CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 0CVE-2024-7763 – WhatsUp Gold getReport Missing Authentication Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2024-7763
24 Oct 2024 — In WhatsUp Gold versions released before 2024.0.0, an Authentication Bypass issue exists which allows an attacker to obtain encrypted user credentials. This vulnerability allows remote attackers to bypass authentication on affected installations of Progress Software WhatsUp Gold. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of getReport method. The issue results from the lack of authentication and authorization prior to allowing access to f... • https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024 • CWE-287: Improper Authentication •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49652 – WordPress 3D Work In Progress plugin <= 1.0.3 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-49652
21 Oct 2024 — Unrestricted Upload of File with Dangerous Type vulnerability in ReneeCussack 3D Work In Progress allows Upload a Web Shell to a Web Server.This issue affects 3D Work In Progress: from n/a through 1.0.3. The 3D Work In Progress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.0.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's s... • https://patchstack.com/database/vulnerability/renee-work-in-progress/wordpress-3d-work-in-progress-plugin-1-0-3-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49657 – WordPress 3D Work In Progress plugin <= 1.0.3 - Arbitrary File Deletion vulnerability
https://notcve.org/view.php?id=CVE-2024-49657
21 Oct 2024 — Missing Authorization vulnerability in ReneeCussack 3D Work In Progress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects 3D Work In Progress: from n/a through 1.0.3. The 3D Work In Progress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 1.0.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server,... • https://patchstack.com/database/vulnerability/renee-work-in-progress/wordpress-3d-work-in-progress-plugin-1-0-3-arbitrary-file-deletion-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 4%CPEs: 1EXPL: 0CVE-2024-8755 – Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection.
https://notcve.org/view.php?id=CVE-2024-8755
11 Oct 2024 — Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection.This issue affects: Product Affected Versions LoadMaster From 7.2.55.0 to 7.2.60.1 (inclusive) From 7.2.49.0 to 7.2.54.12 (inclusive) 7.2.48.12 and all prior versions Multi-Tenant Hypervisor 7.1.35.12 and all prior versions ECS All prior versions to 7.2.60.1 (inclusive) • https://support.kemptechnologies.com/hc/en-us/articles/30297374715661-LoadMaster-Security-Vulnerability-CVE-2024-8755 • CWE-20: Improper Input Validation •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8015 – Telerik Report Server Insecure Type Resolution
https://notcve.org/view.php?id=CVE-2024-8015
09 Oct 2024 — In Progress Telerik Report Server versions prior to 2024 Q3 (10.2.24.924), a remote code execution attack is possible through object injection via an insecure type resolution vulnerability. • https://docs.telerik.com/report-server/knowledge-base/insecure-type-resolution-cve-2024-8015 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-7292 – Account Controller allows high count of login attempts
https://notcve.org/view.php?id=CVE-2024-7292
09 Oct 2024 — In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a credential stuffing attack is possible through improper restriction of excessive login attempts. • https://docs.telerik.com/report-server/knowledge-base/improper-restriction-of-excessive-login-attempts-cve-2024-7292 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7294 – Uncontrolled resource consumption of anonymous endpoints
https://notcve.org/view.php?id=CVE-2024-7294
09 Oct 2024 — In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), an HTTP DoS attack is possible on anonymous endpoints without rate limiting. • https://docs.telerik.com/report-server/knowledge-base/uncontrolled-resource-consumption-cve-2024-7294 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7293 – Password policy for new users is not strong enough
https://notcve.org/view.php?id=CVE-2024-7293
09 Oct 2024 — In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a password brute forcing attack is possible through weak password requirements. • https://docs.telerik.com/report-server/knowledge-base/weak-password-requirement-cve-2024-7293 • CWE-521: Weak Password Requirements •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7840 – Improper neutralization special element in hyperlinks
https://notcve.org/view.php?id=CVE-2024-7840
09 Oct 2024 — In Progress Telerik Reporting versions prior to 2024 Q3 (2024.3.924), a command injection attack is possible through improper neutralization of hyperlink elements. In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a command injection attack is possible through improper neutralization of hyperlink elements. • https://docs.telerik.com/reporting/knowledge-base/command-injection-cve-2024-7840 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8048 – Telerik Reporting Insecure Expression Evaluation
https://notcve.org/view.php?id=CVE-2024-8048
09 Oct 2024 — In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible using object injection via insecure expression evaluation. • https://docs.telerik.com/reporting/knowledge-base/insecure-expression-evaluation-cve-2024-8048 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') •