CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6097 – Absolute Path Traversal Vulnerability
https://notcve.org/view.php?id=CVE-2024-6097
12 Feb 2025 — In Progress® Telerik® Reporting versions prior to 2025 Q1 (19.0.25.211), information disclosure is possible by a local threat actor through an absolute path vulnerability. • https://docs.telerik.com/reporting/knowledge-base/kb-security-absolute-path-traversal-CVE-2024-6097 • CWE-36: Absolute Path Traversal •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-11628 – Prototype Pollution in Progress® Telerik® Kendo UI for Vue
https://notcve.org/view.php?id=CVE-2024-11628
12 Feb 2025 — In Progress® Telerik® Kendo UI for Vue versions v2.4.0 through v6.0.1, an attacker can introduce or modify properties within the global prototype chain which can result in denial of service or command injection. • https://www.telerik.com/kendo-vue-ui/components/knowledge-base/kb-security-protoype-pollution-2024-11628 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 4.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-12629 – Prototype Pollution in Progress® Telerik® KendoReact
https://notcve.org/view.php?id=CVE-2024-12629
12 Feb 2025 — In Progress® Telerik® KendoReact versions v3.5.0 through v9.4.0, an attacker can introduce or modify properties within the global prototype chain which can result in denial of service or command injection. • https://www.telerik.com/kendo-react-ui/components/knowledge-base/kb-security-protoype-pollution-2024-12629 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-0556 – Telerik Report Server Clear Text Transmission of Agent Commands
https://notcve.org/view.php?id=CVE-2025-0556
12 Feb 2025 — In Progress® Telerik® Report Server, versions prior to 2025 Q1 (11.0.25.211) when using the older .NET Framework implementation, communication of non-sensitive information between the service agent process and app host process occurs over an unencrypted tunnel, which can be subjected to local network traffic sniffing. • https://docs.telerik.com/report-server/knowledge-base/kb-security-cleartext-transmission-cve-2025-0556 • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-12251 – Improper neutralization special element in hyperlinks
https://notcve.org/view.php?id=CVE-2024-12251
12 Feb 2025 — In Progress® Telerik® UI for WinUI versions prior to 2025 Q1 (3.0.0), a command injection attack is possible through improper neutralization of hyperlink elements. • https://docs.telerik.com/devtools/winui/security/kb-security-command-injection-cve-2024-12251 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 8.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-11626
https://notcve.org/view.php?id=CVE-2024-11626
07 Jan 2025 — Improper Neutralization of Input During CMS Backend (adminstrative section) Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Progress Sitefinity.This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421. Vulnerabilidad de neutralización incorrecta de la entrada durante la generación de páginas web del backend de CMS (sección administrativa) (XSS o 'Cross-site Scripting') en Progress Site... • https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-11625-and-CVE-2024-11626-January-2025 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.7EPSS: 0%CPEs: 4EXPL: 0CVE-2024-11625
https://notcve.org/view.php?id=CVE-2024-11625
07 Jan 2025 — Information Exposure Through an Error Message vulnerability in Progress Software Corporation Sitefinity.This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421. Vulnerabilidad de exposición de información a través de un mensaje de error en Sitefinity de Progress Software Corporation. Este problema afecta a Sitefinity: desde la versión 4.0 hasta la 14.4.8142, desde la versión 15.0.8200 hasta la 15.0.8229, ... • https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-11625-and-CVE-2024-11626-January-2025 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-12105 – WhatsUp Gold - SnmpExtendedActiveMonitor path traversal
https://notcve.org/view.php?id=CVE-2024-12105
31 Dec 2024 — In WhatsUp Gold versions released before 2024.0.2, an authenticated user can use a specially crafted HTTP request that can lead to information disclosure. In WhatsUp Gold versions released before 2024.0.2, an authenticated user can use a specially crafted HTTP request that can lead to information disclosure. • https://www.progress.com/network-monitoring • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.7EPSS: 4%CPEs: 1EXPL: 0CVE-2024-12106 – WhatsUp Gold - LDAP configuration interface leading to allowing attacker to configure LDAP settings without authentication
https://notcve.org/view.php?id=CVE-2024-12106
31 Dec 2024 — In WhatsUp Gold versions released before 2024.0.2, an unauthenticated attacker can configure LDAP settings. In WhatsUp Gold versions released before 2024.0.2, an unauthenticated attacker can configure LDAP settings. • https://www.progress.com/network-monitoring • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.6EPSS: 2%CPEs: 1EXPL: 0CVE-2024-12108 – WhatsUp Gold - Public API signing key rotation issue
https://notcve.org/view.php?id=CVE-2024-12108
31 Dec 2024 — In WhatsUp Gold versions released before 2024.0.2, an attacker can gain access to the WhatsUp Gold server via the public API. • https://www.progress.com/network-monitoring • CWE-290: Authentication Bypass by Spoofing •