
    112 vulnerabilities found for whatsup_gold by progress

    CVE-2025-2572 (GCVE-0-2025-2572)

    Vulnerability from nvd – Published: 2025-04-14 16:06 – Updated: 2025-04-14 18:07
    VLAI
    Title
    WhatsUp Gold NmConfigurationManager.exe database manipulation vulnerability
    Summary
    In WhatsUp Gold versions released before 2024.0.3, a database manipulation vulnerability allows an unauthenticated attacker to modify the contents of WhatsUp.dbo.WrlsMacAddressGroup.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2024.0.1 , ≤ 2024.0.2 (semver)
    Credits
    Jimi from Tenable

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2572",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-14T17:20:36.637462Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-14T18:07:07.373Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "API Endpoint"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThanOrEqual": "2024.0.2",
                  "status": "affected",
                  "version": "2024.0.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jimi from Tenable"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2024.0.3, a \n\n\u003cspan style=\"background-color: rgba(161, 189, 217, 0.08);\"\u003edatabase manipulation \u003c/span\u003e\n\nvulnerability allows an unauthenticated attacker to modify the contents of\u0026nbsp;\u003cspan style=\"background-color: rgba(161, 189, 217, 0.08);\"\u003eWhatsUp.dbo.WrlsMacAddressGroup.\u003cbr\u003e\u003c/span\u003e"
                }
              ],
              "value": "In WhatsUp Gold versions released before 2024.0.3, a \n\ndatabase manipulation \n\nvulnerability allows an unauthenticated attacker to modify the contents of\u00a0WhatsUp.dbo.WrlsMacAddressGroup."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-14T16:06:45.424Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://www.progress.com/network-monitoring"
            },
            {
              "url": "https://docs.progress.com/bundle/whatsupgold-release-notes-24-0/page/WhatsUp-Gold-2024.0-Release-Notes.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WhatsUp Gold NmConfigurationManager.exe database manipulation vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2025-2572",
        "datePublished": "2025-04-14T16:06:45.424Z",
        "dateReserved": "2025-03-20T20:17:34.692Z",
        "dateUpdated": "2025-04-14T18:07:07.373Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-12108 (GCVE-0-2024-12108)

    Vulnerability from nvd – Published: 2024-12-31 10:31 – Updated: 2025-01-04 04:55
    VLAI
    Title
    WhatsUp Gold - Public API signing key rotation issue
    Summary
    In WhatsUp Gold versions released before 2024.0.2, an attacker can gain access to the WhatsUp Gold server via the public API.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-290 - Authentication Bypass by Spoofing
    Assigner
    References
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2023.1.0 , < 2024.0.2 (semver)
    Credits
    Mike Barber, Software Architect at Progress Software

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-12108",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-03T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-04T04:55:29.674Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024.0.2",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mike Barber, Software Architect at Progress Software"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2024.0.2, an attacker can gain access to the WhatsUp Gold server via the public API."
                }
              ],
              "value": "In WhatsUp Gold versions released before 2024.0.2, an attacker can gain access to the WhatsUp Gold server via the public API."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.6,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290 Authentication Bypass by Spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-31T10:31:56.107Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://www.progress.com/network-monitoring"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "WhatsUp Gold - Public API signing key rotation issue",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-12108",
        "datePublished": "2024-12-31T10:31:56.107Z",
        "dateReserved": "2024-12-03T19:30:25.687Z",
        "dateUpdated": "2025-01-04T04:55:29.674Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-12106 (GCVE-0-2024-12106)

    Vulnerability from nvd – Published: 2024-12-31 10:32 – Updated: 2025-01-04 04:55
    VLAI
    Title
    WhatsUp Gold - LDAP configuration interface leading to allowing attacker to configure LDAP settings without authentication
    Summary
    In WhatsUp Gold versions released before 2024.0.2, an unauthenticated attacker can configure LDAP settings.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    References
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2023.1.0 , < 2024.0.2 (semver)
    Credits
    Batuhan Er (@int20z) of Exploit7.tr

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-12106",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-03T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-04T04:55:30.898Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "APIEndpoint"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024.0.2",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Batuhan Er (@int20z) of Exploit7.tr"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2024.0.2, an unauthenticated attacker can configure\u003cspan style=\"background-color: rgb(247, 247, 247);\"\u003e\u0026nbsp;LDAP settings.\u003c/span\u003e"
                }
              ],
              "value": "In WhatsUp Gold versions released before 2024.0.2, an unauthenticated attacker can configure\u00a0LDAP settings."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306 Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-31T10:32:02.035Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://www.progress.com/network-monitoring"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WhatsUp Gold -  LDAP configuration interface leading to allowing attacker to configure LDAP settings without authentication",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-12106",
        "datePublished": "2024-12-31T10:32:02.035Z",
        "dateReserved": "2024-12-03T16:20:30.450Z",
        "dateUpdated": "2025-01-04T04:55:30.898Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-12105 (GCVE-0-2024-12105)

    Vulnerability from nvd – Published: 2024-12-31 10:32 – Updated: 2025-01-08 13:07
    VLAI
    Title
    WhatsUp Gold - SnmpExtendedActiveMonitor path traversal
    Summary
    In WhatsUp Gold versions released before 2024.0.2, an authenticated user can use a specially crafted HTTP request that can lead to information disclosure.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2023.1.0 , < 2024.0.2 (semver)
    Credits
    Marcin 'Icewall' Noga of Cisco Talos

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-12105",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-31T15:33:17.292251Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-31T15:33:26.240Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-01-08T13:07:04.839Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2089"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024.0.2",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Marcin \u0027Icewall\u0027 Noga of Cisco Talos"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2024.0.2, an authenticated user can use a\u0026nbsp;\u003cspan style=\"background-color: rgba(161, 189, 217, 0.08);\"\u003especially crafted HTTP request that can lead to information disclosure.\u003c/span\u003e"
                }
              ],
              "value": "In WhatsUp Gold versions released before 2024.0.2, an authenticated user can use a\u00a0specially crafted HTTP request that can lead to information disclosure."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126 Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-31T10:32:08.238Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://www.progress.com/network-monitoring"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WhatsUp Gold - SnmpExtendedActiveMonitor path traversal",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-12105",
        "datePublished": "2024-12-31T10:32:08.238Z",
        "dateReserved": "2024-12-03T16:20:11.850Z",
        "dateUpdated": "2025-01-08T13:07:04.839Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8785 (GCVE-0-2024-8785)

    Vulnerability from nvd – Published: 2024-12-02 14:49 – Updated: 2024-12-02 15:30
    VLAI
    Title
    WhatsUp Gold Registry Overwrite Remote Code Execution Vulnerability
    Summary
    In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage NmAPI.exe to create or change an existing registry value in registry path HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-648 - Incorrect Use of Privileged APIs
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2023.1.0 , < 2024.0.1 (semver)
    progress whatsup_gold Affected: 2023.1.0 , < 2024.0.1 (custom)
        cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*
    Credits
    Tenable

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "whatsup_gold",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2024.0.1",
                    "status": "affected",
                    "version": "2023.1.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8785",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-02T15:22:30.482222Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-02T15:30:19.766Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "API Endpoint"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024.0.1",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Tenable"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2024.0.1, a\u0026nbsp;remote unauthenticated attacker could leverage NmAPI.exe to create or change an existing registry value in registry path HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Ipswitch\\."
                }
              ],
              "value": "In WhatsUp Gold versions released before 2024.0.1, a\u00a0remote unauthenticated attacker could leverage NmAPI.exe to create or change an existing registry value in registry path HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Ipswitch\\."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-203",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-203 Manipulate Registry Information"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-648",
                  "description": "CWE-648 Incorrect Use of Privileged APIs",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-02T14:49:36.748Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://www.progress.com/network-monitoring"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.progress.com/bundle/whatsupgold-release-notes-24-0/page/WhatsUp-Gold-2024.0-Release-Notes.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WhatsUp Gold Registry Overwrite Remote Code Execution Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-8785",
        "datePublished": "2024-12-02T14:49:36.748Z",
        "dateReserved": "2024-09-13T14:50:10.817Z",
        "dateUpdated": "2024-12-02T15:30:19.766Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-46909 (GCVE-0-2024-46909)

    Vulnerability from nvd – Published: 2024-12-02 14:46 – Updated: 2024-12-02 15:30
    VLAI
    Title
    WhatsUp Gold WriteDataFile Directory Traversal Remote Code Execution Vulnerability
    Summary
    In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage this vulnerability to execute code in the context of the service account.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    • CWE-73 - External Control of File Name or Path
    • CWE-16 - Configuration
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2023.1.0 , < 2024.0.1 (semver)
    progress whatsup_gold Affected: 2023.1.0 , < 2024.0.1 (custom)
        cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*
    Credits
    Andy Niu of Trend Micro

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "whatsup_gold",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2024.0.1",
                    "status": "affected",
                    "version": "2023.1.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-46909",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-02T15:21:54.773988Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-02T15:30:19.651Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "API Endpoint"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024.0.1",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Andy Niu of Trend Micro"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2024.0.1, a\u0026nbsp;remote unauthenticated attacker could leverage this vulnerability to execute code in the context of the service account.\u003cbr\u003e"
                }
              ],
              "value": "In WhatsUp Gold versions released before 2024.0.1, a\u00a0remote unauthenticated attacker could leverage this vulnerability to execute code in the context of the service account."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-165",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-165 File Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-73",
                  "description": "CWE-73 External Control of File Name or Path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-16",
                  "description": "CWE-16 Configuration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-02T14:46:49.513Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://www.progress.com/network-monitoring"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.progress.com/bundle/whatsupgold-release-notes-24-0/page/WhatsUp-Gold-2024.0-Release-Notes.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WhatsUp Gold WriteDataFile Directory Traversal Remote Code Execution Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-46909",
        "datePublished": "2024-12-02T14:46:49.513Z",
        "dateReserved": "2024-09-13T14:50:06.820Z",
        "dateUpdated": "2024-12-02T15:30:19.651Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-46908 (GCVE-0-2024-46908)

    Vulnerability from nvd – Published: 2024-12-02 14:40 – Updated: 2024-12-02 15:30
    VLAI
    Title
    WhatsUp Gold GetFilterCriteria SQL Injection Privilege Escalation Vulnerability
    Summary
    In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2023.1.0 , < 2024.0.1 (semver)
    progress whatsup_gold Affected: 2023.1.0 , < 2024.0.1 (custom)
        cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*
    Credits
    Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "whatsup_gold",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2024.0.1",
                    "status": "affected",
                    "version": "2023.1.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-46908",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-02T15:21:45.398276Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-02T15:30:19.516Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "API Endpoint"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024.0.1",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required)\n\n to achieve privilege escalation to the admin account."
                }
              ],
              "value": "In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required)\n\n to achieve privilege escalation to the admin account."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-02T14:40:08.735Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://www.progress.com/network-monitoring"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.progress.com/bundle/whatsupgold-release-notes-24-0/page/WhatsUp-Gold-2024.0-Release-Notes.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WhatsUp Gold GetFilterCriteria SQL Injection Privilege Escalation Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-46908",
        "datePublished": "2024-12-02T14:40:08.735Z",
        "dateReserved": "2024-09-13T14:50:06.819Z",
        "dateUpdated": "2024-12-02T15:30:19.516Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-46907 (GCVE-0-2024-46907)

    Vulnerability from nvd – Published: 2024-12-02 14:42 – Updated: 2024-12-02 15:30
    VLAI
    Title
    WhatsUp Gold GetFilterCriteria SQL Injection Privilege Escalation Vulnerability
    Summary
    In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2023.1.0 , < 2024.0.1 (semver)
    progress whatsup_gold Affected: 2023.1.0 , < 2024.0.1 (custom)
        cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*
    Credits
    Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "whatsup_gold",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2024.0.1",
                    "status": "affected",
                    "version": "2023.1.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-46907",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-02T15:17:52.053686Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-02T15:30:19.393Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "API Endpoint"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024.0.1",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account."
                }
              ],
              "value": "In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-02T14:42:08.418Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://www.progress.com/network-monitoring"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.progress.com/bundle/whatsupgold-release-notes-24-0/page/WhatsUp-Gold-2024.0-Release-Notes.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WhatsUp Gold GetFilterCriteria SQL Injection Privilege Escalation Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-46907",
        "datePublished": "2024-12-02T14:42:08.418Z",
        "dateReserved": "2024-09-13T14:50:06.819Z",
        "dateUpdated": "2024-12-02T15:30:19.393Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-46906 (GCVE-0-2024-46906)

    Vulnerability from nvd – Published: 2024-12-02 14:44 – Updated: 2024-12-02 15:30
    VLAI
    Title
    WhatsUp Gold GetSqlWhereClause SQL Injection Privilege Escalation Vulnerability
    Summary
    In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2023.1.0 , < 2024.0.1 (semver)
    progress whatsup_gold Affected: 2023.1.0 , < 2024.0.1 (custom)
        cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*
    Credits
    Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "whatsup_gold",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2024.0.1",
                    "status": "affected",
                    "version": "2023.1.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-46906",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-02T15:21:49.800800Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-02T15:30:19.268Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "API Endpoint"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024.0.1",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required)  to achieve privilege escalation to the admin account."
                }
              ],
              "value": "In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required)  to achieve privilege escalation to the admin account."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-02T14:44:08.220Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://www.progress.com/network-monitoring"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.progress.com/bundle/whatsupgold-release-notes-24-0/page/WhatsUp-Gold-2024.0-Release-Notes.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WhatsUp Gold GetSqlWhereClause  SQL Injection Privilege Escalation Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-46906",
        "datePublished": "2024-12-02T14:44:08.220Z",
        "dateReserved": "2024-09-13T14:50:06.819Z",
        "dateUpdated": "2024-12-02T15:30:19.268Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-46905 (GCVE-0-2024-46905)

    Vulnerability from nvd – Published: 2024-12-02 14:45 – Updated: 2024-12-02 15:30
    VLAI
    Title
    WhatsUp Gold GetOrderByClause SQL Injection Privilege Escalation Vulnerability
    Summary
    In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated lower-privileged user (at least Network Manager permissions required) to achieve privilege escalation to the admin account.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2023.1.0 , < 2024.0.1 (semver)
    progress whatsup_gold Affected: 2023.1.0 , < 2024.0.1 (custom)
        cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*
    Credits
    Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "whatsup_gold",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2024.0.1",
                    "status": "affected",
                    "version": "2023.1.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-46905",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-02T15:21:40.531864Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-02T15:30:19.092Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "API Endpoint"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024.0.1",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated lower-privileged user (at least Network Manager permissions required) to achieve privilege escalation to the admin account."
                }
              ],
              "value": "In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated lower-privileged user (at least Network Manager permissions required) to achieve privilege escalation to the admin account."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-02T14:45:13.504Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://www.progress.com/network-monitoring"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.progress.com/bundle/whatsupgold-release-notes-24-0/page/WhatsUp-Gold-2024.0-Release-Notes.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WhatsUp Gold GetOrderByClause SQL Injection Privilege Escalation Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-46905",
        "datePublished": "2024-12-02T14:45:13.504Z",
        "dateReserved": "2024-09-13T14:50:06.819Z",
        "dateUpdated": "2024-12-02T15:30:19.092Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-7763 (GCVE-0-2024-7763)

    Vulnerability from nvd – Published: 2024-10-24 20:11 – Updated: 2024-10-29 03:55
    VLAI
    Title
    WhatsUp Gold getReport Missing Authentication Authentication Bypass Vulnerability
    Summary
    In WhatsUp Gold versions released before 2024.0.0, an Authentication Bypass issue exists which allows an attacker to obtain encrypted user credentials.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2023.1.0 , < 2024.0.0 (semver)
    progress whatsup_gold Affected: 2023.1.0 , < 2024.0.0 (semver)
        cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*
    Credits
    Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "whatsup_gold",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2024.0.0",
                    "status": "affected",
                    "version": "2023.1.0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7763",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-28T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-29T03:55:09.900Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "API Endpoint"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024.0.0",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2024.0.0,\u0026nbsp;\n\n\u003cspan style=\"background-color: rgba(161, 189, 217, 0.08);\"\u003ean Authentication Bypass issue exists which allows an attacker to obtain encrypted user credentials.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e"
                }
              ],
              "value": "In WhatsUp Gold versions released before 2024.0.0,\u00a0\n\nan Authentication Bypass issue exists which allows an attacker to obtain encrypted user credentials."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-24T20:11:50.614Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.progress.com/network-monitoring"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WhatsUp Gold getReport Missing Authentication Authentication Bypass Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-7763",
        "datePublished": "2024-10-24T20:11:50.614Z",
        "dateReserved": "2024-08-13T18:22:43.153Z",
        "dateUpdated": "2024-10-29T03:55:09.900Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-6672 (GCVE-0-2024-6672)

    Vulnerability from nvd – Published: 2024-08-29 22:07 – Updated: 2024-08-30 13:45
    VLAI
    Title
    WhatsUp Gold getMonitorJoin SQL Injection Privilege Escalation Vulnerability
    Summary
    In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an authenticated low-privileged attacker to achieve privilege escalation by modifying a privileged user's password.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2023.1.0 , < 2024.0.0 (semver)
    progress whatsupgold Affected: 2023.1.0 , < 2024.0.0 (semver)
        cpe:2.3:a:progress:whatsupgold:*:*:*:*:*:*:*:*
    Credits
    Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:whatsupgold:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "affected",
                "product": "whatsupgold",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2024.0.0",
                    "status": "affected",
                    "version": "2023.1.0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6672",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-30T13:44:33.392630Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-30T13:45:45.129Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "API Endpoint"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024.0.0",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an authenticated low-privileged attacker to achieve privilege escalation by modifying a privileged user\u0027s password."
                }
              ],
              "value": "In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an authenticated low-privileged attacker to achieve privilege escalation by modifying a privileged user\u0027s password."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-08-29T22:07:13.727Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.progress.com/network-monitoring"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WhatsUp Gold getMonitorJoin SQL Injection Privilege Escalation Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-6672",
        "datePublished": "2024-08-29T22:07:13.727Z",
        "dateReserved": "2024-07-10T19:45:29.346Z",
        "dateUpdated": "2024-08-30T13:45:45.129Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-6671 (GCVE-0-2024-6671)

    Vulnerability from nvd – Published: 2024-08-29 22:06 – Updated: 2024-09-25 03:55
    Title
    WhatsUp Gold GetStatisticalMonitorList SQL Injection Authentication Bypass Vulnerability
    Summary
    In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2023.1.0 , < 2024.0.0 (semver)
    progress whatsupgold Affected: 2023.1.0 , < 2024.0.0 (semver)
        cpe:2.3:a:progress:whatsupgold:*:*:*:*:*:*:*:*
    Credits
    Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:whatsupgold:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "affected",
                "product": "whatsupgold",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2024.0.0",
                    "status": "affected",
                    "version": "2023.1.0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6671",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-24T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-25T03:55:41.371Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "API Endpoint"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024.0.0",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, \u003cspan style=\"background-color: var(--wht);\"\u003ea SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.\u003c/span\u003e\n\n\u003cbr\u003e\n\n\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-08-29T22:06:19.291Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.progress.com/network-monitoring"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WhatsUp Gold GetStatisticalMonitorList SQL Injection Authentication Bypass Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-6671",
        "datePublished": "2024-08-29T22:06:19.291Z",
        "dateReserved": "2024-07-10T19:45:28.296Z",
        "dateUpdated": "2024-09-25T03:55:41.371Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-6670 (GCVE-0-2024-6670)

    Vulnerability from nvd – Published: 2024-08-29 22:04 – Updated: 2025-10-21 22:55
    Title
    WhatsUp Gold HasErrors SQL Injection Authentication Bypass Vulnerability
    Summary
    In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password.
    SSVC
    Exploitation: active Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2023.1.0 , < 2024.0.0 (semver)
    progress whatsupgold Affected: 2023.1.0 , < 2024.0.0 (semver)
        cpe:2.3:a:progress:whatsupgold:*:*:*:*:*:*:*:*
    Credits
    Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:whatsupgold:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "affected",
                "product": "whatsupgold",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2024.0.0",
                    "status": "affected",
                    "version": "2023.1.0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6670",
                    "options": [
                      {
                        "Exploitation": "active"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-27T22:06:14.229470Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              },
              {
                "other": {
                  "content": {
                    "dateAdded": "2024-09-16",
                    "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-6670"
                  },
                  "type": "kev"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-21T22:55:46.285Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "government-resource"
                ],
                "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-6670"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2024-09-16T00:00:00.000Z",
                "value": "CVE-2024-6670 added to CISA KEV"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "API Endpoint"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024.0.0",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2024.0.0,\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003ea SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.\u003c/span\u003e"
                }
              ],
              "value": "In WhatsUp Gold versions released before 2024.0.0,\u00a0a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-08-29T22:04:41.139Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.progress.com/network-monitoring"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WhatsUp Gold HasErrors SQL Injection Authentication Bypass Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-6670",
        "datePublished": "2024-08-29T22:04:41.139Z",
        "dateReserved": "2024-07-10T19:45:27.069Z",
        "dateUpdated": "2025-10-21T22:55:46.285Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-5019 (GCVE-0-2024-5019)

    Vulnerability from nvd – Published: 2024-06-25 20:29 – Updated: 2024-08-01 20:55
    VLAI
    Title
    WhatsUp Gold LoadCSSUsingBasePath Directory Traversal Information Disclosure Vulnerability
    Summary
    In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Arbitrary File Read issue exists in Wug.UI.Areas.Wug.Controllers.SessionController.CachedCSS. This vulnerability allows reading of any file that is accessible with iisapppool\NmConsole privileges.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2023.1.0 , < 2023.1.3 (semver)
    progress whatsup_gold Affected: 2023.1.0 , < 2023.1.3 (semver)
        cpe:2.3:a:progress:whatsup_gold:2023.1.0:*:*:*:*:*:*:*
    Credits
    Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:whatsup_gold:2023.1.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "affected",
                "product": "whatsup_gold",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2023.1.3",
                    "status": "affected",
                    "version": "2023.1.0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-5019",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-26T13:45:44.009938Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-26T23:34:34.233Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:55:10.378Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "product",
                  "x_transferred"
                ],
                "url": "https://www.progress.com/network-monitoring"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "API Endpoint"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2023.1.3",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2023.1.3,\u003cspan style=\"background-color: rgba(161, 189, 217, 0.08);\"\u003e\u0026nbsp;\n\nan unauthenticated Arbitrary File Read issue exists in Wug.UI.Areas.Wug.Controllers.SessionController.CachedCSS. This\u0026nbsp;\u003ccode\u003evulnerability allows reading of any file with iisapppool\\NmConsole privileges.\u0026nbsp;\u003c/code\u003e\u003c/span\u003e\u003cspan style=\"background-color: rgba(161, 189, 217, 0.08);\"\u003e\u003cspan style=\"background-color: rgba(9, 30, 66, 0.06);\"\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\n\n\u003c/span\u003e"
                }
              ],
              "value": "In WhatsUp Gold versions released before 2023.1.3,\u00a0\n\nan unauthenticated Arbitrary File Read issue exists in Wug.UI.Areas.Wug.Controllers.SessionController.CachedCSS. This\u00a0vulnerability allows reading of any file with iisapppool\\NmConsole privileges."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-113",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-113 API Manipulation"
                }
              ]
            },
            {
              "capecId": "CAPEC-497",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-497 File Discovery"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-06-25T20:29:00.522Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.progress.com/network-monitoring"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WhatsUp Gold LoadCSSUsingBasePath Directory Traversal Information Disclosure Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-5019",
        "datePublished": "2024-06-25T20:29:00.522Z",
        "dateReserved": "2024-05-16T15:59:57.666Z",
        "dateUpdated": "2024-08-01T20:55:10.378Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-5018 (GCVE-0-2024-5018)

    Vulnerability from nvd – Published: 2024-06-25 20:27 – Updated: 2024-08-01 20:55
    VLAI
    Title
    WhatsUp Gold LoadUsingBasePath Directory Traversal Information Disclosure Vulnerability
    Summary
    In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Path Traversal vulnerability exists in Wug.UI.Areas.Wug.Controllers.SessionController.LoadNMScript. This allows reading of any file from the application's web-root directory.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2023.1.0 , < 2023.1.3 (semver)
    progress whatsup_gold Affected: 2023.1.0 , < 2023.1.3 (semver)
        cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*
    Credits
    Abdessamad Lahlali of Trend Micro.

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "whatsup_gold",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2023.1.3",
                    "status": "affected",
                    "version": "2023.1.0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-5018",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-26T17:44:51.993372Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-26T17:46:16.699Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:55:10.444Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "product",
                  "x_transferred"
                ],
                "url": "https://www.progress.com/network-monitoring"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "API Endpoint"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2023.1.3",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdessamad Lahlali of Trend Micro."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Path Traversal vulnerability exists Wug.UI.Areas.Wug.Controllers.SessionController.LoadNMScript. This allows allows reading of any file from the applications web-root directory .\u003cbr\u003e"
                }
              ],
              "value": "In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Path Traversal vulnerability exists Wug.UI.Areas.Wug.Controllers.SessionController.LoadNMScript. This allows allows reading of any file from the applications web-root directory ."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126 Path Traversal"
                }
              ]
            },
            {
              "capecId": "CAPEC-410",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-410 Information Elicitation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-06-25T20:27:11.395Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.progress.com/network-monitoring"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WhatsUp Gold LoadUsingBasePath Directory Traversal Information Disclosure Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-5018",
        "datePublished": "2024-06-25T20:27:11.395Z",
        "dateReserved": "2024-05-16T15:59:56.888Z",
        "dateUpdated": "2024-08-01T20:55:10.444Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-2572 (GCVE-0-2025-2572)

    Vulnerability from cvelistv5 – Published: 2025-04-14 16:06 – Updated: 2025-04-14 18:07
    VLAI
    Title
    WhatsUp Gold NmConfigurationManager.exe database manipulation vulnerability
    Summary
    In WhatsUp Gold versions released before 2024.0.3, a database manipulation vulnerability allows an unauthenticated attacker to modify the contents of WhatsUp.dbo.WrlsMacAddressGroup.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2024.0.1 , ≤ 2024.0.2 (semver)
    Credits
    Jimi from Tenable

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2572",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-14T17:20:36.637462Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-14T18:07:07.373Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "API Endpoint"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThanOrEqual": "2024.0.2",
                  "status": "affected",
                  "version": "2024.0.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jimi from Tenable"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2024.0.3, a \n\n\u003cspan style=\"background-color: rgba(161, 189, 217, 0.08);\"\u003edatabase manipulation \u003c/span\u003e\n\nvulnerability allows an unauthenticated attacker to modify the contents of\u0026nbsp;\u003cspan style=\"background-color: rgba(161, 189, 217, 0.08);\"\u003eWhatsUp.dbo.WrlsMacAddressGroup.\u003cbr\u003e\u003c/span\u003e"
                }
              ],
              "value": "In WhatsUp Gold versions released before 2024.0.3, a \n\ndatabase manipulation \n\nvulnerability allows an unauthenticated attacker to modify the contents of\u00a0WhatsUp.dbo.WrlsMacAddressGroup."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-14T16:06:45.424Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://www.progress.com/network-monitoring"
            },
            {
              "url": "https://docs.progress.com/bundle/whatsupgold-release-notes-24-0/page/WhatsUp-Gold-2024.0-Release-Notes.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WhatsUp Gold NmConfigurationManager.exe database manipulation vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2025-2572",
        "datePublished": "2025-04-14T16:06:45.424Z",
        "dateReserved": "2025-03-20T20:17:34.692Z",
        "dateUpdated": "2025-04-14T18:07:07.373Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-12105 (GCVE-0-2024-12105)

    Vulnerability from cvelistv5 – Published: 2024-12-31 10:32 – Updated: 2025-01-08 13:07
    VLAI
    Title
    WhatsUp Gold - SnmpExtendedActiveMonitor path traversal
    Summary
    In WhatsUp Gold versions released before 2024.0.2, an authenticated user can use a specially crafted HTTP request that can lead to information disclosure.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2023.1.0 , < 2024.0.2 (semver)
    Credits
    Marcin 'Icewall' Noga of Cisco Talos

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-12105",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-31T15:33:17.292251Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-31T15:33:26.240Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-01-08T13:07:04.839Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2089"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024.0.2",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Marcin \u0027Icewall\u0027 Noga of Cisco Talos"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2024.0.2, an authenticated user can use a\u0026nbsp;\u003cspan style=\"background-color: rgba(161, 189, 217, 0.08);\"\u003especially crafted HTTP request that can lead to information disclosure.\u003c/span\u003e"
                }
              ],
              "value": "In WhatsUp Gold versions released before 2024.0.2, an authenticated user can use a\u00a0specially crafted HTTP request that can lead to information disclosure."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126 Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-31T10:32:08.238Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://www.progress.com/network-monitoring"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WhatsUp Gold - SnmpExtendedActiveMonitor path traversal",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-12105",
        "datePublished": "2024-12-31T10:32:08.238Z",
        "dateReserved": "2024-12-03T16:20:11.850Z",
        "dateUpdated": "2025-01-08T13:07:04.839Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-12106 (GCVE-0-2024-12106)

    Vulnerability from cvelistv5 – Published: 2024-12-31 10:32 – Updated: 2025-01-04 04:55
    VLAI
    Title
    WhatsUp Gold - LDAP configuration interface leading to allowing attacker to configure LDAP settings without authentication
    Summary
    In WhatsUp Gold versions released before 2024.0.2, an unauthenticated attacker can configure LDAP settings.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    References
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2023.1.0 , < 2024.0.2 (semver)
    Credits
    Batuhan Er (@int20z) of Exploit7.tr

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-12106",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-03T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-04T04:55:30.898Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "APIEndpoint"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024.0.2",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Batuhan Er (@int20z) of Exploit7.tr"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2024.0.2, an unauthenticated attacker can configure\u003cspan style=\"background-color: rgb(247, 247, 247);\"\u003e\u0026nbsp;LDAP settings.\u003c/span\u003e"
                }
              ],
              "value": "In WhatsUp Gold versions released before 2024.0.2, an unauthenticated attacker can configure\u00a0LDAP settings."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306 Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-31T10:32:02.035Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://www.progress.com/network-monitoring"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WhatsUp Gold -  LDAP configuration interface leading to allowing attacker to configure LDAP settings without authentication",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-12106",
        "datePublished": "2024-12-31T10:32:02.035Z",
        "dateReserved": "2024-12-03T16:20:30.450Z",
        "dateUpdated": "2025-01-04T04:55:30.898Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-12108 (GCVE-0-2024-12108)

    Vulnerability from cvelistv5 – Published: 2024-12-31 10:31 – Updated: 2025-01-04 04:55
    VLAI
    Title
    WhatsUp Gold - Public API signing key rotation issue
    Summary
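    In WhatsUp Gold versions released before 2024.0.2, an attacker can gain access to the WhatsUp Gold server via the public API. The record's title ties this to public API signing key rotation, and its CVSS vector (PR:L) indicates that low privileges are required.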
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-290 - Authentication Bypass by Spoofing
    Assigner
    References
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2023.1.0 , < 2024.0.2 (semver)
    Credits
    Mike Barber, Software Architect at Progress Software

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-12108",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-03T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-04T04:55:29.674Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024.0.2",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mike Barber, Software Architect at Progress Software"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2024.0.2, an attacker can gain access to the WhatsUp Gold server via the public API."
                }
              ],
              "value": "In WhatsUp Gold versions released before 2024.0.2, an attacker can gain access to the WhatsUp Gold server via the public API."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.6,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290 Authentication Bypass by Spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-31T10:31:56.107Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://www.progress.com/network-monitoring"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "WhatsUp Gold - Public API signing key rotation issue",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-12108",
        "datePublished": "2024-12-31T10:31:56.107Z",
        "dateReserved": "2024-12-03T19:30:25.687Z",
        "dateUpdated": "2025-01-04T04:55:29.674Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8785 (GCVE-0-2024-8785)

    Vulnerability from cvelistv5 – Published: 2024-12-02 14:49 – Updated: 2024-12-02 15:30
    VLAI
    Title
    WhatsUp Gold Registry Overwrite Remote Code Execution Vulnerability
    Summary
    In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage NmAPI.exe to create or change an existing registry value in registry path HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-648 - Incorrect Use of Privileged APIs
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2023.1.0 , < 2024.0.1 (semver)
    progress whatsup_gold Affected: 2023.1.0 , < 2024.0.1 (custom)
        cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*
    Credits
    Tenable

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "whatsup_gold",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2024.0.1",
                    "status": "affected",
                    "version": "2023.1.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8785",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-02T15:22:30.482222Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-02T15:30:19.766Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "API Endpoint"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024.0.1",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Tenable"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2024.0.1, a\u0026nbsp;remote unauthenticated attacker could leverage NmAPI.exe to create or change an existing registry value in registry path HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Ipswitch\\."
                }
              ],
              "value": "In WhatsUp Gold versions released before 2024.0.1, a\u00a0remote unauthenticated attacker could leverage NmAPI.exe to create or change an existing registry value in registry path HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Ipswitch\\."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-203",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-203 Manipulate Registry Information"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-648",
                  "description": "CWE-648 Incorrect Use of Privileged APIs",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-02T14:49:36.748Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://www.progress.com/network-monitoring"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.progress.com/bundle/whatsupgold-release-notes-24-0/page/WhatsUp-Gold-2024.0-Release-Notes.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WhatsUp Gold Registry Overwrite Remote Code Execution Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-8785",
        "datePublished": "2024-12-02T14:49:36.748Z",
        "dateReserved": "2024-09-13T14:50:10.817Z",
        "dateUpdated": "2024-12-02T15:30:19.766Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-46909 (GCVE-0-2024-46909)

    Vulnerability from cvelistv5 – Published: 2024-12-02 14:46 – Updated: 2024-12-02 15:30
    VLAI
    Title
    WhatsUp Gold WriteDataFile Directory Traversal Remote Code Execution Vulnerability
    Summary
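    In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage this vulnerability to execute code in the context of the service account. The record classifies the flaw as a path traversal (CWE-22) with external control of a file name or path (CWE-73), and its title names WriteDataFile as the affected function.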
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    • CWE-73 - External Control of File Name or Path
    • CWE-16 - Configuration
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2023.1.0 , < 2024.0.1 (semver)
    progress whatsup_gold Affected: 2023.1.0 , < 2024.0.1 (custom)
        cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*
    Credits
    Andy Niu of Trend Micro

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "whatsup_gold",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2024.0.1",
                    "status": "affected",
                    "version": "2023.1.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-46909",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-02T15:21:54.773988Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-02T15:30:19.651Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "API Endpoint"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024.0.1",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Andy Niu of Trend Micro"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2024.0.1, a\u0026nbsp;remote unauthenticated attacker could leverage this vulnerability to execute code in the context of the service account.\u003cbr\u003e"
                }
              ],
              "value": "In WhatsUp Gold versions released before 2024.0.1, a\u00a0remote unauthenticated attacker could leverage this vulnerability to execute code in the context of the service account."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-165",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-165 File Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-73",
                  "description": "CWE-73 External Control of File Name or Path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-16",
                  "description": "CWE-16 Configuration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-02T14:46:49.513Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://www.progress.com/network-monitoring"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.progress.com/bundle/whatsupgold-release-notes-24-0/page/WhatsUp-Gold-2024.0-Release-Notes.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WhatsUp Gold WriteDataFile Directory Traversal Remote Code Execution Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-46909",
        "datePublished": "2024-12-02T14:46:49.513Z",
        "dateReserved": "2024-09-13T14:50:06.820Z",
        "dateUpdated": "2024-12-02T15:30:19.651Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-46905 (GCVE-0-2024-46905)

    Vulnerability from cvelistv5 – Published: 2024-12-02 14:45 – Updated: 2024-12-02 15:30
    VLAI
    Title
    WhatsUp Gold GetOrderByClause SQL Injection Privilege Escalation Vulnerability
    Summary
    In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated lower-privileged user (at least Network Manager permissions required) to achieve privilege escalation to the admin account.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2023.1.0 , < 2024.0.1 (semver)
    progress whatsup_gold Affected: 2023.1.0 , < 2024.0.1 (custom)
        cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*
    Credits
    Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "whatsup_gold",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2024.0.1",
                    "status": "affected",
                    "version": "2023.1.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-46905",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-02T15:21:40.531864Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-02T15:30:19.092Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "API Endpoint"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024.0.1",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated lower-privileged user (at least Network Manager permissions required) to achieve privilege escalation to the admin account."
                }
              ],
              "value": "In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated lower-privileged user (at least Network Manager permissions required) to achieve privilege escalation to the admin account."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-02T14:45:13.504Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://www.progress.com/network-monitoring"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.progress.com/bundle/whatsupgold-release-notes-24-0/page/WhatsUp-Gold-2024.0-Release-Notes.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WhatsUp Gold GetOrderByClause SQL Injection Privilege Escalation Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-46905",
        "datePublished": "2024-12-02T14:45:13.504Z",
        "dateReserved": "2024-09-13T14:50:06.819Z",
        "dateUpdated": "2024-12-02T15:30:19.092Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-46906 (GCVE-0-2024-46906)

    Vulnerability from cvelistv5 – Published: 2024-12-02 14:44 – Updated: 2024-12-02 15:30
    VLAI
    Title
    WhatsUp Gold GetSqlWhereClause SQL Injection Privilege Escalation Vulnerability
    Summary
    In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2023.1.0 , < 2024.0.1 (semver)
    progress whatsup_gold Affected: 2023.1.0 , < 2024.0.1 (custom)
        cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*
    Credits
    Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "whatsup_gold",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2024.0.1",
                    "status": "affected",
                    "version": "2023.1.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-46906",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-02T15:21:49.800800Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-02T15:30:19.268Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "API Endpoint"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024.0.1",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required)  to achieve privilege escalation to the admin account."
                }
              ],
              "value": "In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required)  to achieve privilege escalation to the admin account."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-02T14:44:08.220Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://www.progress.com/network-monitoring"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.progress.com/bundle/whatsupgold-release-notes-24-0/page/WhatsUp-Gold-2024.0-Release-Notes.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WhatsUp Gold GetSqlWhereClause  SQL Injection Privilege Escalation Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-46906",
        "datePublished": "2024-12-02T14:44:08.220Z",
        "dateReserved": "2024-09-13T14:50:06.819Z",
        "dateUpdated": "2024-12-02T15:30:19.268Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-46907 (GCVE-0-2024-46907)

    Vulnerability from cvelistv5 – Published: 2024-12-02 14:42 – Updated: 2024-12-02 15:30
    VLAI
    Title
    WhatsUp Gold GetFilterCriteria SQL Injection Privilege Escalation Vulnerability
    Summary
    In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2023.1.0 , < 2024.0.1 (semver)
    progress whatsup_gold Affected: 2023.1.0 , < 2024.0.1 (custom)
        cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*
    Credits
    Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "whatsup_gold",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2024.0.1",
                    "status": "affected",
                    "version": "2023.1.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-46907",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-02T15:17:52.053686Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-02T15:30:19.393Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "API Endpoint"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024.0.1",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account."
                }
              ],
              "value": "In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-02T14:42:08.418Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://www.progress.com/network-monitoring"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.progress.com/bundle/whatsupgold-release-notes-24-0/page/WhatsUp-Gold-2024.0-Release-Notes.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WhatsUp Gold GetFilterCriteria SQL Injection Privilege Escalation Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-46907",
        "datePublished": "2024-12-02T14:42:08.418Z",
        "dateReserved": "2024-09-13T14:50:06.819Z",
        "dateUpdated": "2024-12-02T15:30:19.393Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-46908 (GCVE-0-2024-46908)

    Vulnerability from cvelistv5 – Published: 2024-12-02 14:40 – Updated: 2024-12-02 15:30
    VLAI
    Title
    WhatsUp Gold GetFilterCriteria SQL Injection Privilege Escalation Vulnerability
    Summary
    In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2023.1.0 , < 2024.0.1 (semver)
    progress whatsup_gold Affected: 2023.1.0 , < 2024.0.1 (custom)
        cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*
    Credits
    Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "whatsup_gold",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2024.0.1",
                    "status": "affected",
                    "version": "2023.1.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-46908",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-02T15:21:45.398276Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-02T15:30:19.516Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "API Endpoint"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024.0.1",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required)\n\n to achieve privilege escalation to the admin account."
                }
              ],
              "value": "In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required)\n\n to achieve privilege escalation to the admin account."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-02T14:40:08.735Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://www.progress.com/network-monitoring"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://docs.progress.com/bundle/whatsupgold-release-notes-24-0/page/WhatsUp-Gold-2024.0-Release-Notes.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WhatsUp Gold GetFilterCriteria SQL Injection Privilege Escalation Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-46908",
        "datePublished": "2024-12-02T14:40:08.735Z",
        "dateReserved": "2024-09-13T14:50:06.819Z",
        "dateUpdated": "2024-12-02T15:30:19.516Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-7763 (GCVE-0-2024-7763)

    Vulnerability from cvelistv5 – Published: 2024-10-24 20:11 – Updated: 2024-10-29 03:55
    VLAI
    Title
    WhatsUp Gold getReport Missing Authentication Authentication Bypass Vulnerability
    Summary
    In WhatsUp Gold versions released before 2024.0.0, an Authentication Bypass issue exists which allows an attacker to obtain encrypted user credentials.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2023.1.0 , < 2024.0.0 (semver)
    progress whatsup_gold Affected: 2023.1.0 , < 2024.0.0 (semver)
        cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*
    Credits
    Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "whatsup_gold",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2024.0.0",
                    "status": "affected",
                    "version": "2023.1.0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7763",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-28T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-29T03:55:09.900Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "API Endpoint"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024.0.0",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2024.0.0,\u0026nbsp;\n\n\u003cspan style=\"background-color: rgba(161, 189, 217, 0.08);\"\u003ean Authentication Bypass issue exists which allows an attacker to obtain encrypted user credentials.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e"
                }
              ],
              "value": "In WhatsUp Gold versions released before 2024.0.0,\u00a0\n\nan Authentication Bypass issue exists which allows an attacker to obtain encrypted user credentials."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-24T20:11:50.614Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.progress.com/network-monitoring"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WhatsUp Gold getReport Missing Authentication Authentication Bypass Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-7763",
        "datePublished": "2024-10-24T20:11:50.614Z",
        "dateReserved": "2024-08-13T18:22:43.153Z",
        "dateUpdated": "2024-10-29T03:55:09.900Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-6672 (GCVE-0-2024-6672)

    Vulnerability from cvelistv5 – Published: 2024-08-29 22:07 – Updated: 2024-08-30 13:45
    Title
    WhatsUp Gold getMonitorJoin SQL Injection Privilege Escalation Vulnerability
    Summary
    In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an authenticated low-privileged attacker to achieve privilege escalation by modifying a privileged user's password.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2023.1.0 , < 2024.0.0 (semver)
    progress whatsupgold Affected: 2023.1.0 , < 2024.0.0 (semver)
        cpe:2.3:a:progress:whatsupgold:*:*:*:*:*:*:*:*
    Credits
    Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:whatsupgold:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "affected",
                "product": "whatsupgold",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2024.0.0",
                    "status": "affected",
                    "version": "2023.1.0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6672",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-30T13:44:33.392630Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-30T13:45:45.129Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "API Endpoint"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024.0.0",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an authenticated low-privileged attacker to achieve privilege escalation by modifying a privileged user\u0027s password."
                }
              ],
              "value": "In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an authenticated low-privileged attacker to achieve privilege escalation by modifying a privileged user\u0027s password."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-08-29T22:07:13.727Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.progress.com/network-monitoring"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WhatsUp Gold getMonitorJoin SQL Injection Privilege Escalation Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-6672",
        "datePublished": "2024-08-29T22:07:13.727Z",
        "dateReserved": "2024-07-10T19:45:29.346Z",
        "dateUpdated": "2024-08-30T13:45:45.129Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-6671 (GCVE-0-2024-6671)

    Vulnerability from cvelistv5 – Published: 2024-08-29 22:06 – Updated: 2024-09-25 03:55
    Title
    WhatsUp Gold GetStatisticalMonitorList SQL Injection Authentication Bypass Vulnerability
    Summary
    In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2023.1.0 , < 2024.0.0 (semver)
    progress whatsupgold Affected: 2023.1.0 , < 2024.0.0 (semver)
        cpe:2.3:a:progress:whatsupgold:*:*:*:*:*:*:*:*
    Credits
    Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:whatsupgold:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "affected",
                "product": "whatsupgold",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2024.0.0",
                    "status": "affected",
                    "version": "2023.1.0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6671",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-24T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-25T03:55:41.371Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "API Endpoint"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024.0.0",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, \u003cspan style=\"background-color: var(--wht);\"\u003ea SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.\u003c/span\u003e\n\n\u003cbr\u003e\n\n\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-08-29T22:06:19.291Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.progress.com/network-monitoring"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WhatsUp Gold GetStatisticalMonitorList SQL Injection Authentication Bypass Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-6671",
        "datePublished": "2024-08-29T22:06:19.291Z",
        "dateReserved": "2024-07-10T19:45:28.296Z",
        "dateUpdated": "2024-09-25T03:55:41.371Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-6670 (GCVE-0-2024-6670)

    Vulnerability from cvelistv5 – Published: 2024-08-29 22:04 – Updated: 2025-10-21 22:55
    Title
    WhatsUp Gold HasErrors SQL Injection Authentication Bypass Vulnerability
    Summary
    In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password.
    SSVC
    Exploitation: active (added to the CISA Known Exploited Vulnerabilities catalog on 2024-09-16) Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Progress Software Corporation WhatsUp Gold Affected: 2023.1.0 , < 2024.0.0 (semver)
    progress whatsupgold Affected: 2023.1.0 , < 2024.0.0 (semver)
        cpe:2.3:a:progress:whatsupgold:*:*:*:*:*:*:*:*
    Credits
    Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:whatsupgold:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "affected",
                "product": "whatsupgold",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2024.0.0",
                    "status": "affected",
                    "version": "2023.1.0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6670",
                    "options": [
                      {
                        "Exploitation": "active"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-27T22:06:14.229470Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              },
              {
                "other": {
                  "content": {
                    "dateAdded": "2024-09-16",
                    "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-6670"
                  },
                  "type": "kev"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-21T22:55:46.285Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "government-resource"
                ],
                "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-6670"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2024-09-16T00:00:00.000Z",
                "value": "CVE-2024-6670 added to CISA KEV"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "API Endpoint"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "WhatsUp Gold",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2024.0.0",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "In WhatsUp Gold versions released before 2024.0.0,\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003ea SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.\u003c/span\u003e"
                }
              ],
              "value": "In WhatsUp Gold versions released before 2024.0.0,\u00a0a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-08-29T22:04:41.139Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.progress.com/network-monitoring"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WhatsUp Gold HasErrors SQL Injection Authentication Bypass Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-6670",
        "datePublished": "2024-08-29T22:04:41.139Z",
        "dateReserved": "2024-07-10T19:45:27.069Z",
        "dateUpdated": "2025-10-21T22:55:46.285Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }