new Technical Support case in [Your Account | Support Center](https://www.telerik.com/account/support-center/contact-us/). Technical Support is available to Telerik customers with an active support plan.
+
+## External References
+
+[CVE-2024-10013](https://www.cve.org/CVERecord?id=CVE-2024-10013) (HIGH)
+
+**CVSS:** 7.8
+
+In Progress® Telerik® UI for WinForms versions prior to 2024 Q4 (2024.4.1113), a code execution attack is possible through an insecure deserialization vulnerability.
