Progress: Security Vulnerabilities
In WhatsUp Gold versions released before 2023.1.2 ,
an SSRF vulnerability exists in Whatsup Gold's
Issue exists in the HTTP Monitoring functionality.
Due to the lack of proper authorization, any authenticated user can access the HTTP monitoring functionality, what leads to the Server Side Request Forgery.
CVSS Score
5.4
EPSS Score
0.0
Published
2024-05-14
Unauthenticated attackers can perform actions, using SSH private keys, by knowing the IP address and having access to the same network of one of the machines in the HA or Cluster group. This vulnerability has been closed by enhancing LoadMaster partner communications to require a shared secret that must be exchanged between the partners before communication can proceed.
CVSS Score
7.5
EPSS Score
0.002
Published
2024-05-02
Use of reversible password encryption algorithm allows attackers to decrypt passwords. Sensitive information can be easily unencrypted by the attacker, stolen credentials can be used for arbitrary actions to corrupt the system.
CVSS Score
6.4
EPSS Score
0.001
Published
2024-05-02
In Flowmon versions prior to 11.1.14 and 12.3.5, an operating system command injection vulnerability has been identified. An unauthenticated user can gain entry to the system via the Flowmon management interface, allowing for the execution of arbitrary system commands.
CVSS Score
10.0
EPSS Score
0.943
Published
2024-04-02
A cross-site request forgery vulnerability has been identified in LoadMaster. It is possible for a malicious actor, who has prior knowledge of the IP or hostname of a specific LoadMaster, to direct an authenticated LoadMaster administrator to a third-party site. In such a scenario, the CSRF payload hosted on the malicious site would execute HTTP transactions on behalf of the LoadMaster administrator.
CVSS Score
7.5
EPSS Score
0.064
Published
2024-03-22
An OS command injection vulnerability has been identified in LoadMaster. An authenticated UI user with any permission settings may be able to inject commands into a UI component using a shell command resulting in OS command injection.
CVSS Score
8.4
EPSS Score
0.227
Published
2024-03-22
In Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered. An authenticated user could manipulate a request to bypass the logging mechanism within the web application which results in user activity not being logged properly.
CVSS Score
4.3
EPSS Score
0.001
Published
2024-03-20
In Progress® Telerik® Reporting versions prior to 2024 Q1 (18.0.24.130), a code execution attack is possible by a remote threat actor through an insecure deserialization vulnerability.
CVSS Score
8.5
EPSS Score
0.001
Published
2024-03-20
In Progress® Telerik® Reporting versions prior to 2024 Q1 (18.0.24.130), a code execution attack is possible by a local threat actor through an insecure deserialization vulnerability.
CVSS Score
7.7
EPSS Score
0.0
Published
2024-03-20
In Progress® Telerik® Report Server versions prior to 2024 Q1 (10.0.24.130), a remote code execution attack is possible through an insecure deserialization vulnerability.
CVSS Score
9.9
EPSS Score
0.764
Published
2024-03-20