CVE-2024-7295 – Hard-coded credentials used for temporary and cache data encryption
https://notcve.org/view.php?id=CVE-2024-7295
In Progress® Telerik® Report Server versions prior to 2024 Q4 (10.3.24.1112), the encryption of local asset data used an older algorithm which may allow a sophisticated actor to decrypt this information.
References: https://docs.telerik.com/report-server/knowledge-base/encryption-weakness-cve-2024-7295
CWE-798: Use of Hard-coded Credentials
CVE-2024-9999 – Multi-Factor Authentication Bypass in Progress WS_FTP Server
https://notcve.org/view.php?id=CVE-2024-9999
In WS_FTP Server versions before 8.8.9 (2022.0.9), an Incorrect Implementation of Authentication Algorithm in the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only.
References: https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-November-2024 ; https://www.progress.com/ftp-server
CWE-303: Incorrect Implementation of Authentication Algorithm
CVE-2024-7763 – WhatsUp Gold getReport Missing Authentication Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2024-7763
In WhatsUp Gold versions released before 2024.0.0, an Authentication Bypass issue exists which allows an attacker to obtain encrypted user credentials. This vulnerability allows remote attackers to bypass authentication on affected installations of Progress Software WhatsUp Gold. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the getReport method. The issue results from the lack of authentication and authorization prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise.
References: https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024 ; https://www.progress.com/network-monitoring
CWE-287: Improper Authentication
CVE-2024-8015 – Telerik Report Server Insecure Type Resolution
https://notcve.org/view.php?id=CVE-2024-8015
In Progress Telerik Report Server versions prior to 2024 Q3 (10.2.24.924), a remote code execution attack is possible through object injection via an insecure type resolution vulnerability.
References: https://docs.telerik.com/report-server/knowledge-base/insecure-type-resolution-cve-2024-8015
CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
CVE-2024-7294 – Uncontrolled resource consumption of anonymous endpoints
https://notcve.org/view.php?id=CVE-2024-7294
In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), an HTTP DoS attack is possible on anonymous endpoints without rate limiting.
References: https://docs.telerik.com/report-server/knowledge-base/uncontrolled-resource-consumption-cve-2024-7294
CWE-400: Uncontrolled Resource Consumption