CVE-2023-6366

In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft a XSS payload and store that value within Alert Center. If a WhatsUp Gold user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victims browser.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-December-2023	Vendor Advisory
https://www.progress.com/network-monitoring	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:progress:whatsup_gold:*:*:*:*:*:*:*:*

History

19 Dec 2023, 17:30

Type	Values Removed	Values Added
CPE		cpe:2.3:a:progress:whatsup_gold::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4
References	~~() https://www.progress.com/network-monitoring -~~	() https://www.progress.com/network-monitoring - Product
References	~~() https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-December-2023 -~~	() https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-December-2023 - Vendor Advisory
CWE		CWE-79

14 Dec 2023, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-14 16:15

Updated : 2024-02-05 00:22

NVD link : CVE-2023-6366

Mitre link : CVE-2023-6366

CVE.ORG link : CVE-2023-6366

JSON object : View

Products Affected

progress

whatsup_gold

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2023-6366", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}, {"type": "Secondary", "source": "security@progress.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.0}]}, "published": "2023-12-14T16:15:53.383", "references": [{"url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-December-2023", "tags": ["Vendor Advisory"], "source": "security@progress.com"}, {"url": "https://www.progress.com/network-monitoring", "tags": ["Product"], "source": "security@progress.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Secondary", "source": "security@progress.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "\nIn WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft a XSS payload and store that value within Alert Center. \u00a0\n\nIf a WhatsUp Gold user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victims browser.\n\n"}, {"lang": "es", "value": "En las versiones de WhatsUp Gold lanzadas antes de la 2023.1, se identific\u00f3 una vulnerabilidad de Cross-Site Scripting (XSS) almacenadas. Es posible que un atacante cree un payload XSS y almacene ese valor en el Centro de Alertas. Si un usuario de WhatsUp Gold interact\u00faa con el payload manipulado, el atacante podr\u00eda ejecutar JavaScript malicioso dentro del contexto del navegador de la v\u00edctima."}], "lastModified": "2023-12-19T17:30:45.493", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:progress:whatsup_gold:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5D27D3E3-A9E8-493A-8D4A-51ED537ABC7D", "versionEndExcluding": "23.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@progress.com"}