VYPR

Vendor CVEs

Progress (organisation)

All CVEs

218 total · sorted by risk
  • CVE-2024-6096 · Jul 24, 2024
    risk 0.00 · cvss n/a · epss 0.01

    In Progress® Telerik® Reporting versions prior to 18.1.24.709, a code execution attack is possible through object injection via an insecure type resolution vulnerability.

  • CVE-2024-6327 · Jul 24, 2024
    risk 0.00 · cvss n/a · epss 0.02

    In Progress® Telerik® Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization vulnerability.

  • CVE-2024-5019 · Jun 25, 2024
    risk 0.00 · cvss n/a · epss 0.01

    In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Arbitrary File Read issue exists in Wug.UI.Areas.Wug.Controllers.SessionController.CachedCSS. This vulnerability allows reading of any file with iisapppool\NmConsole privileges.

  • CVE-2024-5015 · Jun 25, 2024
    risk 0.00 · cvss n/a · epss 0.01

    In WhatsUp Gold versions released before 2023.1.3, an authenticated SSRF vulnerability in Wug.UI.Areas.Wug.Controllers.SessionControler.Update allows a low privileged user to chain this SSRF with an Improper Access Control vulnerability. This can be used to escalate privileges…

  • CVE-2024-5805 · Jun 25, 2024
    risk 0.00 · cvss n/a · epss 0.08

    Improper Authentication vulnerability in Progress MOVEit Gateway (SFTP modules) allows Authentication Bypass. This issue affects MOVEit Gateway: 2024.0.0.

  • CVE-2024-4563 · May 22, 2024
    risk 0.00 · cvss n/a · epss 0.00

    The Progress MOVEit Automation configuration export function prior to 2024.0.0 uses a cryptographic method with insufficient bit length.

  • CVE-2024-4837 · May 15, 2024
    risk 0.00 · cvss n/a · epss 0.00

    In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via a trust boundary violation vulnerability.

  • CVE-2024-4357 · May 15, 2024
    risk 0.00 · cvss n/a · epss 0.01

    An information disclosure vulnerability exists in Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, that allows a low-privilege attacker to read system files via XML External Entity Processing.

  • CVE-2024-4200 · May 15, 2024
    risk 0.00 · cvss n/a · epss 0.00

    In Progress® Telerik® Reporting versions prior to 2024 Q2 (18.1.24.2.514), a code execution attack is possible by a local threat actor through an insecure deserialization vulnerability.

  • CVE-2024-4202 · May 15, 2024
    risk 0.00 · cvss n/a · epss 0.00

    In Progress® Telerik® Reporting versions prior to 2024 Q2 (18.1.24.514), a code execution attack is possible through an insecure instantiation vulnerability.

  • CVE-2024-3544 · May 2, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Unauthenticated attackers can perform actions, using SSH private keys, by knowing the IP address and having access to the same network of one of the machines in the HA or Cluster group. This vulnerability has been closed by enhancing LoadMaster partner communications to require…

  • CVE-2024-2449 · Mar 22, 2024
    risk 0.00 · cvss n/a · epss 0.13

    A cross-site request forgery vulnerability has been identified in LoadMaster. It is possible for a malicious actor, who has prior knowledge of the IP or hostname of a specific LoadMaster, to direct an authenticated LoadMaster administrator to a third-party site. In such a…

  • CVE-2024-1856 · Mar 20, 2024
    risk 0.00 · cvss n/a · epss 0.01

    In Progress® Telerik® Reporting versions prior to 2024 Q1 (18.0.24.130), a code execution attack is possible by a remote threat actor through an insecure deserialization vulnerability.

  • CVE-2024-1801 · Mar 20, 2024
    risk 0.00 · cvss n/a · epss 0.00

    In Progress® Telerik® Reporting versions prior to 2024 Q1 (18.0.24.130), a code execution attack is possible by a local threat actor through an insecure deserialization vulnerability.

  • CVE-2024-1632 · Feb 28, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrative area.

  • CVE-2024-1474 · Feb 21, 2024
    risk 0.00 · cvss n/a · epss 0.00

    In WS_FTP Server versions before 8.8.5, reflected cross-site scripting issues have been identified on various user supplied inputs on the WS_FTP Server administrative interface.

  • CVE-2023-40052 · Jan 18, 2024
    risk 0.00 · cvss n/a · epss 0.01

    This issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0. An attacker who can produce a malformed web request may cause the crash of a PASOE agent potentially…

  • CVE-2023-40051 · Jan 18, 2024
    risk 0.00 · cvss n/a · epss 0.01

    This issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0. An attacker can formulate a request for a WEB transport that allows unintended file uploads to a server directory…

  • CVE-2023-6784 · Dec 20, 2023
    risk 0.00 · cvss n/a · epss 0.00

    A malicious user could potentially use the Sitefinity system for the distribution of phishing emails.

  • CVE-2023-6368 · Dec 14, 2023
    risk 0.00 · cvss n/a · epss 0.01

    In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate information related to a registered device being monitored by WhatsUp Gold.

  • CVE-2023-6595 · Dec 14, 2023
    risk 0.00 · cvss n/a · epss 0.01

    In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate ancillary credential information stored within WhatsUp Gold.

  • CVE-2023-6367 · Dec 14, 2023
    risk 0.00 · cvss n/a · epss 0.01

    In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft an XSS payload and store that value within Roles. If a WhatsUp Gold user interacts with the crafted payload, the…

  • CVE-2023-6366 · Dec 14, 2023
    risk 0.00 · cvss n/a · epss 0.01

    In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft an XSS payload and store that value within Alert Center. If a WhatsUp Gold user interacts with the crafted…

  • CVE-2023-6365 · Dec 14, 2023
    risk 0.00 · cvss n/a · epss 0.01

    In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft an XSS payload and store that value within a device group. If a WhatsUp Gold user interacts with the crafted…

  • CVE-2023-6364 · Dec 14, 2023
    risk 0.00 · cvss n/a · epss 0.01

    In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft an XSS payload and store that value within a dashboard component. If a WhatsUp Gold user interacts with the…

  • CVE-2023-40049 · Sep 27, 2023
    risk 0.00 · cvss n/a · epss 0.01

    In WS_FTP Server versions prior to 8.8.2, an unauthenticated user could enumerate files via the 'WebServiceHost' directory listing.

  • CVE-2023-40048 · Sep 27, 2023
    risk 0.00 · cvss n/a · epss 0.00

    In WS_FTP Server versions prior to 8.8.2, the WS_FTP Server Manager interface was missing cross-site request forgery (CSRF) protection on a POST transaction corresponding to a WS_FTP Server administrative function.

  • CVE-2023-40047 · Sep 27, 2023
    risk 0.00 · cvss n/a · epss 0.00

    In WS_FTP Server versions prior to 8.8.2, a stored cross-site scripting (XSS) vulnerability exists in WS_FTP Server's Management module. An attacker with administrative privileges could import an SSL certificate with malicious attributes containing cross-site scripting…

  • CVE-2023-40046 · Sep 27, 2023
    risk 0.00 · cvss n/a · epss 0.01

    In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a SQL injection vulnerability exists in the WS_FTP Server manager interface. An attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete…

  • CVE-2023-40045 · Sep 27, 2023
    risk 0.00 · cvss n/a · epss 0.01

    In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a reflected cross-site scripting (XSS) vulnerability exists in WS_FTP Server's Ad Hoc Transfer module. An attacker could leverage this vulnerability to target WS_FTP Server users with a specialized payload which results…

  • CVE-2023-42657 · Sep 27, 2023
    risk 0.00 · cvss n/a · epss 0.17

    In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a directory traversal vulnerability was discovered. An attacker could leverage this vulnerability to perform file operations (delete, rename, rmdir, mkdir) on files and folders outside of their authorized WS_FTP folder…

  • CVE-2023-28864 · Jul 17, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are…

  • CVE-2023-35759 · Jun 23, 2023
    risk 0.00 · cvss n/a · epss 0.02

    In Progress WhatsUp Gold before 23.0.0, an SNMP-related application endpoint failed to adequately sanitize malicious input. This could allow an unauthenticated attacker to execute arbitrary code in a victim's browser, aka XSS.

  • CVE-2023-34203 · Jun 23, 2023
    risk 0.00 · cvss n/a · epss 0.01

    In Progress OpenEdge OEM (OpenEdge Management) and OEE (OpenEdge Explorer) before 12.7, a remote user (who has any OEM or OEE role) could perform a URL injection attack to change identity or role membership, e.g., escalate to admin. This affects OpenEdge LTS before 11.7.16, 12.x…

  • CVE-2023-34363 · Jun 9, 2023
    risk 0.00 · cvss n/a · epss 0.00

    An issue was discovered in Progress DataDirect Connect for ODBC before 08.02.2770 for Oracle. When using Oracle Advanced Security (OAS) encryption, if an error is encountered initializing the encryption object used to encrypt data, the code falls back to a different encryption…

  • CVE-2023-34364 · Jun 9, 2023
    risk 0.00 · cvss n/a · epss 0.02

    A buffer overflow was discovered in Progress DataDirect Connect for ODBC before 08.02.2770 for Oracle. An overly large value for certain options of a connection string may overrun the buffer allocated to process the string value. This allows an attacker to execute code of their…

  • CVE-2023-26100 · Apr 21, 2023
    risk 0.00 · cvss n/a · epss 0.00

    In Progress Flowmon before 12.2.0, an application endpoint failed to sanitize user-supplied input. A threat actor could leverage a reflected XSS vulnerability to execute arbitrary code within the context of a Flowmon user's web browser.

  • CVE-2023-26101 · Apr 21, 2023
    risk 0.00 · cvss n/a · epss 0.01

    In Progress Flowmon Packet Investigator before 12.1.0, a Flowmon user with access to Flowmon Packet Investigator could leverage a path-traversal vulnerability to retrieve files on the Flowmon appliance's local filesystem.

  • CVE-2023-29375 · Apr 10, 2023
    risk 0.00 · cvss n/a · epss 0.01

    An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930, and 14.3 before 14.3.8025. There is potentially dangerous file upload through the SharePoint connector.

  • CVE-2023-29376 · Apr 10, 2023
    risk 0.00 · cvss n/a · epss 0.00

    An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930, and 14.3 before 14.3.8025. Privileged users could potentially perform XSS via Sitefinity media libraries.

  • CVE-2022-27665 · Apr 3, 2023
    risk 0.00 · cvss n/a · epss 0.33

    Reflected XSS (via AngularJS sandbox escape expressions) exists in Progress Ipswitch WS_FTP Server 8.6.0. This can lead to execution of malicious code and commands on the client due to improper handling of user-provided input. By inputting malicious payloads in the subdirectory…

  • CVE-2023-24029 · Feb 3, 2023
    risk 0.00 · cvss n/a · epss 0.01

    In Progress WS_FTP Server before 8.8, it is possible for a host administrator to elevate their privileges via the administrative interface due to insufficient authorization controls applied on user modification workflows.

  • CVE-2021-41823 · Jan 1, 2023
    risk 0.00 · cvss n/a · epss 0.00

    The Web Application Firewall (WAF) in Kemp LoadMaster 7.2.54.1 allows certain uses of onmouseover to bypass an XSS protection mechanism.

  • CVE-2022-42711 · Oct 12, 2022
    risk 0.00 · cvss n/a · epss 0.01

    In Progress WhatsUp Gold before 22.1.0, an SNMP MIB Walker application endpoint failed to adequately sanitize malicious input. This could allow an unauthenticated attacker to execute arbitrary code in a victim's browser.

  • CVE-2022-36968 · Aug 2, 2022
    risk 0.00 · cvss n/a · epss 0.00

    In Progress WS_FTP Server prior to version 8.7.3, forms within the administrative interface did not include a nonce to mitigate the risk of cross-site request forgery (CSRF) attacks.

  • CVE-2022-36967 · Aug 2, 2022
    risk 0.00 · cvss n/a · epss 0.01

    In Progress WS_FTP Server prior to version 8.7.3, multiple reflected cross-site scripting (XSS) vulnerabilities exist in the administrative web interface. It is possible for a remote attacker to inject arbitrary JavaScript into a WS_FTP administrator's web session. This would…

  • CVE-2022-29849 · May 1, 2022
    risk 0.00 · cvss n/a · epss 0.00

    In Progress OpenEdge before 11.7.14 and 12.x before 12.2.9, certain SUID binaries within the OpenEdge application were susceptible to privilege escalation. If exploited, a local attacker could elevate their privileges and compromise the affected system.

  • CVE-2021-22891 · May 27, 2021
    risk 0.00 · cvss n/a · epss 0.01

    A missing authorization vulnerability exists in Citrix ShareFile Storage Zones Controller before 5.7.3, 5.8.3, 5.9.3, 5.10.1 and 5.11.18 that may allow unauthenticated remote compromise of the Storage Zones Controller.

  • CVE-2021-28141 · Mar 11, 2021
    risk 0.00 · cvss n/a · epss 0.02

    An issue was discovered in Progress Telerik UI for ASP.NET AJAX 2021.1.224. It allows unauthorized access to MicrosoftAjax.js through the Telerik.Web.UI.WebResource.axd file. This may allow the attacker to gain unauthorized access to the server and execute code. To exploit, one…

  • CVE-2020-12677 · May 14, 2020
    risk 0.00 · cvss n/a · epss 0.02

    An issue was discovered in Progress MOVEit Automation Web Admin. A Web Admin application endpoint failed to adequately sanitize malicious input, which could allow an unauthenticated attacker to execute arbitrary code in a victim's browser, aka XSS. This affects 2018 - 2018.0…
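The entries above phrase affected ranges in several ways: a single cut-off ("versions before 8.8.5"), two fix builds on different branches ("prior to 8.7.4 and 8.8.2"), per-branch cut-offs with a catch-all ("11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0"), a build number in brackets behind a marketing name ("2024 Q2 (10.1.24.709)"), and one named build with no fix stated ("MOVEit Gateway: 2024.0.0"). A naive "installed < fixed" comparison gets the multi-branch forms wrong: 12.2.13 is clean, but it is also "prior to 12.8.0". The following is an added example, not code from VYPR or from Progress, that transcribes a few of those constraints into a rule table and applies branch-aware matching to a constructed inventory. The product strings and the inventory are assumptions for illustration; the rules are read off the entries on this page.

```python
"""Affected-version check for the 'versions prior to X' wording used in the
advisories above. Added example, not VYPR's or Progress's code: RULES is
transcribed from a handful of entries on this page, INVENTORY is constructed."""
import re
from dataclasses import dataclass
from typing import Optional


def parse_version(s: str) -> tuple:
    """'8.8.2' -> (8, 8, 2). Pass the vendor build number such as '18.1.24.709',
    not a marketing name such as '2024 Q2': every digit run becomes a component."""
    return tuple(int(p) for p in re.findall(r"\d+", s))


def version_lt(a: str, b: str) -> bool:
    """Strictly older, zero-padded so that '8.8' and '8.8.0' compare equal."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def in_branch(version: str, branch: str) -> bool:
    """True when the build starts with the branch prefix (8.8.1 is in branch 8.8)."""
    v, b = parse_version(version), parse_version(branch)
    return v[: len(b)] == b


@dataclass(frozen=True)
class Rule:
    cve: str
    product: str                 # assumed product label, matched literally
    fixed_in: Optional[str]      # first clean build; None = the whole branch is affected
    branch: Optional[str] = None  # restrict the rule to builds with this prefix


RULES = [
    # "versions before 8.8.5"
    Rule("CVE-2024-1474", "WS_FTP Server", "8.8.5"),
    # "versions prior to 8.7.4 and 8.8.2": the 8.8 branch has its own fix build;
    # everything else (8.7.x and older) is clean only from 8.7.4
    Rule("CVE-2023-42657", "WS_FTP Server", "8.8.2", branch="8.8"),
    Rule("CVE-2023-42657", "WS_FTP Server", "8.7.4"),
    # "11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0"
    Rule("CVE-2023-40051", "PAS for OpenEdge", "11.7.18", branch="11.7"),
    Rule("CVE-2023-40051", "PAS for OpenEdge", "12.2.13", branch="12.2"),
    Rule("CVE-2023-40051", "PAS for OpenEdge", "12.8.0"),
    # "2024 Q2 (10.1.24.709)": compare on the bracketed build number
    Rule("CVE-2024-6327", "Telerik Report Server", "10.1.24.709"),
    # "This issue affects MOVEit Gateway: 2024.0.0": one named build, no fix build stated
    Rule("CVE-2024-5805", "MOVEit Gateway", None, branch="2024.0.0"),
]


def rule_hits(rule: Rule, version: str) -> bool:
    if rule.fixed_in is None:
        return True  # whole branch affected; the caller already applied the branch filter
    return version_lt(version, rule.fixed_in)


def affected_cves(product: str, version: str, rules=RULES) -> list:
    """CVE ids whose rules say this installed build is still vulnerable."""
    hits = set()
    for cve in {r.cve for r in rules if r.product == product}:
        cve_rules = [r for r in rules if r.cve == cve and r.product == product]
        # Most specific branch wins: when a branch rule covers this build, the
        # unbranched fallback is not consulted, so 12.2.13 is not flagged by the
        # 'prior to 12.8.0' clause that is meant for the innovation releases.
        specific = [r for r in cve_rules if r.branch and in_branch(version, r.branch)]
        applicable = specific or [r for r in cve_rules if r.branch is None]
        if any(rule_hits(r, version) for r in applicable):
            hits.add(cve)
    return sorted(hits)


# Constructed sample inventory: (product, installed build)
INVENTORY = [
    ("WS_FTP Server", "8.8.0"),
    ("WS_FTP Server", "8.7.5"),
    ("PAS for OpenEdge", "12.2.13"),
    ("PAS for OpenEdge", "12.5"),
    ("Telerik Report Server", "10.0.24.305"),
    ("MOVEit Gateway", "2024.0.1"),
]


def report(inventory=INVENTORY, rules=RULES) -> dict:
    """Map each (product, build) pair to the listed CVEs it is still exposed to."""
    return {item: affected_cves(item[0], item[1], rules) for item in inventory}


if __name__ == "__main__":
    for (product, build), cves in report().items():
        print(f"{product} {build}: {', '.join(cves) or 'no listed CVEs apply'}")
```

Two caveats when extending the table. A build older than every named branch (say an 11.6 PAS install) falls through to the catch-all rule and is flagged; that is the conservative reading of an advisory that does not mention it, and the right answer is to treat it as unsupported rather than clean. And the advisory's "prior to" is exclusive, so the fix build itself is clean; do not encode it as "less than or equal".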

Page 4 of 5