CVSS: 9.0EPSS: 5%CPEs: 1EXPL: 0CVE-2024-46907 – WhatsUp Gold GetFilterCriteria SQL Injection Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2024-46907
02 Dec 2024 — In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account. This vulnerability allows remote attackers to escalate privileges on affected installations of Progress Software WhatsUp Gold. Authentication is required to exploit this vulnerability. The specific flaw exists within the implementation of the GetFilterCriteria method. The issue results ... • https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 5%CPEs: 1EXPL: 0CVE-2024-46908 – WhatsUp Gold GetFilterCriteria SQL Injection Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2024-46908
02 Dec 2024 — In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account. This vulnerability allows remote attackers to escalate privileges on affected installations of Progress Software WhatsUp Gold. Authentication is required to exploit this vulnerability. The specific flaw exists within the implementation of the GetFilterCriteria method. The issue results ... • https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7295 – Hard-coded credentials used for temporary and cache data encryption
https://notcve.org/view.php?id=CVE-2024-7295
13 Nov 2024 — In Progress® Telerik® Report Server versions prior to 2024 Q4 (10.3.24.1112), the encryption of local asset data used an older algorithm which may allow a sophisticated actor to decrypt this information. • https://docs.telerik.com/report-server/knowledge-base/encryption-weakness-cve-2024-7295 • CWE-798: Use of Hard-coded Credentials •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9999 – Multi-Factor Authentication Bypass in Progress WS_FTP Server
https://notcve.org/view.php?id=CVE-2024-9999
12 Nov 2024 — In WS_FTP Server versions before 8.8.9 (2022.0.9), an Incorrect Implementation of Authentication Algorithm in the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only. • https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-November-2024 • CWE-303: Incorrect Implementation of Authentication Algorithm •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 0CVE-2024-7763 – WhatsUp Gold getReport Missing Authentication Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2024-7763
24 Oct 2024 — In WhatsUp Gold versions released before 2024.0.0, an Authentication Bypass issue exists which allows an attacker to obtain encrypted user credentials. This vulnerability allows remote attackers to bypass authentication on affected installations of Progress Software WhatsUp Gold. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of getReport method. The issue results from the lack of authentication and authorization prior to allowing access to f... • https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024 • CWE-287: Improper Authentication •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7294 – Uncontrolled resource consumption of anonymous endpoints
https://notcve.org/view.php?id=CVE-2024-7294
09 Oct 2024 — In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), an HTTP DoS attack is possible on anonymous endpoints without rate limiting. • https://docs.telerik.com/report-server/knowledge-base/uncontrolled-resource-consumption-cve-2024-7294 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7293 – Password policy for new users is not strong enough
https://notcve.org/view.php?id=CVE-2024-7293
09 Oct 2024 — In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a password brute forcing attack is possible through weak password requirements. • https://docs.telerik.com/report-server/knowledge-base/weak-password-requirement-cve-2024-7293 • CWE-521: Weak Password Requirements •
CVSS: 10.0EPSS: 94%CPEs: 1EXPL: 2CVE-2024-6670 – Progress WhatsUp Gold SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2024-6670
29 Aug 2024 — In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password. This vulnerability allows remote attackers to bypass authentication on affected installations of Progress Software WhatsUp Gold. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of HasErrors method. The issue results from the lack of proper validation of a user-supplied string before using... • https://packetstorm.news/files/id/180479 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 17%CPEs: 1EXPL: 0CVE-2024-6671 – WhatsUp Gold GetStatisticalMonitorList SQL Injection Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2024-6671
29 Aug 2024 — In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password. This vulnerability allows remote attackers to bypass authentication on affected installations of Progress Software WhatsUp Gold. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of GetStatisticalMonitorList method. The issue results... • https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 13%CPEs: 1EXPL: 0CVE-2024-6672 – WhatsUp Gold getMonitorJoin SQL Injection Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2024-6672
29 Aug 2024 — In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an authenticated low-privileged attacker to achieve privilege escalation by modifying a privileged user's password. This vulnerability allows remote attackers to escalate privileges on affected installations of Progress Software WhatsUp Gold. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the implementation of the g... • https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •