Progress: Security Vulnerabilities
Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer.This issue affects MOVEit Transfer: before 2024.1.8, from 2025.0.0 before 2025.0.4.
CVSS Score
5.3
EPSS Score
0.0
Published
2025-11-19
In HDP Server versions below 4.6.2.2978 on Linux, unauthorized access could occur via IP spoofing using the X-Forwarded-For header.
Since XFF is a client-controlled header, it could be spoofed, allowing unauthorized access if the spoofed IP matched a whitelisted range.
This vulnerability could be exploited to bypass IP restrictions, though valid user credentials would still be required for resource access.
CVSS Score
8.4
EPSS Score
0.0
Published
2025-07-29
Unauthorized access and impersonation can occur in versions 4.6.2.3226 and below of Progress Software's Hybrid Data Pipeline Server on Linux. This vulnerability allows attackers to combine credentials from different sources, potentially leading to client impersonation and unauthorized access.
When OAuth Clients perform an OAuth handshake with the Hybrid Data Pipeline Server, the server accepts client credentials from both HTTP headers and request parameters.
CVSS Score
8.1
EPSS Score
0.0
Published
2025-07-29
In Progress® Telerik® UI for AJAX, versions 2011.2.712 to 2025.1.218, an unsafe reflection vulnerability exists that may lead to an unhandled exception resulting in a crash of the hosting process and denial of service.
CVSS Score
7.5
EPSS Score
0.003
Published
2025-05-14
In WhatsUp Gold versions released before 2024.0.3, a
database manipulation
vulnerability allows an unauthenticated attacker to modify the contents of WhatsUp.dbo.WrlsMacAddressGroup.
CVSS Score
5.6
EPSS Score
0.0
Published
2025-04-14
Improper Privilege Management vulnerability for users configured as Shared Accounts in Progress MOVEit Transfer (SFTP module) allows Privilege Escalation.This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.12, from 2024.0.0 before 2024.0.8, from 2024.1.0 before 2024.1.2.
CVSS Score
5.9
EPSS Score
0.001
Published
2025-03-19
Improper Input Validation vulnerability in Progress LoadMaster allows : Buffer OverflowThis issue affects:
* LoadMaster: 7.2.40.0 and above
* ECS: All versions
* Multi-Tenancy: 7.1.35.4 and above
CVSS Score
4.3
EPSS Score
0.001
Published
2025-03-19
In Progress® Telerik® Reporting versions prior to 2025 Q1 (19.0.25.211), information disclosure is possible by a local threat actor through an absolute path vulnerability.
CVSS Score
5.3
EPSS Score
0.001
Published
2025-02-12
In Progress® Telerik® Kendo UI for Vue versions v2.4.0 through v6.0.1, an attacker can introduce or modify properties within the global prototype chain which can result in denial of service or command injection.
CVSS Score
4.1
EPSS Score
0.002
Published
2025-02-12
In Progress® Telerik® Document Processing Libraries, versions prior to 2025 Q1 (2025.1.205), using .NET Standard 2.0, the contents of a file at an arbitrary path can be exported to RTF.
CVSS Score
7.1
EPSS Score
0.013
Published
2025-02-12
Page 1