CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4200 – Progress Telerik Reporting Local Deserialization Vulnerability
https://notcve.org/view.php?id=CVE-2024-4200
15 May 2024 — In Progress® Telerik® Reporting versions prior to 2024 Q2 (18.1.24.2.514), a code execution attack is possible by a local threat actor through an insecure deserialization vulnerability. En las versiones de Progress® Telerik® Reporting anteriores al segundo trimestre de 2024 (18.1.24.2.514), un actor de amenazas local puede realizar un ataque de ejecución de código a través de una vulnerabilidad de deserialización insegura. • https://docs.telerik.com/reporting/knowledge-base/deserialization-vulnerability-cve-2024-4200 • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4202 – Progress Telerik Reporting Local Instantiation Vulnerability
https://notcve.org/view.php?id=CVE-2024-4202
15 May 2024 — In Progress® Telerik® Reporting versions prior to 2024 Q2 (18.1.24.514), a code execution attack is possible through an insecure instantiation vulnerability. En las versiones de Progress® Telerik® Reporting anteriores al segundo trimestre de 2024 (18.1.24.514), es posible un ataque de ejecución de código a través de una vulnerabilidad de instanciación insegura. • https://docs.telerik.com/reporting/knowledge-base/instantiation-vulnerability-cve-2024-4202 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3892 – Local code execution vulnerability in Telerik UI for WinForms
https://notcve.org/view.php?id=CVE-2024-3892
15 May 2024 — A local code execution vulnerability is possible in Telerik UI for WinForms beginning in v2021.1.122 but prior to v2024.2.514. This vulnerability could allow an untrusted theme assembly to execute arbitrary code on the local Windows system. Es posible una vulnerabilidad de ejecución de código local en la interfaz de usuario de Telerik para WinForms a partir de v2021.1.122 pero antes de v2024.2.514. Esta vulnerabilidad podría permitir que un ensamblado de temas que no sea de confianza ejecute código arbitrar... • https://docs.telerik.com/devtools/winforms/knowledge-base/local-code-execution-vulnerability-cve-2024-3892 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4562 – WhatsUp Gold Server-Side Request Forgery Information Disclosure Vulnerability via HttpMonitorSettings
https://notcve.org/view.php?id=CVE-2024-4562
14 May 2024 — In WhatsUp Gold versions released before 2023.1.2 , an SSRF vulnerability exists in Whatsup Gold's Issue exists in the HTTP Monitoring functionality. Due to the lack of proper authorization, any authenticated user can access the HTTP monitoring functionality, what leads to the Server Side Request Forgery. En las versiones de WhatsUp Gold lanzadas antes de 2023.1.2, existe una vulnerabilidad SSRF en Whatsup Gold. El problema existe en la funcionalidad de monitoreo HTTP. Debido a la falta de autorización adec... • https://community.progress.com/s/article/Announcing-WhatsUp-Gold-v2023-1-2 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4561 – WhatsUp Gold Server-Side Request Forgery Information Disclosure Vulnerability via FaviconController
https://notcve.org/view.php?id=CVE-2024-4561
14 May 2024 — In WhatsUp Gold versions released before 2023.1.2 , a blind SSRF vulnerability exists in Whatsup Gold's FaviconController that allows an attacker to send arbitrary HTTP requests on behalf of the vulnerable server. En las versiones de WhatsUp Gold lanzadas antes de 2023.1.2, existe una vulnerabilidad SSRF ciega en FaviconController de Whatsup Gold que permite a un atacante enviar solicitudes HTTP arbitrarias en nombre del servidor vulnerable. This vulnerability allows remote attackers to disclose sensitive i... • https://community.progress.com/s/article/Announcing-WhatsUp-Gold-v2023-1-2 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-3544 – LoadMaster Hardcoded SSH Key
https://notcve.org/view.php?id=CVE-2024-3544
02 May 2024 — Unauthenticated attackers can perform actions, using SSH private keys, by knowing the IP address and having access to the same network of one of the machines in the HA or Cluster group. This vulnerability has been closed by enhancing LoadMaster partner communications to require a shared secret that must be exchanged between the partners before communication can proceed. Los atacantes no autenticados pueden realizar acciones utilizando claves privadas SSH conociendo la dirección IP y teniendo acceso a la mis... • https://kemptechnologies.com • CWE-798: Use of Hard-coded Credentials •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-3543 – LoadMaster Reversible Password Encryption Algorithm
https://notcve.org/view.php?id=CVE-2024-3543
02 May 2024 — Use of reversible password encryption algorithm allows attackers to decrypt passwords. Sensitive information can be easily unencrypted by the attacker, stolen credentials can be used for arbitrary actions to corrupt the system. El uso de un algoritmo de cifrado de contraseña reversible permite a los atacantes descifrar contraseñas. El atacante puede descifrar fácilmente la información confidencial y las credenciales robadas pueden usarse para acciones arbitrarias que corrompan el sistema. • https://kemptechnologies.com • CWE-257: Storing Passwords in a Recoverable Format •
CVSS: 10.0EPSS: 94%CPEs: 2EXPL: 4CVE-2024-2389 – Flowmon Unauthenticated Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2024-2389
02 Apr 2024 — In Flowmon versions prior to 11.1.14 and 12.3.5, an operating system command injection vulnerability has been identified. An unauthenticated user can gain entry to the system via the Flowmon management interface, allowing for the execution of arbitrary system commands. En las versiones de Flowmon anteriores a la 11.1.14 y 12.3.5, se identificó una vulnerabilidad de inyección de comandos del sistema operativo. Un usuario no autenticado puede acceder al sistema a través de la interfaz de administración de Flo... • https://packetstorm.news/files/id/178849 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.6EPSS: 0%CPEs: 4EXPL: 0CVE-2024-2449 – LoadMaster Cross-Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2024-2449
22 Mar 2024 — A cross-site request forgery vulnerability has been identified in LoadMaster. It is possible for a malicious actor, who has prior knowledge of the IP or hostname of a specific LoadMaster, to direct an authenticated LoadMaster administrator to a third-party site. In such a scenario, the CSRF payload hosted on the malicious site would execute HTTP transactions on behalf of the LoadMaster administrator. Se ha identificado una vulnerabilidad de Cross-Site Request Forgery en LoadMaster. Es posible que un actor m... • https://progress.com/loadmaster • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.0EPSS: 60%CPEs: 4EXPL: 1CVE-2024-2448 – LoadMaster Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2024-2448
22 Mar 2024 — An OS command injection vulnerability has been identified in LoadMaster. An authenticated UI user with any permission settings may be able to inject commands into a UI component using a shell command resulting in OS command injection. Se ha identificado una vulnerabilidad de inyección de comandos del sistema operativo en LoadMaster. Un usuario de UI autenticado con cualquier configuración de permisos puede inyectar comandos en un componente de UI usando un comando de shell, lo que resulta en la inyección de... • https://github.com/minj-ae/CVE-2024-24488 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •