CVE-2024-5011 – WhatsUp Gold TestController Chart denial of service vulnerability
https://notcve.org/view.php?id=CVE-2024-5011
In WhatsUp Gold versions released before 2023.1.3, an uncontrolled resource consumption vulnerability exists. A specially crafted unauthenticated HTTP request to the TestController Chart functionality can lead to denial of service. En las versiones de WhatsUp Gold lanzadas antes de 2023.1.3, existe una vulnerabilidad de consumo descontrolado de recursos. Una solicitud HTTP no autenticada especialmente manipulada para la funcionalidad TestController Chart puede provocar una denegación de servicio. • https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024 https://www.progress.com/network-monitoring https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1934 • CWE-400: Uncontrolled Resource Consumption •
CVE-2024-5010 – WhatsUp Gold TestController multiple information disclosure vulnerabilities
https://notcve.org/view.php?id=CVE-2024-5010
In WhatsUp Gold versions released before 2023.1.3, a vulnerability exists in the TestController functionality. A specially crafted unauthenticated HTTP request can lead to a disclosure of sensitive information. En las versiones de WhatsUp Gold lanzadas antes de 2023.1.3, existe una vulnerabilidad en la funcionalidad TestController. Una solicitud HTTP no autenticada especialmente manipulada puede dar lugar a la divulgación de información confidencial. • https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024 https://www.progress.com/network-monitoring https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1933 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2024-5009 – WhatsUp Gold SetAdminPassword Improper Access Control Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2024-5009
In WhatsUp Gold versions released before 2023.1.3, an Improper Access Control vulnerability in Wug.UI.Controllers.InstallController.SetAdminPassword allows local attackers to modify admin's password. En las versiones de WhatsUp Gold lanzadas antes de 2023.1.3, una vulnerabilidad de control de acceso inadecuado en Wug.UI.Controllers.InstallController.SetAdminPassword permite a atacantes locales modificar la contraseña del administrador. This vulnerability allows local attackers to escalate privileges on affected installations of Progress Software WhatsUp Gold. An attacker must first obtain the ability to execute low-privileged code on the target system or send an HTTP request from a local machine in order to exploit this vulnerability. The specific flaw exists within the implementation of SetAdminPassword method. The issue results from the improper access control. • https://github.com/sinsinology/CVE-2024-5009 https://github.com/th3gokul/CVE-2024-5009 https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024 https://www.progress.com/network-monitoring • CWE-269: Improper Privilege Management •
CVE-2024-5008 – WhatsUp Gold APM Unrestricted File Upload Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-5008
In WhatsUp Gold versions released before 2023.1.3, an authenticated user with certain permissions can upload an arbitrary file and obtain RCE using Apm.UI.Areas.APM.Controllers.Api.Applications.AppProfileImportController. En las versiones de WhatsUp Gold lanzadas antes de 2023.1.3, un usuario autenticado con ciertos permisos puede cargar un archivo arbitrario y obtener RCE usando Apm.UI.Areas.APM.Controllers.Api.Applications.AppProfileImportController. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Progress Software WhatsUp Gold. Authentication is required to exploit this vulnerability. The specific flaw exists within the APM module. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. • https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024 https://www.progress.com/network-monitoring • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2024-4885 – WhatsUp Gold GetFileWithoutZip Directory Traversal Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-4885
In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability in Progress WhatsUpGold. The WhatsUp.ExportUtilities.Export.GetFileWithoutZip allows execution of commands with iisapppool\nmconsole privileges. En las versiones de WhatsUp Gold lanzadas antes de 2023.1.3, se detectó una vulnerabilidad de ejecución remota de código no autenticada en WhatsUpGold en curso. WhatsUp.ExportUtilities.Export.GetFileWithoutZip permite la ejecución de comandos con privilegios de iisapppool\nmconsole. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Progress Software WhatsUp Gold. • https://github.com/sinsinology/CVE-2024-4885 https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024 https://www.progress.com/network-monitoring • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •