CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2024-3543 – LoadMaster Reversible Password Encryption Algorithm
https://notcve.org/view.php?id=CVE-2024-3543
Use of reversible password encryption algorithm allows attackers to decrypt passwords. Sensitive information can be easily unencrypted by the attacker, stolen credentials can be used for arbitrary actions to corrupt the system. El uso de un algoritmo de cifrado de contraseña reversible permite a los atacantes descifrar contraseñas. El atacante puede descifrar fácilmente la información confidencial y las credenciales robadas pueden usarse para acciones arbitrarias que corrompan el sistema. • https://kemptechnologies.com https://support.kemptechnologies.com/hc/en-us/articles/25724813518605-ECS-Connection-Manager-Security-Vulnerabilities-CVE-2024-3544-and-CVE-2024-3543 • CWE-257: Storing Passwords in a Recoverable Format •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 4CVE-2024-2389 – Flowmon Unauthenticated Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2024-2389
In Flowmon versions prior to 11.1.14 and 12.3.5, an operating system command injection vulnerability has been identified. An unauthenticated user can gain entry to the system via the Flowmon management interface, allowing for the execution of arbitrary system commands. En las versiones de Flowmon anteriores a la 11.1.14 y 12.3.5, se identificó una vulnerabilidad de inyección de comandos del sistema operativo. Un usuario no autenticado puede acceder al sistema a través de la interfaz de administración de Flowmon, lo que permite la ejecución de comandos arbitrarios del sistema. • https://github.com/Surko888/Surko-Exploit-Jenkins-CVE-2024-23897 https://github.com/Abo5/CVE-2024-23897 https://github.com/adhikara13/CVE-2024-2389 https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability https://www.flowmon.com https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/progress_flowmon_unauth_cmd_injection.rb • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-2449 – LoadMaster Cross-Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2024-2449
A cross-site request forgery vulnerability has been identified in LoadMaster. It is possible for a malicious actor, who has prior knowledge of the IP or hostname of a specific LoadMaster, to direct an authenticated LoadMaster administrator to a third-party site. In such a scenario, the CSRF payload hosted on the malicious site would execute HTTP transactions on behalf of the LoadMaster administrator. Se ha identificado una vulnerabilidad de Cross-Site Request Forgery en LoadMaster. Es posible que un actor malintencionado, que tenga conocimiento previo de la IP o el nombre de host de un LoadMaster específico, dirija a un administrador de LoadMaster autenticado a un sitio de terceros. • https://progress.com/loadmaster https://support.kemptechnologies.com/hc/en-us/articles/25119767150477-LoadMaster-Security-Vulnerabilities-CVE-2024-2448-and-CVE-2024-2449 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.4EPSS: 0%CPEs: 4EXPL: 1CVE-2024-2448 – LoadMaster Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2024-2448
An OS command injection vulnerability has been identified in LoadMaster. An authenticated UI user with any permission settings may be able to inject commands into a UI component using a shell command resulting in OS command injection. Se ha identificado una vulnerabilidad de inyección de comandos del sistema operativo en LoadMaster. Un usuario de UI autenticado con cualquier configuración de permisos puede inyectar comandos en un componente de UI usando un comando de shell, lo que resulta en la inyección de comandos del sistema operativo. • https://github.com/minj-ae/CVE-2024-24488 https://progress.com/loadmaster https://support.kemptechnologies.com/hc/en-us/articles/25119767150477-LoadMaster-Security-Vulnerabilities-CVE-2024-2448-and-CVE-2024-2449 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 1CVE-2024-2291 – MOVEit Transfer Logging Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2024-2291
In Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered. An authenticated user could manipulate a request to bypass the logging mechanism within the web application which results in user activity not being logged properly. • https://github.com/ASR511-OO7/CVE-2024-22917 https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-March-2024 https://www.progress.com/moveit • CWE-778: Insufficient Logging •