Filtered by vendor Progress
Subscriptions
Total
147 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2024-4883 | 1 Progress | 1 Whatsup Gold | 2024-09-06 | 9.8 Critical |
In WhatsUp Gold versions released before 2023.1.3, a Remote Code Execution issue exists in Progress WhatsUp Gold. This vulnerability allows an unauthenticated attacker to achieve the RCE as a service account through NmApi.exe. | ||||
CVE-2024-4884 | 1 Progress | 1 Whatsup Gold | 2024-09-06 | 9.8 Critical |
In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability in Progress WhatsUpGold. The Apm.UI.Areas.APM.Controllers.CommunityController allows execution of commands with iisapppool\nmconsole privileges. | ||||
CVE-2024-4885 | 1 Progress | 1 Whatsup Gold | 2024-09-06 | 9.8 Critical |
In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability in Progress WhatsUpGold. The WhatsUp.ExportUtilities.Export.GetFileWithoutZip allows execution of commands with iisapppool\nmconsole privileges. | ||||
CVE-2024-5008 | 1 Progress | 1 Whatsup Gold | 2024-09-06 | 8.8 High |
In WhatsUp Gold versions released before 2023.1.3, an authenticated user with certain permissions can upload an arbitrary file and obtain RCE using Apm.UI.Areas.APM.Controllers.Api.Applications.AppProfileImportController. | ||||
CVE-2024-5009 | 1 Progress | 1 Whatsup Gold | 2024-09-06 | 8.4 High |
In WhatsUp Gold versions released before 2023.1.3, an Improper Access Control vulnerability in Wug.UI.Controllers.InstallController.SetAdminPassword allows local attackers to modify admin's password. | ||||
CVE-2024-5010 | 2 Progress, Progress Software | 2 Whatsup Gold, Whatsup Gold | 2024-09-06 | 7.5 High |
In WhatsUp Gold versions released before 2023.1.3, a vulnerability exists in the TestController functionality. A specially crafted unauthenticated HTTP request can lead to a disclosure of sensitive information. | ||||
CVE-2024-5011 | 1 Progress | 1 Whatsup Gold | 2024-09-06 | 7.5 High |
In WhatsUp Gold versions released before 2023.1.3, an uncontrolled resource consumption vulnerability exists. A specially crafted unauthenticated HTTP request to the TestController Chart functionality can lead to denial of service. | ||||
CVE-2024-6670 | 1 Progress | 2 Whatsup Gold, Whatsupgold | 2024-09-06 | 9.8 Critical |
In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password. | ||||
CVE-2024-6671 | 1 Progress | 2 Whatsup Gold, Whatsupgold | 2024-09-06 | 9.8 Critical |
In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password. | ||||
CVE-2024-7345 | 1 Progress | 1 Openedge | 2024-09-05 | 8.3 High |
Local ABL Client bypass of the required PASOE security checks may allow an attacker to commit unauthorized code injection into Multi-Session Agents on supported OpenEdge LTS platforms up to OpenEdge LTS 11.7.18 and LTS 12.2.13 on all supported release platforms | ||||
CVE-2024-7346 | 1 Progress | 1 Openedge | 2024-09-05 | 7.2 High |
Host name validation for TLS certificates is bypassed when the installed OpenEdge default certificates are used to perform the TLS handshake for a networked connection. This has been corrected so that default certificates are no longer capable of overriding host name validation and will need to be replaced where full TLS certificate validation is needed for network security. The existing certificates should be replaced with CA-signed certificates from a recognized certificate authority that contain the necessary information to support host name validation. | ||||
CVE-2024-7654 | 1 Progress | 1 Openedge | 2024-09-05 | 8.3 High |
An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated. Unauthorized access to the discovery service's UDP port allowed content injection into parts of the OEM web interface making it possible for other types of attack that could spoof or deceive web interface users. Unauthorized use of the OEE/OEM discovery service was remediated by deactivating the discovery service by default. | ||||
CVE-2024-7745 | 1 Progress | 1 Ws Ftp Server | 2024-09-04 | 6.5 Medium |
In WS_FTP Server versions before 8.8.8 (2022.0.8), a Missing Critical Step in Multi-Factor Authentication of the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only. | ||||
CVE-2024-7744 | 1 Progress | 1 Ws Ftp Server | 2024-09-04 | 6.5 Medium |
In WS_FTP Server versions before 8.8.8 (2022.0.8), an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Web Transfer Module allows File Discovery, Probe System Files, User-Controlled Filename, Path Traversal. An authenticated file download flaw has been identified where a user can craft an API call that allows them to download a file from an arbitrary folder on the drive where that user host's root folder is located (by default this is C:) | ||||
CVE-2023-42659 | 1 Progress | 1 Ws Ftp Server | 2024-09-04 | 9.1 Critical |
In WS_FTP Server versions prior to 8.7.6 and 8.8.4, an unrestricted file upload flaw has been identified. An authenticated Ad Hoc Transfer user has the ability to craft an API call which allows them to upload a file to a specified location on the underlying operating system hosting the WS_FTP Server application. | ||||
CVE-2024-6672 | 1 Progress | 2 Whatsup Gold, Whatsupgold | 2024-09-04 | 8.8 High |
In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an authenticated low-privileged attacker to achieve privilege escalation by modifying a privileged user's password. | ||||
CVE-2023-40052 | 1 Progress | 2 Openedge, Openedge Innovation | 2024-08-29 | 7.5 High |
This issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0 . An attacker who can produce a malformed web request may cause the crash of a PASOE agent potentially disrupting the thread activities of many web application clients. Multiple of these DoS attacks could lead to the flooding of invalid requests as compared to the server’s remaining ability to process valid requests. | ||||
CVE-2015-6004 | 1 Progress | 1 Whatsup Gold | 2024-08-27 | N/A |
Multiple SQL injection vulnerabilities in IPSwitch WhatsUp Gold before 16.4 allow remote attackers to execute arbitrary SQL commands via (1) the UniqueID (aka sUniqueID) parameter to WrFreeFormText.asp in the Reports component or (2) the Find Device parameter. | ||||
CVE-2015-8261 | 1 Progress | 1 Whatsup Gold | 2024-08-27 | N/A |
The DroneDeleteOldMeasurements implementation in Ipswitch WhatsUp Gold before 16.4 does not properly validate serialized XML objects, which allows remote attackers to conduct SQL injection attacks via a crafted SOAP request. | ||||
CVE-2022-29847 | 1 Progress | 1 Whatsup Gold | 2024-08-27 | 7.5 High |
In Progress Ipswitch WhatsUp Gold 21.0.0 through 21.1.1, and 22.0.0, it is possible for an unauthenticated attacker to invoke an API transaction that would allow them to relay encrypted WhatsUp Gold user credentials to an arbitrary host. |