Filtered by vendor Progress
Subscriptions
Total
168 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2023-34362 | 1 Progress | 2 Moveit Cloud, Moveit Transfer | 2024-12-20 | 9.8 Critical |
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions. | ||||
CVE-2023-35708 | 1 Progress | 1 Moveit Transfer | 2024-12-17 | 9.8 Critical |
In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. These are fixed versions of the DLL drop-in: 2020.1.10 (12.1.10), 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3). | ||||
CVE-2024-1636 | 1 Progress | 1 Sitefinity | 2024-12-17 | 8 High |
Potential Cross-Site Scripting (XSS) in the page editing area. | ||||
CVE-2024-1632 | 1 Progress | 1 Sitefinity | 2024-12-17 | 8.8 High |
Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrative area. | ||||
CVE-2024-46907 | 1 Progress | 1 Whatsup Gold | 2024-12-10 | 8.8 High |
In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account. | ||||
CVE-2024-46908 | 1 Progress | 1 Whatsup Gold | 2024-12-10 | 8.8 High |
In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account. | ||||
CVE-2024-46909 | 1 Progress | 1 Whatsup Gold | 2024-12-10 | 9.8 Critical |
In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage this vulnerability to execute code in the context of the service account. | ||||
CVE-2024-8785 | 1 Progress | 1 Whatsup Gold | 2024-12-09 | 9.8 Critical |
In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage NmAPI.exe to create or change an existing registry value in registry path HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\. | ||||
CVE-2024-4562 | 1 Progress | 1 Whatsup Gold | 2024-12-09 | 5.4 Medium |
In WhatsUp Gold versions released before 2023.1.2 , an SSRF vulnerability exists in Whatsup Gold's Issue exists in the HTTP Monitoring functionality. Due to the lack of proper authorization, any authenticated user can access the HTTP monitoring functionality, what leads to the Server Side Request Forgery. | ||||
CVE-2024-4561 | 1 Progress | 1 Whatsup Gold | 2024-12-09 | 4.2 Medium |
In WhatsUp Gold versions released before 2023.1.2 , a blind SSRF vulnerability exists in Whatsup Gold's FaviconController that allows an attacker to send arbitrary HTTP requests on behalf of the vulnerable server. | ||||
CVE-2024-46906 | 1 Progress | 1 Whatsup Gold | 2024-12-07 | 8.8 High |
In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account. | ||||
CVE-2024-46905 | 1 Progress | 1 Whatsup Gold | 2024-12-03 | 8.8 High |
In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated lower-privileged user (at least Network Manager permissions required) to achieve privilege escalation to the admin account. | ||||
CVE-2024-5010 | 1 Progress | 1 Whatsup Gold | 2024-12-02 | 7.5 High |
In WhatsUp Gold versions released before 2023.1.3, a vulnerability exists in the TestController functionality. A specially crafted unauthenticated HTTP request can lead to a disclosure of sensitive information. | ||||
CVE-2024-5011 | 1 Progress | 1 Whatsup Gold | 2024-12-02 | 7.5 High |
In WhatsUp Gold versions released before 2023.1.3, an uncontrolled resource consumption vulnerability exists. A specially crafted unauthenticated HTTP request to the TestController Chart functionality can lead to denial of service. | ||||
CVE-2023-34203 | 1 Progress | 3 Openedge, Openedge Explorer, Openedge Management | 2024-12-02 | 8.8 High |
In Progress OpenEdge OEM (OpenEdge Management) and OEE (OpenEdge Explorer) before 12.7, a remote user (who has any OEM or OEE role) could perform a URL injection attack to change identity or role membership, e.g., escalate to admin. This affects OpenEdge LTS before 11.7.16, 12.x before 12.2.12, and 12.3.x through 12.6.x before 12.7. | ||||
CVE-2023-6784 | 1 Progress | 1 Sitefinity | 2024-11-27 | 4.7 Medium |
A malicious user could potentially use the Sitefinity system for the distribution of phishing emails. | ||||
CVE-2022-27665 | 1 Progress | 1 Ws Ftp Server | 2024-11-27 | 6.1 Medium |
Reflected XSS (via AngularJS sandbox escape expressions) exists in Progress Ipswitch WS_FTP Server 8.6.0. This can lead to execution of malicious code and commands on the client due to improper handling of user-provided input. By inputting malicious payloads in the subdirectory searchbar or Add folder filename boxes, it is possible to execute client-side commands. For example, there is Client-Side Template Injection via subFolderPath to the ThinClient/WtmApiService.asmx/GetFileSubTree URI. | ||||
CVE-2023-36932 | 1 Progress | 1 Moveit Transfer | 2024-11-21 | 8.1 High |
In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. | ||||
CVE-2023-36933 | 1 Progress | 1 Moveit Transfer | 2024-11-21 | 7.5 High |
In Progress MOVEit Transfer before 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), it is possible for an attacker to invoke a method that results in an unhandled exception. Triggering this workflow can cause the MOVEit Transfer application to terminate unexpectedly. | ||||
CVE-2023-36934 | 1 Progress | 1 Moveit Transfer | 2024-11-21 | 9.1 Critical |
In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. |