{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6671", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "state": "PUBLISHED", "assignerShortName": "ProgressSoftware", "dateReserved": "2024-07-10T19:45:28.296Z", "datePublished": "2024-08-29T22:06:19.291Z", "dateUpdated": "2024-09-06T14:26:41.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "modules": ["API Endpoint"], "platforms": ["Windows"], "product": "WhatsUp Gold", "vendor": "Progress Software Corporation", "versions": [{"lessThan": "2024.0.0", "status": "affected", "version": "2023.1.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, <span style=\"background-color: var(--wht);\">a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.</span>\n\n<br>\n\n<br><br>"}], "value": "In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password."}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2024-08-29T22:06:19.291Z"}, "references": [{"tags": ["product"], "url": "https://www.progress.com/network-monitoring"}, {"tags": ["vendor-advisory"], "url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024"}], "source": {"discovery": "UNKNOWN"}, "title": "WhatsUp Gold GetStatisticalMonitorList SQL Injection Authentication Bypass Vulnerability", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "progress", "product": "whatsupgold", "cpes": ["cpe:2.3:a:progress:whatsupgold:*:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "2023.1.0", "status": "affected", "lessThan": "2024.0.0", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-06T03:55:11.410728Z", "id": "CVE-2024-6671", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-06T14:26:41.000Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-6671", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-06T03:55:11.410728Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:progress:whatsupgold:*:*:*:*:*:*:*:*"], "vendor": "progress", "product": "whatsupgold", "versions": [{"status": "affected", "version": "2023.1.0", "lessThan": "2024.0.0", "versionType": "semver"}], "defaultStatus": "affected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-30T13:46:19.585Z"}}], "cna": {"title": "WhatsUp Gold GetStatisticalMonitorList SQL Injection Authentication Bypass Vulnerability", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative"}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Progress Software Corporation", "modules": ["API Endpoint"], "product": "WhatsUp Gold", "versions": [{"status": "affected", "version": "2023.1.0", "lessThan": "2024.0.0", "versionType": "semver"}], "platforms": ["Windows"], "defaultStatus": "affected"}], "references": [{"url": "https://www.progress.com/network-monitoring", "tags": ["product"]}, {"url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.", "supportingMedia": [{"type": "text/html", "value": "In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, <span style=\"background-color: var(--wht);\">a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.</span>\n\n<br>\n\n<br><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2024-08-29T22:06:19.291Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6671", "state": "PUBLISHED", "dateUpdated": "2024-09-06T14:26:41.000Z", "dateReserved": "2024-07-10T19:45:28.296Z", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "datePublished": "2024-08-29T22:06:19.291Z", "assignerShortName": "ProgressSoftware"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:progress:whatsup_gold:*:*:*:*:*:*:*:*", "matchCriteriaId": "3459EC7F-4718-4AFE-809C-AFCB6B660869", "versionEndExcluding": "24.0", "versionStartIncluding": "23.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password."}, {"lang": "es", "value": "En las versiones de WhatsUp Gold lanzadas antes de 2024.0.0, si la aplicaci\u00f3n est\u00e1 configurada con un solo usuario, una vulnerabilidad de inyecci\u00f3n SQL permite que un atacante no autenticado recupere la contrase\u00f1a cifrada del usuario."}], "id": "CVE-2024-6671", "lastModified": "2024-09-04T15:53:07.733", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@progress.com", "type": "Secondary"}]}, "published": "2024-08-29T22:15:05.767", "references": [{"source": "security@progress.com", "tags": ["Vendor Advisory"], "url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024"}, {"source": "security@progress.com", "tags": ["Product"], "url": "https://www.progress.com/network-monitoring"}], "sourceIdentifier": "security@progress.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@progress.com", "type": "Secondary"}]}

{}