Filtered by vendor Progress
Subscribe
Total
143 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-6595 | 1 Progress | 1 Whatsup Gold | 2024-10-16 | N/A | 5.3 MEDIUM |
| In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate ancillary credential information stored within WhatsUp Gold. | |||||
| CVE-2023-6368 | 1 Progress | 1 Whatsup Gold | 2024-10-16 | N/A | 5.3 MEDIUM |
| In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate information related to a registered device being monitored by WhatsUp Gold. | |||||
| CVE-2024-8048 | 1 Progress | 1 Telerik Reporting | 2024-10-15 | N/A | 7.8 HIGH |
| In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible using object injection via insecure expression evaluation. | |||||
| CVE-2024-8015 | 1 Progress | 1 Telerik Report Server | 2024-10-15 | N/A | 7.2 HIGH |
| In Progress Telerik Report Server versions prior to 2024 Q3 (10.2.24.924), a remote code execution attack is possible through object injection via an insecure type resolution vulnerability. | |||||
| CVE-2024-8014 | 1 Progress | 1 Telerik Reporting | 2024-10-15 | N/A | 8.8 HIGH |
| In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible through object injection via an insecure type resolution vulnerability. | |||||
| CVE-2024-7840 | 1 Progress | 1 Telerik Reporting | 2024-10-15 | N/A | 7.8 HIGH |
| In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a command injection attack is possible through improper neutralization of hyperlink elements. | |||||
| CVE-2024-7294 | 1 Progress | 1 Telerik Reporting | 2024-10-15 | N/A | 6.5 MEDIUM |
| In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), an HTTP DoS attack is possible on anonymous endpoints without rate limiting. | |||||
| CVE-2024-7293 | 1 Progress | 1 Telerik Reporting | 2024-10-15 | N/A | 8.8 HIGH |
| In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a password brute forcing attack is possible through weak password requirements. | |||||
| CVE-2024-7292 | 1 Progress | 1 Telerik Report Server | 2024-10-15 | N/A | 8.8 HIGH |
| In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a credential stuffing attack is possible through improper restriction of excessive login attempts. | |||||
| CVE-2024-6670 | 1 Progress | 1 Whatsup Gold | 2024-09-17 | N/A | 9.8 CRITICAL |
| In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password. | |||||
| CVE-2024-4883 | 1 Progress | 1 Whatsup Gold | 2024-09-06 | N/A | 9.8 CRITICAL |
| In WhatsUp Gold versions released before 2023.1.3, a Remote Code Execution issue exists in Progress WhatsUp Gold. This vulnerability allows an unauthenticated attacker to achieve the RCE as a service account through NmApi.exe. | |||||
| CVE-2024-4884 | 1 Progress | 1 Whatsup Gold | 2024-09-06 | N/A | 9.8 CRITICAL |
| In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability in Progress WhatsUpGold. The Apm.UI.Areas.APM.Controllers.CommunityController allows execution of commands with iisapppool\nmconsole privileges. | |||||
| CVE-2024-4885 | 1 Progress | 1 Whatsup Gold | 2024-09-06 | N/A | 9.8 CRITICAL |
| In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability in Progress WhatsUpGold. The WhatsUp.ExportUtilities.Export.GetFileWithoutZip allows execution of commands with iisapppool\nmconsole privileges. | |||||
| CVE-2024-5008 | 1 Progress | 1 Whatsup Gold | 2024-09-06 | N/A | 8.8 HIGH |
| In WhatsUp Gold versions released before 2023.1.3, an authenticated user with certain permissions can upload an arbitrary file and obtain RCE using Apm.UI.Areas.APM.Controllers.Api.Applications.AppProfileImportController. | |||||
| CVE-2024-5009 | 1 Progress | 1 Whatsup Gold | 2024-09-06 | N/A | 8.4 HIGH |
| In WhatsUp Gold versions released before 2023.1.3, an Improper Access Control vulnerability in Wug.UI.Controllers.InstallController.SetAdminPassword allows local attackers to modify admin's password. | |||||
| CVE-2024-5010 | 1 Progress | 1 Whatsup Gold | 2024-09-06 | N/A | 7.5 HIGH |
| In WhatsUp Gold versions released before 2023.1.3, a vulnerability exists in the TestController functionality. A specially crafted unauthenticated HTTP request can lead to a disclosure of sensitive information. | |||||
| CVE-2024-5011 | 1 Progress | 1 Whatsup Gold | 2024-09-06 | N/A | 7.5 HIGH |
| In WhatsUp Gold versions released before 2023.1.3, an uncontrolled resource consumption vulnerability exists. A specially crafted unauthenticated HTTP request to the TestController Chart functionality can lead to denial of service. | |||||
| CVE-2024-7345 | 1 Progress | 1 Openedge | 2024-09-05 | N/A | 9.6 CRITICAL |
| Local ABL Client bypass of the required PASOE security checks may allow an attacker to commit unauthorized code injection into Multi-Session Agents on supported OpenEdge LTS platforms up to OpenEdge LTS 11.7.18 and LTS 12.2.13 on all supported release platforms | |||||
| CVE-2024-7346 | 1 Progress | 1 Openedge | 2024-09-05 | N/A | 4.8 MEDIUM |
| Host name validation for TLS certificates is bypassed when the installed OpenEdge default certificates are used to perform the TLS handshake for a networked connection. This has been corrected so that default certificates are no longer capable of overriding host name validation and will need to be replaced where full TLS certificate validation is needed for network security. The existing certificates should be replaced with CA-signed certificates from a recognized certificate authority that contain the necessary information to support host name validation. | |||||
| CVE-2024-7654 | 1 Progress | 1 Openedge | 2024-09-05 | N/A | 6.1 MEDIUM |
| An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated. Unauthorized access to the discovery service's UDP port allowed content injection into parts of the OEM web interface making it possible for other types of attack that could spoof or deceive web interface users. Unauthorized use of the OEE/OEM discovery service was remediated by deactivating the discovery service by default. | |||||