
CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

In Progress WS_FTP Server prior to version 8.7.3, forms within the administrative interface did not include a nonce to mitigate the risk of cross-site request forgery (CSRF) attacks.
• https://community.progress.com/s/article/WS-FTP-Server-Critical-Security-Product-Alert-Bulletin-June-2022
• https://www.progress.com/ws_ftp
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

In Progress WS_FTP Server prior to version 8.7.3, multiple reflected cross-site scripting (XSS) vulnerabilities exist in the administrative web interface. It is possible for a remote attacker to inject arbitrary JavaScript into a WS_FTP administrator's web session. This would allow the attacker to execute code within the context of the victim's browser.
• https://community.progress.com/s/article/WS-FTP-Server-Critical-Security-Product-Alert-Bulletin-June-2022
• https://www.progress.com/ws_ftp
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

In Progress OpenEdge before 11.7.14 and 12.x before 12.2.9, certain SUID binaries within the OpenEdge application were susceptible to privilege escalation. If exploited, a local attacker could elevate their privileges and compromise the affected system.
• https://community.progress.com/s/article/OpenEdge-11-7-14-is-Now-Available
• https://community.progress.com/s/article/OpenEdge-12-2-9-Update-is-available
• https://community.progress.com/s/article/Remediation-of-Privilege-Escalation-Security-Vulnerability-CVE-2022-29849
• https://www.progress.com/openedge

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 2

In Progress WhatsUp Gold prior to version 21.1.0, an application endpoint failed to adequately sanitize malicious input, which could allow an unauthenticated attacker to execute arbitrary code in a victim's browser. WhatsUp Gold version 21.0.3 suffers from a persistent cross-site scripting vulnerability.
• https://www.exploit-db.com/exploits/50366
• http://packetstormsecurity.com/files/164359/WhatsUpGold-21.0.3-Cross-Site-Scripting.html
• https://knowledgebase.progress.com/articles/Knowledge/WhatsUp-Gold-Security-Bulletin-September-2021
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 0% | CPEs: 6 | EXPL: 0

In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4), SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or execute SQL statements that alter or delete database elements, via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8), 2019.1.7 (11.1.7), 2019.2.4 (11.2.4), 2020.0.7 (12.0.7), 2020.1.6 (12.1.6), and 2021.0.4 (13.0.4).
• https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-6-2021
• https://www.progress.com/moveit
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')