CVE-2024-5015
WhatsUp Gold SessionControler Server-Side Request Forgery Information Disclosure Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In WhatsUp Gold versions released before 2023.1.3, an authenticated SSRF vulnerability in Wug.UI.Areas.Wug.Controllers.SessionControler.Update allows a low privileged user to chain this SSRF with an Improper Access Control vulnerability. This can be used to escalate privileges to Admin.
En las versiones de WhatsUp Gold lanzadas antes de 2023.1.3, una vulnerabilidad SSRF autenticada en Wug.UI.Areas.Wug.Controllers.SessionControler.Update permite a un usuario con pocos privilegios encadenar esta SSRF con una vulnerabilidad de control de acceso inadecuado. Esto se puede utilizar para escalar privilegios a Administrador.
This vulnerability allows remote attackers to initiate arbitrary server-side requests on affected installations of Progress Software WhatsUp Gold. Authentication is required to exploit this vulnerability.
The specific flaw exists within the SessionControler class. The issue results from the lack of authorization prior to allowing access to functionality. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges to resources normally protected from the user.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-05-16 CVE Reserved
- 2024-06-25 CVE Published
- 2024-08-01 CVE Updated
- 2024-08-22 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
- CAPEC-233: Privilege Escalation
References (2)
URL | Tag | Source |
---|---|---|
https://www.progress.com/network-monitoring | Product |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024 | 2024-06-26 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Progress Software Corporation Search vendor "Progress Software Corporation" | WhatsUp Gold Search vendor "Progress Software Corporation" for product "WhatsUp Gold" | >= 2023.1.0 < 2023.1.3 Search vendor "Progress Software Corporation" for product "WhatsUp Gold" and version " >= 2023.1.0 < 2023.1.3" | en |
Affected
|