
CVE-2024-7763 – WhatsUp Gold getReport Missing Authentication Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2024-7763
24 Oct 2024 — In WhatsUp Gold versions released before 2024.0.0, an Authentication Bypass issue exists which allows an attacker to obtain encrypted user credentials. This vulnerability allows remote attackers to bypass authentication on affected installations of Progress Software WhatsUp Gold. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of getReport method. The issue results from the lack of authentication and authorization prior to allowing access to f... • https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024 • CWE-287: Improper Authentication •

CVE-2024-8015 – Telerik Report Server Insecure Type Resolution
https://notcve.org/view.php?id=CVE-2024-8015
09 Oct 2024 — In Progress Telerik Report Server versions prior to 2024 Q3 (10.2.24.924), a remote code execution attack is possible through object injection via an insecure type resolution vulnerability. • https://docs.telerik.com/report-server/knowledge-base/insecure-type-resolution-cve-2024-8015 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') •

CVE-2024-7292 – Account Controller allows high count of login attempts
https://notcve.org/view.php?id=CVE-2024-7292
09 Oct 2024 — In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a credential stuffing attack is possible through improper restriction of excessive login attempts. • https://docs.telerik.com/report-server/knowledge-base/improper-restriction-of-excessive-login-attempts-cve-2024-7292 • CWE-307: Improper Restriction of Excessive Authentication Attempts •

CVE-2024-7294 – Uncontrolled resource consumption of anonymous endpoints
https://notcve.org/view.php?id=CVE-2024-7294
09 Oct 2024 — In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), an HTTP DoS attack is possible on anonymous endpoints without rate limiting. • https://docs.telerik.com/report-server/knowledge-base/uncontrolled-resource-consumption-cve-2024-7294 • CWE-400: Uncontrolled Resource Consumption •

CVE-2024-7293 – Password policy for new users is not strong enough
https://notcve.org/view.php?id=CVE-2024-7293
09 Oct 2024 — In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a password brute forcing attack is possible through weak password requirements. • https://docs.telerik.com/report-server/knowledge-base/weak-password-requirement-cve-2024-7293 • CWE-521: Weak Password Requirements •

CVE-2024-7840 – Improper neutralization special element in hyperlinks
https://notcve.org/view.php?id=CVE-2024-7840
09 Oct 2024 — In Progress Telerik Reporting versions prior to 2024 Q3 (2024.3.924), a command injection attack is possible through improper neutralization of hyperlink elements. In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a command injection attack is possible through improper neutralization of hyperlink elements. • https://docs.telerik.com/reporting/knowledge-base/command-injection-cve-2024-7840 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2024-8048 – Telerik Reporting Insecure Expression Evaluation
https://notcve.org/view.php?id=CVE-2024-8048
09 Oct 2024 — In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible using object injection via insecure expression evaluation. • https://docs.telerik.com/reporting/knowledge-base/insecure-expression-evaluation-cve-2024-8048 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') •

CVE-2024-8014 – Telerik Reporting EntityDataSource Insecure Type Resolution
https://notcve.org/view.php?id=CVE-2024-8014
09 Oct 2024 — In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible through object injection via an insecure type resolution vulnerability. • https://docs.telerik.com/reporting/knowledge-base/insecure-type-resolution-cve-2024-8014 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') •

CVE-2024-6670 – Progress WhatsUp Gold SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2024-6670
29 Aug 2024 — In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password. This vulnerability allows remote attackers to bypass authentication on affected installations of Progress Software WhatsUp Gold. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of HasErrors method. The issue results from the lack of proper validation of a user-supplied string before using... • https://packetstorm.news/files/id/180479 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2024-6671 – WhatsUp Gold GetStatisticalMonitorList SQL Injection Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2024-6671
29 Aug 2024 — In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password. This vulnerability allows remote attackers to bypass authentication on affected installations of Progress Software WhatsUp Gold. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of GetStatisticalMonitorList method. The issue results... • https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •