CVE-2024-11628

Medium

Published: 12 February 2025

Published

12 February 2025

Modified

27 June 2025

KEV Added

—

Patch

—

CVSS Score 4.1 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0007 20.8th percentile

Risk Priority 8 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-11628 is a medium-severity Prototype Pollution (CWE-1321) vulnerability in Progress Kendo Ui For Vue. Its CVSS base score is 4.1 (Medium).

Operationally, ranked at the 20.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates timely identification, reporting, and correction of software flaws like the prototype pollution in CVE-2024-11628 affecting Telerik Kendo UI for Vue.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Enables automated and periodic vulnerability scanning to identify deployments of vulnerable Telerik Kendo UI for Vue versions subject to CVE-2024-11628.

SI-10 Information Input Validation partial match

prevent

Mitigates prototype pollution attacks by requiring validation and sanitization of untrusted inputs that could introduce or modify global prototype chain properties.

NVD Description

In Progress® Telerik® Kendo UI for Vue versions v2.4.0 through v6.0.1, an attacker can introduce or modify properties within the global prototype chain which can result in denial of service or command injection.

Deeper analysisAI

CVE-2024-11628 is a prototype pollution vulnerability (CWE-1321) in Progress Telerik Kendo UI for Vue, affecting versions v2.4.0 through v6.0.1. The issue allows an attacker to introduce or modify properties within the global prototype chain, which can lead to denial of service or command injection. It received a CVSS v3.1 base score of 4.1 (AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L), indicating low overall severity with network accessibility but high complexity and privilege requirements.

Exploitation is possible by an attacker with high privileges over the network, requiring high attack complexity and no user interaction. Successful exploitation can achieve limited impacts, including low confidentiality, integrity, and availability effects, manifesting as denial of service or command injection through prototype chain manipulation.

Mitigation details are provided in the Telerik knowledge base article at https://www.telerik.com/kendo-vue-ui/components/knowledge-base/kb-security-protoype-pollution-2024-11628.

Details

CWE(s): CWE-1321

Affected Products

progress

kendo ui for vue

2.4.0 — 6.1.0

CVEs Like This One

CVE-2024-12629Same vendor: Progress

CVE-2024-56133Same vendor: Progress

CVE-2026-4670Same vendor: Progress

CVE-2025-11235Same vendor: Progress

CVE-2024-11627Same vendor: Progress

CVE-2025-13444Same vendor: Progress

CVE-2026-3518Same vendor: Progress

CVE-2024-56134Same vendor: Progress

CVE-2026-3517Same vendor: Progress

CVE-2025-0556Same vendor: Progress

References

https://www.telerik.com/kendo-vue-ui/components/knowledge-base/kb-security-protoype-pollution-2024-11628
Vendor Advisory · security@progress.com