CVSS: 9.0EPSS: 13%CPEs: 1EXPL: 0CVE-2024-6672 – WhatsUp Gold getMonitorJoin SQL Injection Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2024-6672
29 Aug 2024 — In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an authenticated low-privileged attacker to achieve privilege escalation by modifying a privileged user's password. This vulnerability allows remote attackers to escalate privileges on affected installations of Progress Software WhatsUp Gold. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the implementation of the g... • https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7745 – Multi-Factor Authentication Bypass in Progress WS_FTP Server
https://notcve.org/view.php?id=CVE-2024-7745
28 Aug 2024 — In WS_FTP Server versions before 8.8.8 (2022.0.8), a Missing Critical Step in Multi-Factor Authentication of the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only. • https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-August-2024 • CWE-290: Authentication Bypass by Spoofing CWE-304: Missing Critical Step in Authentication •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7744 – Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Progress WS_FTP Server
https://notcve.org/view.php?id=CVE-2024-7744
28 Aug 2024 — In WS_FTP Server versions before 8.8.8 (2022.0.8), an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Web Transfer Module allows File Discovery, Probe System Files, User-Controlled Filename, Path Traversal. An authenticated file download flaw has been identified where a user can craft an API call that allows them to download a file from an arbitrary folder on the drive where that user host's root folder is located (by default this is C:) This vulnerability... • https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-August-2024 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-73: External Control of File Name or Path •
CVSS: 7.5EPSS: 2%CPEs: 3EXPL: 0CVE-2024-6576 – MOVEit Transfer Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2024-6576
29 Jul 2024 — Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.12, from 2023.1.0 before 2023.1.7, from 2024.0.0 before 2024.0.3. • https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-July-2024-CVE-2024-6576 • CWE-287: Improper Authentication •
CVSS: 10.0EPSS: 4%CPEs: 1EXPL: 0CVE-2024-6096 – Unsafe Deserialization Vulnerability
https://notcve.org/view.php?id=CVE-2024-6096
24 Jul 2024 — In Progress® Telerik® Reporting versions prior to 18.1.24.709, a code execution attack is possible through object injection via an insecure type resolution vulnerability. • https://docs.telerik.com/reporting/knowledge-base/unsafe-reflection-CVE-2024-6096 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 0CVE-2024-6327 – Progress Telerik Report Server Deserialization
https://notcve.org/view.php?id=CVE-2024-6327
24 Jul 2024 — In Progress® Telerik® Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization vulnerability. • https://docs.telerik.com/report-server/knowledge-base/deserialization-vulnerability-cve-2024-6327 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4882 – URL Redirection to Arbitrary Site Exists in Sitefinity
https://notcve.org/view.php?id=CVE-2024-4882
08 Jul 2024 — The user may be redirected to an arbitrary site in Sitefinity 15.1.8321.0 and previous versions. El usuario puede ser redirigido a un sitio arbitrario en Sitefinity 15.1.8321.0 y versiones anteriores. • https://community.progress.com/s/article/Open-Redirect-vulnerability-CVE-2024-4882 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37411 – WordPress Progress Planner plugin <= 0.9.1 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-37411
27 Jun 2024 — Missing Authorization vulnerability in Team Emilia Projects Progress Planner allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Progress Planner: from n/a through 0.9.1. The Progress Planner plugin for WordPress is vulnerable to unauthorized access of data due to an insufficient capability check in the validate_token() function in versions up to, and including, 0.9.1. This makes it possible for unauthenticated attackers to retrieve stats. • https://patchstack.com/database/vulnerability/progress-planner/wordpress-progress-planner-plugin-0-9-1-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37422 – WordPress Progress Planner plugin <= 0.9.2 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-37422
27 Jun 2024 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Team Emilia Projects Progress Planner allows Stored XSS.This issue affects Progress Planner: from n/a through 0.9.2. Vulnerabilidad de neutralización incorrecta de la entrada durante la generación de páginas web (XSS o 'Cross-site Scripting') en Team Emilia Projects Progress Planner permite XSS almacenado. Este problema afecta al Progress Planner: desde n/a hasta 0.9.2. The Progress Planner plugin fo... • https://patchstack.com/database/vulnerability/progress-planner/wordpress-progress-planner-plugin-0-9-2-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5019 – WhatsUp Gold LoadCSSUsingBasePath Directory Traversal Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2024-5019
25 Jun 2024 — In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Arbitrary File Read issue exists in Wug.UI.Areas.Wug.Controllers.SessionController.CachedCSS. This vulnerability allows reading of any file with iisapppool\NmConsole privileges. En las versiones de WhatsUp Gold lanzadas antes de 2023.1.3, existe un problema de lectura arbitraria de archivos no autenticados en Wug.UI.Areas.Wug.Controllers.SessionController.CachedCSS. Esta vulnerabilidad permite la lectura de cualquier archivo con privilegi... • https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •