{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-7654", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "state": "PUBLISHED", "assignerShortName": "ProgressSoftware", "dateReserved": "2024-08-09T18:27:48.920Z", "datePublished": "2024-09-03T14:48:00.539Z", "dateUpdated": "2024-09-03T15:09:51.475Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["OpenEdge Explorer", "OpenEdge Management"], "platforms": ["Windows", "Linux", "x86", "64 bit", "32 bit"], "product": "OpenEdge", "vendor": "Progress", "versions": [{"lessThan": "11.7.19", "status": "affected", "version": "11.7.0", "versionType": "custom"}, {"lessThan": "12.2.15", "status": "affected", "version": "12.2.0", "versionType": "custom"}, {"lessThan": "12.8.2", "status": "affected", "version": "12.8.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated.&nbsp; Unauthorized access to the discovery service's UDP port allowed content injection into parts of the OEM web interface making it possible for other types of attack that could spoof or deceive web interface users.&nbsp;&nbsp; Unauthorized use of the OEE/OEM discovery service was remediated by deactivating the discovery service by default.&nbsp; <br>"}], "value": "An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated.\u00a0 Unauthorized access to the discovery service's UDP port allowed content injection into parts of the OEM web interface making it possible for other types of attack that could spoof or deceive web interface users.\u00a0\u00a0 Unauthorized use of the OEE/OEM discovery service was remediated by deactivating the discovery service by default."}], "impacts": [{"capecId": "CAPEC-18", "descriptions": [{"lang": "en", "value": "CAPEC-18: XSS Targeting Non-Script Elements"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2024-09-03T14:48:00.539Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://community.progress.com/s/article/Unauthenticated-Content-Injection-in-OpenEdge-Management-web-interface-via-ActiveMQ-discovery-service"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Use the 12.8.3 or above LTS release where the vulnerability does not exist\n\n<br>"}], "value": "Use the 12.8.3 or above LTS release where the vulnerability does not exist"}, {"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Use the 12.2 LTS release at the 12.2.15 Update level or above\n\n\n\n<br>"}], "value": "Use the 12.2 LTS release at the 12.2.15 Update level or above"}, {"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Use the 11.7 LTS release at the 11.7.20 Update level or above\n\n\n\n\n\n<br>"}], "value": "Use the 11.7 LTS release at the 11.7.20 Update level or above"}], "source": {"discovery": "UNKNOWN"}, "title": "Unauthenticated Content Injection in OpenEdge Management web interface via ActiveMQ discovery service", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "progress", "product": "openedge", "cpes": ["cpe:2.3:a:progress:openedge:*:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "11.7.0", "status": "affected", "lessThan": "11.7.19", "versionType": "custom"}, {"version": "12.2.0", "status": "affected", "lessThan": "12.2.15", "versionType": "custom"}, {"version": "12.8.0", "status": "affected", "lessThan": "12.8.2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-03T15:08:38.821486Z", "id": "CVE-2024-7654", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-03T15:09:51.475Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-7654", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-03T15:08:38.821486Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:progress:openedge:*:*:*:*:*:*:*:*"], "vendor": "progress", "product": "openedge", "versions": [{"status": "affected", "version": "11.7.0", "lessThan": "11.7.19", "versionType": "custom"}, {"status": "affected", "version": "12.2.0", "lessThan": "12.2.15", "versionType": "custom"}, {"status": "affected", "version": "12.8.0", "lessThan": "12.8.2", "versionType": "custom"}], "defaultStatus": "affected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-03T15:09:45.035Z"}}], "cna": {"title": "Unauthenticated Content Injection in OpenEdge Management web interface via ActiveMQ discovery service", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-18", "descriptions": [{"lang": "en", "value": "CAPEC-18: XSS Targeting Non-Script Elements"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Progress", "modules": ["OpenEdge Explorer", "OpenEdge Management"], "product": "OpenEdge", "versions": [{"status": "affected", "version": "11.7.0", "lessThan": "11.7.19", "versionType": "custom"}, {"status": "affected", "version": "12.2.0", "lessThan": "12.2.15", "versionType": "custom"}, {"status": "affected", "version": "12.8.0", "lessThan": "12.8.2", "versionType": "custom"}], "platforms": ["Windows", "Linux", "x86", "64 bit", "32 bit"], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Use the 12.8.3 or above LTS release where the vulnerability does not exist", "supportingMedia": [{"type": "text/html", "value": "Use the 12.8.3 or above LTS release where the vulnerability does not exist\n\n<br>", "base64": false}]}, {"lang": "en", "value": "Use the 12.2 LTS release at the 12.2.15 Update level or above", "supportingMedia": [{"type": "text/html", "value": "Use the 12.2 LTS release at the 12.2.15 Update level or above\n\n\n\n<br>", "base64": false}]}, {"lang": "en", "value": "Use the 11.7 LTS release at the 11.7.20 Update level or above", "supportingMedia": [{"type": "text/html", "value": "Use the 11.7 LTS release at the 11.7.20 Update level or above\n\n\n\n\n\n<br>", "base64": false}]}], "references": [{"url": "https://community.progress.com/s/article/Unauthenticated-Content-Injection-in-OpenEdge-Management-web-interface-via-ActiveMQ-discovery-service", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated.\u00a0 Unauthorized access to the discovery service's UDP port allowed content injection into parts of the OEM web interface making it possible for other types of attack that could spoof or deceive web interface users.\u00a0\u00a0 Unauthorized use of the OEE/OEM discovery service was remediated by deactivating the discovery service by default.", "supportingMedia": [{"type": "text/html", "value": "An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated.&nbsp; Unauthorized access to the discovery service's UDP port allowed content injection into parts of the OEM web interface making it possible for other types of attack that could spoof or deceive web interface users.&nbsp;&nbsp; Unauthorized use of the OEE/OEM discovery service was remediated by deactivating the discovery service by default.&nbsp; <br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2024-09-03T14:48:00.539Z"}}}, "cveMetadata": {"cveId": "CVE-2024-7654", "state": "PUBLISHED", "dateUpdated": "2024-09-03T15:09:51.475Z", "dateReserved": "2024-08-09T18:27:48.920Z", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "datePublished": "2024-09-03T14:48:00.539Z", "assignerShortName": "ProgressSoftware"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:progress:openedge:*:*:*:*:*:*:*:*", "matchCriteriaId": "148C3BEA-FD57-492F-9214-38FF9C128B67", "versionEndIncluding": "11.7.19", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:openedge:*:*:*:*:lts:*:*:*", "matchCriteriaId": "21FD77B2-FC6C-4C65-8080-3884F2C10048", "versionEndIncluding": "12.2.14", "versionStartIncluding": "12.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:openedge:*:*:*:*:lts:*:*:*", "matchCriteriaId": "A8DFC42C-6EBE-4770-B59C-B2C3B294FD8C", "versionEndExcluding": "12.8.3", "versionStartIncluding": "12.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated.\u00a0 Unauthorized access to the discovery service's UDP port allowed content injection into parts of the OEM web interface making it possible for other types of attack that could spoof or deceive web interface users.\u00a0\u00a0 Unauthorized use of the OEE/OEM discovery service was remediated by deactivating the discovery service by default."}, {"lang": "es", "value": "Se pod\u00eda acceder a un servicio ActiveMQ Discovery de forma predeterminada desde una instalaci\u00f3n de OpenEdge Management cuando se activaba una funci\u00f3n de descubrimiento autom\u00e1tico de OEE/OEM. El acceso no autorizado al puerto UDP del servicio de descubrimiento permiti\u00f3 la inyecci\u00f3n de contenido en partes de la interfaz web de OEM, lo que posibilit\u00f3 otros tipos de ataques que podr\u00edan suplantar o enga\u00f1ar a los usuarios de la interfaz web. El uso no autorizado del servicio de descubrimiento de OEE/OEM se solucion\u00f3 desactivando el servicio de descubrimiento de forma predeterminada."}], "id": "CVE-2024-7654", "lastModified": "2024-09-05T13:53:16.540", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 6.0, "source": "security@progress.com", "type": "Secondary"}]}, "published": "2024-09-03T15:15:17.223", "references": [{"source": "security@progress.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://community.progress.com/s/article/Unauthenticated-Content-Injection-in-OpenEdge-Management-web-interface-via-ActiveMQ-discovery-service"}], "sourceIdentifier": "security@progress.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@progress.com", "type": "Secondary"}]}

{}