WhatsUp Gold
by WhatsUp Gold
CVEs (17)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-6671 | Cri | 0.65 | 9.8 | 0.15 | Aug 29, 2024 | In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password. | ||
| CVE-2024-7763 | Cri | 0.64 | 9.8 | 0.01 | Oct 24, 2024 | In WhatsUp Gold versions released before 2024.0.0, an Authentication Bypass issue exists which allows an attacker to obtain encrypted user credentials. | ||
| CVE-2024-12108 | Cri | 0.63 | 9.6 | 0.07 | Dec 31, 2024 | In WhatsUp Gold versions released before 2024.0.2, an attacker can gain access to the WhatsUp Gold server via the public API. | ||
| CVE-2024-12106 | Cri | 0.62 | 9.4 | 0.09 | Dec 31, 2024 | In WhatsUp Gold versions released before 2024.0.2, an unauthenticated attacker can configure LDAP settings. | ||
| CVE-2024-46908 | Hig | 0.57 | 8.8 | 0.02 | Dec 2, 2024 | In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account. | ||
| CVE-2024-46905 | Hig | 0.57 | 8.8 | 0.02 | Dec 2, 2024 | In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated lower-privileged user (at least Network Manager permissions required) to achieve privilege escalation to the admin account. | ||
| CVE-2024-5010 | Hig | 0.54 | 7.5 | 0.70 | Jun 25, 2024 | In WhatsUp Gold versions released before 2023.1.3, a vulnerability exists in the TestController functionality. A specially crafted unauthenticated HTTP request can lead to a disclosure of sensitive information. | ||
| CVE-2024-5016 | Hig | 0.49 | 7.2 | 0.22 | Jun 25, 2024 | In WhatsUp Gold versions released before 2023.1.3, Distributed Edition installations can be exploited by using a deserialization tool to achieve a Remote Code Execution as SYSTEM. The vulnerability exists in the main message processing routines NmDistributed.DistributedServic… | ||
| CVE-2023-6367 | Hig | 0.49 | 7.6 | 0.01 | Dec 14, 2023 | In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft a XSS payload and store that value within Roles. If a WhatsUp Gold user interacts with the crafted payload, the… | ||
| CVE-2023-6366 | Hig | 0.49 | 7.6 | 0.01 | Dec 14, 2023 | In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft a XSS payload and store that value within Alert Center. If a WhatsUp Gold user interacts with the crafted… | ||
| CVE-2023-6365 | Hig | 0.49 | 7.6 | 0.01 | Dec 14, 2023 | In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft a XSS payload and store that value within a device group. If a WhatsUp Gold user interacts with the crafted… | ||
| CVE-2023-6364 | Hig | 0.49 | 7.6 | 0.01 | Dec 14, 2023 | In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft a XSS payload and store that value within a dashboard component. If a WhatsUp Gold user interacts with the… | ||
| CVE-2024-12105 | Med | 0.46 | 6.5 | 0.42 | Dec 31, 2024 | In WhatsUp Gold versions released before 2024.0.2, an authenticated user can use a specially crafted HTTP request that can lead to information disclosure. | ||
| CVE-2023-6368 | Med | 0.38 | 5.9 | 0.01 | Dec 14, 2023 | In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate information related to a registered device being monitored by WhatsUp Gold. | ||
| CVE-2025-2572 | Med | 0.36 | 5.6 | 0.00 | Apr 14, 2025 | In WhatsUp Gold versions released before 2024.0.3, a database manipulation vulnerability allows an unauthenticated attacker to modify the contents of WhatsUp.dbo.WrlsMacAddressGroup. | ||
| CVE-2024-5019 | Med | 0.35 | 5.3 | 0.01 | Jun 25, 2024 | In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Arbitrary File Read issue exists in Wug.UI.Areas.Wug.Controllers.SessionController.CachedCSS. This vulnerability allows reading of any file with iisapppool\NmConsole privileges. | ||
| CVE-2024-5018 | Med | 0.35 | 5.3 | 0.01 | Jun 25, 2024 | In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Path Traversal vulnerability exists Wug.UI.Areas.Wug.Controllers.SessionController.LoadNMScript. This allows allows reading of any file from the applications web-root directory . |
- risk 0.65cvss 9.8epss 0.15
In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.
- risk 0.64cvss 9.8epss 0.01
In WhatsUp Gold versions released before 2024.0.0, an Authentication Bypass issue exists which allows an attacker to obtain encrypted user credentials.
- risk 0.63cvss 9.6epss 0.07
In WhatsUp Gold versions released before 2024.0.2, an attacker can gain access to the WhatsUp Gold server via the public API.
- risk 0.62cvss 9.4epss 0.09
In WhatsUp Gold versions released before 2024.0.2, an unauthenticated attacker can configure LDAP settings.
- risk 0.57cvss 8.8epss 0.02
In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account.
- risk 0.57cvss 8.8epss 0.02
In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated lower-privileged user (at least Network Manager permissions required) to achieve privilege escalation to the admin account.
- risk 0.54cvss 7.5epss 0.70
In WhatsUp Gold versions released before 2023.1.3, a vulnerability exists in the TestController functionality. A specially crafted unauthenticated HTTP request can lead to a disclosure of sensitive information.
- risk 0.49cvss 7.2epss 0.22
In WhatsUp Gold versions released before 2023.1.3, Distributed Edition installations can be exploited by using a deserialization tool to achieve a Remote Code Execution as SYSTEM. The vulnerability exists in the main message processing routines NmDistributed.DistributedServic…
- risk 0.49cvss 7.6epss 0.01
In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft a XSS payload and store that value within Roles. If a WhatsUp Gold user interacts with the crafted payload, the…
- risk 0.49cvss 7.6epss 0.01
In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft a XSS payload and store that value within Alert Center. If a WhatsUp Gold user interacts with the crafted…
- risk 0.49cvss 7.6epss 0.01
In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft a XSS payload and store that value within a device group. If a WhatsUp Gold user interacts with the crafted…
- risk 0.49cvss 7.6epss 0.01
In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft a XSS payload and store that value within a dashboard component. If a WhatsUp Gold user interacts with the…
- risk 0.46cvss 6.5epss 0.42
In WhatsUp Gold versions released before 2024.0.2, an authenticated user can use a specially crafted HTTP request that can lead to information disclosure.
- risk 0.38cvss 5.9epss 0.01
In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate information related to a registered device being monitored by WhatsUp Gold.
- risk 0.36cvss 5.6epss 0.00
In WhatsUp Gold versions released before 2024.0.3, a database manipulation vulnerability allows an unauthenticated attacker to modify the contents of WhatsUp.dbo.WrlsMacAddressGroup.
- risk 0.35cvss 5.3epss 0.01
In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Arbitrary File Read issue exists in Wug.UI.Areas.Wug.Controllers.SessionController.CachedCSS. This vulnerability allows reading of any file with iisapppool\NmConsole privileges.
- risk 0.35cvss 5.3epss 0.01
In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Path Traversal vulnerability exists Wug.UI.Areas.Wug.Controllers.SessionController.LoadNMScript. This allows allows reading of any file from the applications web-root directory .