Progress: Security Vulnerabilities
In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a command injection attack is possible through improper neutralization of hyperlink elements.
CVSS Score
7.8
EPSS Score
0.002
Published
2024-10-09
In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible through object injection via an insecure type resolution vulnerability.
CVSS Score
8.8
EPSS Score
0.005
Published
2024-10-09
In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a credential stuffing attack is possible through improper restriction of excessive login attempts.
CVSS Score
7.5
EPSS Score
0.001
Published
2024-10-09
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows OS Command Injection.This issue affects:
Product
Affected Versions
LoadMaster
From 7.2.55.0 to 7.2.60.0 (inclusive)
From 7.2.49.0 to 7.2.54.11 (inclusive)
7.2.48.12 and all prior versions
Multi-Tenant Hypervisor
7.1.35.11 and all prior versions
ECS
All prior versions to 7.2.60.0 (inclusive)
CVSS Score
8.4
EPSS Score
0.001
Published
2024-09-12
An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated. Unauthorized access to the discovery service's UDP port allowed content injection into parts of the OEM web interface making it possible for other types of attack that could spoof or deceive web interface users. Unauthorized use of the OEE/OEM discovery service was remediated by deactivating the discovery service by default.
CVSS Score
8.3
EPSS Score
0.001
Published
2024-09-03
Local ABL Client bypass of the required PASOE security checks may allow an attacker to commit unauthorized code injection into Multi-Session Agents on supported OpenEdge LTS platforms up to OpenEdge LTS 11.7.18 and LTS 12.2.13 on all supported release platforms
CVSS Score
8.3
EPSS Score
0.0
Published
2024-09-03
Host name validation for TLS certificates is bypassed when the installed OpenEdge default certificates are used to perform the TLS handshake for a networked connection. This has been corrected so that default certificates are no longer capable of overriding host name validation and will need to be replaced where full TLS certificate validation is needed for network security. The existing certificates should be replaced with CA-signed certificates from a recognized certificate authority that contain the necessary information to support host name validation.
CVSS Score
7.2
EPSS Score
0.0
Published
2024-09-03
CVE-2024-6670
In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.
Known exploited
CVSS Score
9.8
EPSS Score
0.945
Published
2024-08-29
In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.
CVSS Score
9.8
EPSS Score
0.057
Published
2024-08-29
In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an authenticated low-privileged attacker to achieve privilege escalation by modifying a privileged user's password.
CVSS Score
8.8
EPSS Score
0.015
Published
2024-08-29