CVE-2024-7295 – Hard-coded credentials used for temporary and cache data encryption
https://notcve.org/view.php?id=CVE-2024-7295
In Progress® Telerik® Report Server versions prior to 2024 Q4 (10.3.24.1112), the encryption of local asset data used an older algorithm which may allow a sophisticated actor to decrypt this information. • https://docs.telerik.com/report-server/knowledge-base/encryption-weakness-cve-2024-7295 • CWE-798: Use of Hard-coded Credentials •
CVE-2024-9999 – Multi-Factor Authentication Bypass in Progress WS_FTP Server
https://notcve.org/view.php?id=CVE-2024-9999
In WS_FTP Server versions before 8.8.9 (2022.0.9), an Incorrect Implementation of Authentication Algorithm in the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only. • https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-November-2024 https://www.progress.com/ftp-server • CWE-303: Incorrect Implementation of Authentication Algorithm •
CVE-2024-7763 – WhatsUp Gold getReport Missing Authentication Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2024-7763
In WhatsUp Gold versions released before 2024.0.0, an Authentication Bypass issue exists which allows an attacker to obtain encrypted user credentials. This vulnerability allows remote attackers to bypass authentication on affected installations of Progress Software WhatsUp Gold. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of getReport method. The issue results from the lack of authentication and authorization prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. • https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024 https://www.progress.com/network-monitoring • CWE-287: Improper Authentication •
CVE-2024-7294 – Uncontrolled resource consumption of anonymous endpoints
https://notcve.org/view.php?id=CVE-2024-7294
In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), an HTTP DoS attack is possible on anonymous endpoints without rate limiting. • https://docs.telerik.com/report-server/knowledge-base/uncontrolled-resource-consumption-cve-2024-7294 • CWE-400: Uncontrolled Resource Consumption •
CVE-2024-7293 – Password policy for new users is not strong enough
https://notcve.org/view.php?id=CVE-2024-7293
In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a password brute forcing attack is possible through weak password requirements. • https://docs.telerik.com/report-server/knowledge-base/weak-password-requirement-cve-2024-7293 • CWE-521: Weak Password Requirements •