CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2023-29376
https://notcve.org/view.php?id=CVE-2023-29376
10 Apr 2023 — An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930, and 14.3 before 14.3.8025. There is potential XSS by privileged users in Sitefinity to media libraries. • https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-April-2023 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-27665
https://notcve.org/view.php?id=CVE-2022-27665
03 Apr 2023 — Reflected XSS (via AngularJS sandbox escape expressions) exists in Progress Ipswitch WS_FTP Server 8.6.0. This can lead to execution of malicious code and commands on the client due to improper handling of user-provided input. By inputting malicious payloads in the subdirectory searchbar or Add folder filename boxes, it is possible to execute client-side commands. For example, there is Client-Side Template Injection via subFolderPath to the ThinClient/WtmApiService.asmx/GetFileSubTree URI. • https://github.com/dievus/CVE-2022-27665 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-24029
https://notcve.org/view.php?id=CVE-2023-24029
03 Feb 2023 — In Progress WS_FTP Server before 8.8, it is possible for a host administrator to elevate their privileges via the administrative interface due to insufficient authorization controls applied on user modification workflows. • https://community.progress.com/s/article/WS-FTP-Server-Critical-Security-Product-Alert-Bulletin-January-2023?popup=true • CWE-863: Incorrect Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-42711
https://notcve.org/view.php?id=CVE-2022-42711
12 Oct 2022 — In Progress WhatsUp Gold before 22.1.0, an SNMP MIB Walker application endpoint failed to adequately sanitize malicious input. This could allow an unauthenticated attacker to execute arbitrary code in a victim's browser. En Progress WhatsUp Gold versiones anteriores a 22.1.0, un endpoint de la aplicación SNMP MIB Walker no saneaba apropiadamente la entrada maliciosa. Esto podría permitir a un atacante no autenticado ejecutar código arbitrario en el navegador de la víctima • https://community.progress.com/s/article/Product-Alert-Bulletin-October-2022 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36968
https://notcve.org/view.php?id=CVE-2022-36968
02 Aug 2022 — In Progress WS_FTP Server prior to version 8.7.3, forms within the administrative interface did not include a nonce to mitigate the risk of cross-site request forgery (CSRF) attacks. En el servidor WS_FTP de Progress versiones anteriores a 8.7.3, los formularios de la interfaz administrativa no incluían un nonce para mitigar el riesgo de ataques de tipo cross-site request forgery (CSRF) • https://community.progress.com/s/article/WS-FTP-Server-Critical-Security-Product-Alert-Bulletin-June-2022 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36967
https://notcve.org/view.php?id=CVE-2022-36967
02 Aug 2022 — In Progress WS_FTP Server prior to version 8.7.3, multiple reflected cross-site scripting (XSS) vulnerabilities exist in the administrative web interface. It is possible for a remote attacker to inject arbitrary JavaScript into a WS_FTP administrator's web session. This would allow the attacker to execute code within the context of the victim's browser. En el servidor WS_FTP de Progress versiones anteriores a 8.7.3, se presentan múltiples vulnerabilidades de tipo cross-site scripting (XSS) reflejado en la i... • https://community.progress.com/s/article/WS-FTP-Server-Critical-Security-Product-Alert-Bulletin-June-2022 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-29849
https://notcve.org/view.php?id=CVE-2022-29849
01 May 2022 — In Progress OpenEdge before 11.7.14 and 12.x before 12.2.9, certain SUID binaries within the OpenEdge application were susceptible to privilege escalation. If exploited, a local attacker could elevate their privileges and compromise the affected system. En Progress OpenEdge versiones anteriores a 11.7.14 y versiones 12.x anteriores a 12.2.9, determinados binarios SUID dentro de la aplicación OpenEdge eran susceptibles de escalar privilegios. Si es explotado, un atacante local podría elevar sus privilegios y... • https://community.progress.com/s/article/OpenEdge-11-7-14-is-Now-Available •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 3CVE-2021-41318 – WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-41318
28 Sep 2021 — In Progress WhatsUp Gold prior to version 21.1.0, an application endpoint failed to adequately sanitize malicious input. which could allow an unauthenticated attacker to execute arbitrary code in a victim's browser. En Progress WhatsUp Gold versiones anteriores a 21.1.0, un endpoint de la aplicación no saneaba adecuadamente una entrada maliciosa, lo que podía permitir a un atacante no autenticado ejecutar código arbitrario en el navegador de la víctima WhatsUpGold version 21.0.3 suffers from a persistent cr... • https://packetstorm.news/files/id/164359 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 3%CPEs: 6EXPL: 0CVE-2021-38159
https://notcve.org/view.php?id=CVE-2021-38159
07 Aug 2021 — In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4), SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or execute SQL statements that alter or delete database elements, via crafted strings sent to unique MOVEit Transfer tran... • https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-6-2021 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-37614
https://notcve.org/view.php?id=CVE-2021-37614
05 Aug 2021 — In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3), SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or execute SQL statements that alter or delete database elements, via crafted strings sent to unique MOVEit Transfer transa... • https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •