Page 10 of 169 results (0.003 seconds)

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

An information disclosure vulnerability exists in Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, allows low-privilege attacker to read systems file via XML External Entity Processing. Existe una vulnerabilidad de divulgación de información en Progress Telerik Report Server, versión 2024 Q1 (10.0.24.305) o anterior, que permite a un atacante con pocos privilegios leer archivos del sistema a través del procesamiento de entidades externas XML. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Progress Software Telerik Reporting. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the implementation of ValidateMetadaUri method. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. • https://docs.telerik.com/report-server/knowledge-base/xxe-vulnerability-cve-2024-4357 • CWE-611: Improper Restriction of XML External Entity Reference •

CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0

In Progress® Telerik® Reporting versions prior to 2024 Q2 (18.1.24.2.514), a code execution attack is possible by a local threat actor through an insecure deserialization vulnerability. En las versiones de Progress® Telerik® Reporting anteriores al segundo trimestre de 2024 (18.1.24.2.514), un actor de amenazas local puede realizar un ataque de ejecución de código a través de una vulnerabilidad de deserialización insegura. • https://docs.telerik.com/reporting/knowledge-base/deserialization-vulnerability-cve-2024-4200 • CWE-502: Deserialization of Untrusted Data •

CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0

In Progress® Telerik® Reporting versions prior to 2024 Q2 (18.1.24.514), a code execution attack is possible through an insecure instantiation vulnerability. En las versiones de Progress® Telerik® Reporting anteriores al segundo trimestre de 2024 (18.1.24.514), es posible un ataque de ejecución de código a través de una vulnerabilidad de instanciación insegura. • https://docs.telerik.com/reporting/knowledge-base/instantiation-vulnerability-cve-2024-4202 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0

A local code execution vulnerability is possible in Telerik UI for WinForms beginning in v2021.1.122 but prior to v2024.2.514. This vulnerability could allow an untrusted theme assembly to execute arbitrary code on the local Windows system. Es posible una vulnerabilidad de ejecución de código local en la interfaz de usuario de Telerik para WinForms a partir de v2021.1.122 pero antes de v2024.2.514. Esta vulnerabilidad podría permitir que un ensamblado de temas que no sea de confianza ejecute código arbitrario en el sistema Windows local. • https://docs.telerik.com/devtools/winforms/knowledge-base/local-code-execution-vulnerability-cve-2024-3892 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0

In WhatsUp Gold versions released before 2023.1.2 , an SSRF vulnerability exists in Whatsup Gold's Issue exists in the HTTP Monitoring functionality.  Due to the lack of proper authorization, any authenticated user can access the HTTP monitoring functionality, what leads to the Server Side Request Forgery. En las versiones de WhatsUp Gold lanzadas antes de 2023.1.2, existe una vulnerabilidad SSRF en Whatsup Gold. El problema existe en la funcionalidad de monitoreo HTTP. Debido a la falta de autorización adecuada, cualquier usuario autenticado puede acceder a la funcionalidad de monitoreo HTTP, lo que conduce a Server Side Request Forgery. • https://community.progress.com/s/article/Announcing-WhatsUp-Gold-v2023-1-2 https://www.progress.com/network-monitoring • CWE-918: Server-Side Request Forgery (SSRF) •