Progress (organisation)

All CVEs

218 total · sorted by risk
  • CVE-2026-8485 · Med · May 20, 2026
    risk 0.38 · cvss 5.9 · epss 0.00

    Uncontrolled Memory Allocation vulnerability in Progress Software MOVEit Automation allows Excessive Allocation. This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.

  • CVE-2017-18177 · Med · Feb 12, 2018
    risk 0.35 · cvss 5.4 · epss 0.01

    Progress Sitefinity 9.1 has XSS via the Last name, First name, and About fields on the New User Creation Page. This is fixed in 10.1.

  • CVE-2017-18176 · Med · Feb 12, 2018
    risk 0.35 · cvss 5.4 · epss 0.01

    Progress Sitefinity 9.1 has XSS via file upload, because JavaScript code in an HTML file has the same origin as the application's own code. This is fixed in 10.1.

  • CVE-2017-18175 · Med · Feb 12, 2018
    risk 0.35 · cvss 5.4 · epss 0.01

    Progress Sitefinity 9.1 has XSS via the Content Management Template Configuration (aka Templateconfiguration), as demonstrated by the src attribute of an IMG element. This is fixed in 10.1.

  • CVE-2026-8486 · Med · May 20, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation allows Flooding. This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.

  • CVE-2024-37411 · Med · Nov 1, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    Missing Authorization vulnerability in Progress Planner Progress Planner progress-planner. This issue affects Progress Planner: from n/a through <= 0.9.1.

  • CVE-2024-4882 · Med · Jul 8, 2024
    risk 0.34 · cvss · epss 0.00

    The user may be redirected to an arbitrary site in Sitefinity 15.1.8321.0 and previous versions.

  • CVE-2024-37422 · Med · Jul 22, 2024
    risk 0.31 · cvss 5.9 · epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Progress Planner Progress Planner progress-planner. This issue affects Progress Planner: from n/a through <= 0.9.2.

  • CVE-2023-40044 · KEV · Sep 27, 2023
    risk 0.29 · cvss · epss 0.90

    In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.

  • CVE-2026-8488 · Med · May 20, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation allows Excessive Allocation. This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.

  • CVE-2019-18935 · KEV · Dec 11, 2019
    risk 0.28 · cvss · epss 1.00

    Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can…

  • CVE-2021-22941 · KEV · Sep 23, 2021
    risk 0.25 · cvss · epss 0.54

    Improper Access Control in Citrix ShareFile storage zones controller before 5.11.20 may allow an unauthenticated attacker to remotely compromise the storage zones controller.

  • CVE-2024-4358 · KEV · May 29, 2024
    risk 0.23 · cvss · epss 0.97

    In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.

  • CVE-2024-1212 · KEV · Feb 21, 2024
    risk 0.23 · cvss · epss 0.95

    Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution.

  • CVE-2024-4885 · KEV · Jun 25, 2024
    risk 0.20 · cvss · epss 0.99

    In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability exists in Progress WhatsUp Gold. The WhatsUp.ExportUtilities.Export.GetFileWithoutZip allows execution of commands with iisapppool\nmconsole privileges.

  • CVE-2023-24489 · KEV · Jul 10, 2023
    risk 0.20 · cvss · epss 0.95

    A vulnerability has been discovered in the customer-managed ShareFile storage zones controller which, if exploited, could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller.

  • CVE-2024-2389 · Apr 2, 2024
    risk 0.11 · cvss · epss 0.94

    In Flowmon versions prior to 11.1.14 and 12.3.5, an operating system command injection vulnerability has been identified. An unauthenticated user can gain entry to the system via the Flowmon management interface, allowing for the execution of arbitrary system commands.

  • CVE-2022-29847 · May 11, 2022
    risk 0.10 · cvss · epss 0.56

    In Progress Ipswitch WhatsUp Gold 21.0.0 through 21.1.1, and 22.0.0, it is possible for an unauthenticated attacker to invoke an API transaction that would allow them to relay encrypted WhatsUp Gold user credentials to an arbitrary host.

  • CVE-2006-4847 · Sep 19, 2006
    risk 0.10 · cvss · epss 0.85

    Multiple buffer overflows in Ipswitch WS_FTP Server 5.05 before Hotfix 1 allow remote authenticated users to execute arbitrary code via long (1) XCRC, (2) XSHA1, or (3) XMD5 commands.

  • CVE-2024-1800 · Mar 20, 2024
    risk 0.09 · cvss · epss 0.40

    In Progress® Telerik® Report Server versions prior to 2024 Q1 (10.0.24.130), a remote code execution attack is possible through an insecure deserialization vulnerability.

  • CVE-2003-0772 · Sep 22, 2003
    risk 0.09 · cvss · epss 0.72

    Multiple buffer overflows in WS_FTP 3 and 4 allow remote authenticated users to cause a denial of service and possibly execute arbitrary code via long (1) APPE (append) or (2) STAT (status) arguments.

  • CVE-2022-29848 · May 11, 2022
    risk 0.08 · cvss · epss 0.04

    In Progress Ipswitch WhatsUp Gold 17.0.0 through 21.1.1, and 22.0.0, it is possible for an authenticated user to invoke an API transaction that would allow them to read sensitive operating-system attributes from a host that is accessible by the WhatsUp Gold system.

  • CVE-2004-0798 · Oct 20, 2004
    risk 0.08 · cvss · epss 0.63

    Buffer overflow in the _maincfgret.cgi script for Ipswitch WhatsUp Gold before 8.03 Hotfix 1 allows remote attackers to execute arbitrary code via a long instancename parameter.

  • CVE-2024-4883 · Jun 25, 2024
    risk 0.07 · cvss · epss 0.65

    In WhatsUp Gold versions released before 2023.1.3, a Remote Code Execution issue exists in Progress WhatsUp Gold. This vulnerability allows an unauthenticated attacker to achieve the RCE as a service account through NmApi.exe.

  • CVE-2022-29845 · May 11, 2022
    risk 0.07 · cvss · epss 0.04

    In Progress Ipswitch WhatsUp Gold 21.1.0 through 21.1.1, and 22.0.0, it is possible for an authenticated user to invoke an API transaction that would allow them to read the contents of a local file.

  • CVE-2020-8982 · May 7, 2020
    risk 0.07 · cvss · epss 0.27

    An unauthenticated arbitrary file read issue exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020. RCE and file access is granted to everything hosted by ShareFile, be it on-premise or…

  • CVE-2022-29846 · May 11, 2022
    risk 0.06 · cvss · epss 0.05

    In Progress Ipswitch WhatsUp Gold 16.1 through 21.1.1, and 22.0.0, it is possible for an unauthenticated attacker to obtain the WhatsUp Gold installation serial number.

  • CVE-2001-1021 · Jul 26, 2001
    risk 0.06 · cvss · epss 0.42

    Buffer overflows in WS_FTP 2.02 allow remote attackers to execute arbitrary code via long arguments to (1) DELE, (2) MDTM, (3) MLST, (4) MKD, (5) RMD, (6) RNFR, (7) RNTO, (8) SIZE, (9) STAT, (10) XMKD, or (11) XRMD.

  • CVE-2020-7473 · May 7, 2020
    risk 0.05 · cvss · epss 0.14

    In certain situations, all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020, allow unauthenticated attackers to access the documents and folders of ShareFile users. NOTE: unlike most CVEs,…

  • CVE-2008-0590 · Feb 5, 2008
    risk 0.05 · cvss · epss 0.22

    Buffer overflow in Ipswitch WS_FTP Server with SSH 6.1.0.0 allows remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a long opendir command.

  • CVE-2006-5000 · Sep 26, 2006
    risk 0.05 · cvss · epss 0.64

    Multiple buffer overflows in WS_FTP Server 5.05 before Hotfix 1, and possibly other versions down to 5.0, have unknown impact and remote authenticated attack vectors via the (1) XCRC, (2) XMD5, and (3) XSHA1 commands. NOTE: in the early publication of this identifier on…

  • CVE-2014-8555 · Nov 12, 2014
    risk 0.04 · cvss · epss 0.07

    Directory traversal vulnerability in report/reportViewAction.jsp in Progress Software OpenEdge 11.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the selection parameter.

  • CVE-2004-1643 · Aug 29, 2004
    risk 0.04 · cvss · epss 0.07

    WS_FTP 5.0.2 allows remote authenticated users to cause a denial of service (CPU consumption) via a CD command that contains an invalid path with a "../" sequence.

  • CVE-2024-7591 · Sep 5, 2024
    risk 0.03 · cvss · epss 0.44

    Improper Input Validation vulnerability in Progress LoadMaster allows OS Command Injection. This issue affects: LoadMaster 7.2.40.0 and above; ECS, all versions; Multi-Tenancy 7.1.35.4 and above.

  • CVE-2024-5008 · Jun 25, 2024
    risk 0.03 · cvss · epss 0.17

    In WhatsUp Gold versions released before 2023.1.3, an authenticated user with certain permissions can upload an arbitrary file and obtain RCE using Apm.UI.Areas.APM.Controllers.Api.Applications.AppProfileImportController.

  • CVE-2023-27636 · Jun 16, 2024
    risk 0.03 · cvss · epss 0.01

    Progress Sitefinity before 15.0.0 allows XSS by authenticated users via the content form in the SF Editor.

  • CVE-2021-41318 · Sep 28, 2021
    risk 0.03 · cvss · epss 0.06

    In Progress WhatsUp Gold prior to version 21.1.0, an application endpoint failed to adequately sanitize malicious input, which could allow an unauthenticated attacker to execute arbitrary code in a victim's browser.

  • CVE-2012-4344 · Aug 15, 2012
    risk 0.03 · cvss · epss 0.04

    Cross-site scripting (XSS) vulnerability in Ipswitch WhatsUp Gold 15.02 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving the SNMP system name of the attacking host.

  • CVE-2012-2601 · Aug 15, 2012
    risk 0.03 · cvss · epss 0.03

    SQL injection vulnerability in WrVMwareHostList.asp in Ipswitch WhatsUp Gold 15.02 allows remote attackers to execute arbitrary SQL commands via the sGroupList parameter.

  • CVE-2007-2506 · May 4, 2007
    risk 0.03 · cvss · epss 0.04

    WebSpeed 3.x in OpenEdge 10.x in Progress Software Progress 9.1e, and certain other 9.x versions, allows remote attackers to cause a denial of service (infinite loop and daemon hang) via a messenger URL that invokes _edit.r with no additional parameters, as demonstrated by…

  • CVE-2004-1883 · Dec 31, 2004
    risk 0.03 · cvss · epss 0.05

    Multiple buffer overflows in Ipswitch WS_FTP Server 4.0.2 (1) allow remote authenticated users to execute arbitrary code by causing a large error string to be generated by the ALLO handler, or (2) may allow remote FTP administrators to execute arbitrary code by causing a long…

  • CVE-2003-0449 · Aug 7, 2003
    risk 0.03 · cvss · epss 0.01

    Progress Database 9.1 to 9.1D06 trusts user input to find and load libraries using dlopen, which allows local users to gain privileges via (1) a PATH environment variable that points to malicious libraries, as demonstrated using libjutil.so in _proapsv, or (2) the -installdir…

  • CVE-2001-1127 · Oct 5, 2001
    risk 0.03 · cvss · epss 0.02

    Buffer overflow in Progress database 8.3D and 9.1C could allow a local user to execute arbitrary code via (1) _proapsv, (2) _mprosrv, (3) _mprshut, (4) orarx, (5) sqlcpp, (6) _probrkr, (7) _sqlschema and (8) _sqldump.

  • CVE-1999-1171 · Feb 2, 1999
    risk 0.03 · cvss · epss 0.05

    IPswitch WS_FTP allows local users to gain additional privileges and modify or add mail accounts by setting the "flags" registry key to 1920.

  • CVE-1999-1170 · Jan 2, 1999
    risk 0.03 · cvss · epss 0.04

    IPswitch IMail allows local users to gain additional privileges and modify or add mail accounts by setting the "flags" registry key to 1920.

  • CVE-2025-8868 · Sep 29, 2025
    risk 0.02 · cvss · epss 0.23

    In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in the compliance service via improperly neutralized inputs used in an SQL command using a well-known token.

  • CVE-2024-5010 · Jun 25, 2024
    risk 0.02 · cvss · epss 0.70

    In WhatsUp Gold versions released before 2023.1.3, a vulnerability exists in the TestController functionality. A specially crafted unauthenticated HTTP request can lead to a disclosure of sensitive information.

  • CVE-2006-5001 · Sep 26, 2006
    risk 0.02 · cvss · epss 0.32

    Unspecified vulnerability in the log analyzer in WS_FTP Server 5.05 before Hotfix 1, and possibly other versions down to 5.0, prevents certain sensitive information from being displayed in the (1) Files and (2) Summary tabs. NOTE: in the early publication of this identifier on…

  • CVE-2024-1403 · Feb 27, 2024
    risk 0.01 · cvss · epss 0.03

    In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified. The vulnerability is a bypass to authentication based on a failure to properly…

  • CVE-2023-40050 · Oct 31, 2023
    risk 0.01 · cvss · epss 0.01

    Upload profile either through API or user interface in Chef Automate prior to and including version 4.10.29 using InSpec check command with maliciously crafted profile allows remote code execution.

Page 2 of 5