CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7293 – Password policy for new users is not strong enough
https://notcve.org/view.php?id=CVE-2024-7293
In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a password brute forcing attack is possible through weak password requirements. • https://docs.telerik.com/report-server/knowledge-base/weak-password-requirement-cve-2024-7293 • CWE-521: Weak Password Requirements •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7840 – Improper neutralization special element in hyperlinks
https://notcve.org/view.php?id=CVE-2024-7840
In Progress Telerik Reporting versions prior to 2024 Q3 (2024.3.924), a command injection attack is possible through improper neutralization of hyperlink elements. In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a command injection attack is possible through improper neutralization of hyperlink elements. • https://docs.telerik.com/reporting/knowledge-base/command-injection-cve-2024-7840 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8048 – Telerik Reporting Insecure Expression Evaluation
https://notcve.org/view.php?id=CVE-2024-8048
In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible using object injection via insecure expression evaluation. • https://docs.telerik.com/reporting/knowledge-base/insecure-expression-evaluation-cve-2024-8048 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8014 – Telerik Reporting EntityDataSource Insecure Type Resolution
https://notcve.org/view.php?id=CVE-2024-8014
In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible through object injection via an insecure type resolution vulnerability. • https://docs.telerik.com/reporting/knowledge-base/insecure-type-resolution-cve-2024-8014 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') •
CVSS: 9.8EPSS: 90%CPEs: 1EXPL: 1CVE-2024-6670 – Progress WhatsUp Gold SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2024-6670
In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password. This vulnerability allows remote attackers to bypass authentication on affected installations of Progress Software WhatsUp Gold. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of HasErrors method. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to bypass authentication on the system. • https://github.com/sinsinology/CVE-2024-6670 https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024 https://www.progress.com/network-monitoring https://summoning.team/blog/progress-whatsup-gold-sqli-cve-2024-6670 https://www.zerodayinitiative.com/advisories/ZDI-24-1185 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •