CVE-2024-7654

{"id": "CVE-2024-7654", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security@progress.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.6}]}, "published": "2024-09-03T15:15:17.223", "references": [{"url": "https://community.progress.com/s/article/Unauthenticated-Content-Injection-in-OpenEdge-Management-web-interface-via-ActiveMQ-discovery-service", "tags": ["Mitigation", "Vendor Advisory"], "source": "security@progress.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Secondary", "source": "security@progress.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated.\u00a0 Unauthorized access to the discovery service's UDP port allowed content injection into parts of the OEM web interface making it possible for other types of attack that could spoof or deceive web interface users.\u00a0\u00a0 Unauthorized use of the OEE/OEM discovery service was remediated by deactivating the discovery service by default."}, {"lang": "es", "value": "Se pod\u00eda acceder a un servicio ActiveMQ Discovery de forma predeterminada desde una instalaci\u00f3n de OpenEdge Management cuando se activaba una funci\u00f3n de descubrimiento autom\u00e1tico de OEE/OEM. El acceso no autorizado al puerto UDP del servicio de descubrimiento permiti\u00f3 la inyecci\u00f3n de contenido en partes de la interfaz web de OEM, lo que posibilit\u00f3 otros tipos de ataques que podr\u00edan suplantar o enga\u00f1ar a los usuarios de la interfaz web. El uso no autorizado del servicio de descubrimiento de OEE/OEM se solucion\u00f3 desactivando el servicio de descubrimiento de forma predeterminada."}], "lastModified": "2024-09-05T13:53:16.540", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:progress:openedge:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "148C3BEA-FD57-492F-9214-38FF9C128B67", "versionEndIncluding": "11.7.19"}, {"criteria": "cpe:2.3:a:progress:openedge:*:*:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "21FD77B2-FC6C-4C65-8080-3884F2C10048", "versionEndIncluding": "12.2.14", "versionStartIncluding": "12.2"}, {"criteria": "cpe:2.3:a:progress:openedge:*:*:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "A8DFC42C-6EBE-4770-B59C-B2C3B294FD8C", "versionEndExcluding": "12.8.3", "versionStartIncluding": "12.8"}], "operator": "OR"}]}], "sourceIdentifier": "security@progress.com"}