// For flags

CVE-2024-4561

WhatsUp Gold Server-Side Request Forgery Information Disclosure Vulnerability via FaviconController

Severity Score

4.2
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

In WhatsUp Gold versions released before 2023.1.2 ,

a blind SSRF vulnerability exists in Whatsup Gold's FaviconController that allows an attacker to send arbitrary HTTP requests on behalf of the vulnerable server.

En las versiones de WhatsUp Gold lanzadas antes de 2023.1.2, existe una vulnerabilidad SSRF ciega en FaviconController de Whatsup Gold que permite a un atacante enviar solicitudes HTTP arbitrarias en nombre del servidor vulnerable.

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Progress Software WhatsUp Gold. Authentication is required to exploit this vulnerability.
The specific flaw exists within the FaviconController class. The issue results from following HTTP redirects. An attacker can leverage this vulnerability to disclose information in the context of the application.

*Credits: Abdessamad Lahlali of Trend Micro.
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-05-06 CVE Reserved
  • 2024-05-14 CVE Published
  • 2024-06-01 EPSS Updated
  • 2024-08-01 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
  • CAPEC-54: Query System for Information
  • CAPEC-113: Interface Manipulation
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Progress Software Corporation
Search vendor "Progress Software Corporation"
WhatsUp Gold
Search vendor "Progress Software Corporation" for product "WhatsUp Gold"
>= 2023.1.0 < 2023.1.2
Search vendor "Progress Software Corporation" for product "WhatsUp Gold" and version " >= 2023.1.0 < 2023.1.2"
en
Affected