Filtered by vendor Progress
Subscribe
Total
202 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-34364 | 1 Progress | 1 Datadirect Odbc Oracle Wire Protocol Driver | 2025-01-06 | N/A | 9.8 CRITICAL |
| A buffer overflow was discovered in Progress DataDirect Connect for ODBC before 08.02.2770 for Oracle. An overly large value for certain options of a connection string may overrun the buffer allocated to process the string value. This allows an attacker to execute code of their choice on an affected host by copying carefully selected data that will be executed as code. | |||||
| CVE-2023-34363 | 1 Progress | 1 Datadirect Odbc Oracle Wire Protocol Driver | 2025-01-06 | N/A | 5.9 MEDIUM |
| An issue was discovered in Progress DataDirect Connect for ODBC before 08.02.2770 for Oracle. When using Oracle Advanced Security (OAS) encryption, if an error is encountered initializing the encryption object used to encrypt data, the code falls back to a different encryption mechanism that uses an insecure random number generator to generate the private key. It is possible for a well-placed attacker to predict the output of this random number generator, which could lead to an attacker decrypting traffic between the driver and the database server. The vulnerability does not exist if SSL / TLS encryption is used. | |||||
| CVE-2024-12106 | 1 Progress | 1 Whatsup Gold | 2025-01-06 | N/A | 9.4 CRITICAL |
| In WhatsUp Gold versions released before 2024.0.2, an unauthenticated attacker can configure LDAP settings. | |||||
| CVE-2024-12108 | 2 Microsoft, Progress | 2 Windows, Whatsup Gold | 2025-01-06 | N/A | 9.6 CRITICAL |
| In WhatsUp Gold versions released before 2024.0.2, an attacker can gain access to the WhatsUp Gold server via the public API. | |||||
| CVE-2023-35036 | 1 Progress | 1 Moveit Transfer | 2025-01-03 | N/A | 9.1 CRITICAL |
| In Progress MOVEit Transfer before 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2), SQL injection vulnerabilities have been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. | |||||
| CVE-2024-1474 | 1 Progress | 1 Ws Ftp Server | 2025-01-02 | N/A | 7.5 HIGH |
| In WS_FTP Server versions before 8.8.5, reflected cross-site scripting issues have been identified on various user supplied inputs on the WS_FTP Server administrative interface. | |||||
| CVE-2023-34362 | 1 Progress | 2 Moveit Cloud, Moveit Transfer | 2024-12-20 | N/A | 9.8 CRITICAL |
| In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions. | |||||
| CVE-2024-1636 | 1 Progress | 1 Sitefinity | 2024-12-16 | N/A | 8.0 HIGH |
| Potential Cross-Site Scripting (XSS) in the page editing area. | |||||
| CVE-2024-1632 | 1 Progress | 1 Sitefinity | 2024-12-16 | N/A | 8.8 HIGH |
| Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrative area. | |||||
| CVE-2024-46907 | 1 Progress | 1 Whatsup Gold | 2024-12-10 | N/A | 8.8 HIGH |
| In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account. | |||||
| CVE-2024-46908 | 1 Progress | 1 Whatsup Gold | 2024-12-10 | N/A | 8.8 HIGH |
| In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account. | |||||
| CVE-2024-46909 | 1 Progress | 1 Whatsup Gold | 2024-12-10 | N/A | 9.8 CRITICAL |
| In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage this vulnerability to execute code in the context of the service account. | |||||
| CVE-2024-8785 | 1 Progress | 1 Whatsup Gold | 2024-12-09 | N/A | 9.8 CRITICAL |
| In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage NmAPI.exe to create or change an existing registry value in registry path HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\. | |||||
| CVE-2024-4562 | 1 Progress | 1 Whatsup Gold | 2024-12-09 | N/A | 5.4 MEDIUM |
| In WhatsUp Gold versions released before 2023.1.2 , an SSRF vulnerability exists in Whatsup Gold's Issue exists in the HTTP Monitoring functionality. Due to the lack of proper authorization, any authenticated user can access the HTTP monitoring functionality, what leads to the Server Side Request Forgery. | |||||
| CVE-2024-4561 | 1 Progress | 1 Whatsup Gold | 2024-12-09 | N/A | 4.2 MEDIUM |
| In WhatsUp Gold versions released before 2023.1.2 , a blind SSRF vulnerability exists in Whatsup Gold's FaviconController that allows an attacker to send arbitrary HTTP requests on behalf of the vulnerable server. | |||||
| CVE-2024-46906 | 1 Progress | 1 Whatsup Gold | 2024-12-06 | N/A | 8.8 HIGH |
| In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account. | |||||
| CVE-2024-46905 | 1 Progress | 1 Whatsup Gold | 2024-12-03 | N/A | 8.8 HIGH |
| In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated lower-privileged user (at least Network Manager permissions required) to achieve privilege escalation to the admin account. | |||||
| CVE-2024-6327 | 1 Progress | 1 Telerik Report Server | 2024-11-21 | N/A | 9.9 CRITICAL |
| In Progress® Telerik® Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization vulnerability. | |||||
| CVE-2024-5805 | 1 Progress | 1 Moveit Gateway | 2024-11-21 | N/A | 9.1 CRITICAL |
| Improper Authentication vulnerability in Progress MOVEit Gateway (SFTP modules) allows Authentication Bypass.This issue affects MOVEit Gateway: 2024.0.0. | |||||
| CVE-2024-5019 | 1 Progress | 1 Whatsup Gold | 2024-11-21 | N/A | 5.3 MEDIUM |
| In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Arbitrary File Read issue exists in Wug.UI.Areas.Wug.Controllers.SessionController.CachedCSS. This vulnerability allows reading of any file with iisapppool\NmConsole privileges. | |||||