CVSS: 9.1EPSS: 0%CPEs: 3EXPL: 1CVE-2024-5806 – MOVEit Transfer Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2024-5806
Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2. • https://github.com/watchtowrlabs/watchTowr-vs-progress-moveit_CVE-2024-5806 https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-June-2024-CVE-2024-5806 https://www.progress.com/moveit • CWE-287: Improper Authentication •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5805 – MOVEit Gateway Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2024-5805
Improper Authentication vulnerability in Progress MOVEit Gateway (SFTP modules) allows Authentication Bypass.This issue affects MOVEit Gateway: 2024.0.0. • https://community.progress.com/s/article/MOVEit-Gateway-Critical-Security-Alert-Bulletin-June-2024-CVE-2024-5805 https://www.progress.com/moveit • CWE-287: Improper Authentication •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4837 – Trust Boundary Violation Vulnerability
https://notcve.org/view.php?id=CVE-2024-4837
In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via a trust boundary violation vulnerability. En Progress Telerik Report Server, versión 2024 Q1 (10.0.24.305) o anterior, en IIS, un atacante no autenticado puede obtener acceso a la funcionalidad restringida de Telerik Report Server a través de una vulnerabilidad de violación de los límites de confianza. • https://docs.telerik.com/report-server/knowledge-base/information-exposure-cve-2024-4837 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4357 – XML External Entity Processing Information Disclosure
https://notcve.org/view.php?id=CVE-2024-4357
An information disclosure vulnerability exists in Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, allows low-privilege attacker to read systems file via XML External Entity Processing. Existe una vulnerabilidad de divulgación de información en Progress Telerik Report Server, versión 2024 Q1 (10.0.24.305) o anterior, que permite a un atacante con pocos privilegios leer archivos del sistema a través del procesamiento de entidades externas XML. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Progress Software Telerik Reporting. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the implementation of ValidateMetadaUri method. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. • https://docs.telerik.com/report-server/knowledge-base/xxe-vulnerability-cve-2024-4357 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4200 – Progress Telerik Reporting Local Deserialization Vulnerability
https://notcve.org/view.php?id=CVE-2024-4200
In Progress® Telerik® Reporting versions prior to 2024 Q2 (18.1.24.2.514), a code execution attack is possible by a local threat actor through an insecure deserialization vulnerability. En las versiones de Progress® Telerik® Reporting anteriores al segundo trimestre de 2024 (18.1.24.2.514), un actor de amenazas local puede realizar un ataque de ejecución de código a través de una vulnerabilidad de deserialización insegura. • https://docs.telerik.com/reporting/knowledge-base/deserialization-vulnerability-cve-2024-4200 • CWE-502: Deserialization of Untrusted Data •