Vendor CVEs
Progress (organisation)
All CVEs
218 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-6096 | | | 0.00 | — | 0.01 | | Jul 24, 2024 | In Progress® Telerik® Reporting versions prior to 18.1.24.709, a code execution attack is possible through object injection via an insecure type resolution vulnerability. |
| CVE-2024-6327 | | | 0.00 | — | 0.02 | | Jul 24, 2024 | In Progress® Telerik® Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization vulnerability. |
| CVE-2024-5019 | | | 0.00 | — | 0.01 | | Jun 25, 2024 | In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Arbitrary File Read issue exists in Wug.UI.Areas.Wug.Controllers.SessionController.CachedCSS. This vulnerability allows reading of any file with iisapppool\NmConsole privileges. |
| CVE-2024-5015 | | | 0.00 | — | 0.01 | | Jun 25, 2024 | In WhatsUp Gold versions released before 2023.1.3, an authenticated SSRF vulnerability in Wug.UI.Areas.Wug.Controllers.SessionControler.Update allows a low-privileged user to chain this SSRF with an Improper Access Control vulnerability. This can be used to escalate privileges… |
| CVE-2024-5805 | | | 0.00 | — | 0.08 | | Jun 25, 2024 | Improper Authentication vulnerability in Progress MOVEit Gateway (SFTP modules) allows Authentication Bypass. This issue affects MOVEit Gateway: 2024.0.0. |
| CVE-2024-4563 | | | 0.00 | — | 0.00 | | May 22, 2024 | The Progress MOVEit Automation configuration export function prior to 2024.0.0 uses a cryptographic method with insufficient bit length. |
| CVE-2024-4837 | | | 0.00 | — | 0.00 | | May 15, 2024 | In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via a trust boundary violation vulnerability. |
| CVE-2024-4357 | | | 0.00 | — | 0.01 | | May 15, 2024 | An information disclosure vulnerability exists in Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, that allows a low-privilege attacker to read system files via XML External Entity Processing. |
| CVE-2024-4200 | | | 0.00 | — | 0.00 | | May 15, 2024 | In Progress® Telerik® Reporting versions prior to 2024 Q2 (18.1.24.2.514), a code execution attack is possible by a local threat actor through an insecure deserialization vulnerability. |
| CVE-2024-4202 | | | 0.00 | — | 0.00 | | May 15, 2024 | In Progress® Telerik® Reporting versions prior to 2024 Q2 (18.1.24.514), a code execution attack is possible through an insecure instantiation vulnerability. |
| CVE-2024-3544 | | | 0.00 | — | 0.00 | | May 2, 2024 | Unauthenticated attackers can perform actions, using SSH private keys, by knowing the IP address and having access to the same network as one of the machines in the HA or Cluster group. This vulnerability has been closed by enhancing LoadMaster partner communications to require… |
| CVE-2024-2449 | | | 0.00 | — | 0.13 | | Mar 22, 2024 | A cross-site request forgery vulnerability has been identified in LoadMaster. It is possible for a malicious actor, who has prior knowledge of the IP or hostname of a specific LoadMaster, to direct an authenticated LoadMaster administrator to a third-party site. In such a… |
| CVE-2024-1856 | | | 0.00 | — | 0.01 | | Mar 20, 2024 | In Progress® Telerik® Reporting versions prior to 2024 Q1 (18.0.24.130), a code execution attack is possible by a remote threat actor through an insecure deserialization vulnerability. |
| CVE-2024-1801 | | | 0.00 | — | 0.00 | | Mar 20, 2024 | In Progress® Telerik® Reporting versions prior to 2024 Q1 (18.0.24.130), a code execution attack is possible by a local threat actor through an insecure deserialization vulnerability. |
| CVE-2024-1632 | | | 0.00 | — | 0.01 | | Feb 28, 2024 | Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrative area. |
| CVE-2024-1474 | | | 0.00 | — | 0.00 | | Feb 21, 2024 | In WS_FTP Server versions before 8.8.5, reflected cross-site scripting issues have been identified on various user-supplied inputs on the WS_FTP Server administrative interface. |
| CVE-2023-40052 | | | 0.00 | — | 0.01 | | Jan 18, 2024 | This issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0. An attacker who can produce a malformed web request may cause the crash of a PASOE agent potentially… |
| CVE-2023-40051 | | | 0.00 | — | 0.01 | | Jan 18, 2024 | This issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0. An attacker can formulate a request for a WEB transport that allows unintended file uploads to a server directory… |
| CVE-2023-6784 | | | 0.00 | — | 0.00 | | Dec 20, 2023 | A malicious user could potentially use the Sitefinity system for the distribution of phishing emails. |
| CVE-2023-6368 | | | 0.00 | — | 0.01 | | Dec 14, 2023 | In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate information related to a registered device being monitored by WhatsUp Gold. |
| CVE-2023-6595 | | | 0.00 | — | 0.01 | | Dec 14, 2023 | In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate ancillary credential information stored within WhatsUp Gold. |
| CVE-2023-6367 | | | 0.00 | — | 0.01 | | Dec 14, 2023 | In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft an XSS payload and store that value within Roles. If a WhatsUp Gold user interacts with the crafted payload, the… |
| CVE-2023-6366 | | | 0.00 | — | 0.01 | | Dec 14, 2023 | In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft an XSS payload and store that value within Alert Center. If a WhatsUp Gold user interacts with the crafted… |
| CVE-2023-6365 | | | 0.00 | — | 0.01 | | Dec 14, 2023 | In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft an XSS payload and store that value within a device group. If a WhatsUp Gold user interacts with the crafted… |
| CVE-2023-6364 | | | 0.00 | — | 0.01 | | Dec 14, 2023 | In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft an XSS payload and store that value within a dashboard component. If a WhatsUp Gold user interacts with the… |
| CVE-2023-40049 | | | 0.00 | — | 0.01 | | Sep 27, 2023 | In WS_FTP Server versions prior to 8.8.2, an unauthenticated user could enumerate files under the 'WebServiceHost' directory listing. |
| CVE-2023-40048 | | | 0.00 | — | 0.00 | | Sep 27, 2023 | In WS_FTP Server versions prior to 8.8.2, the WS_FTP Server Manager interface was missing cross-site request forgery (CSRF) protection on a POST transaction corresponding to a WS_FTP Server administrative function. |
| CVE-2023-40047 | | | 0.00 | — | 0.00 | | Sep 27, 2023 | In WS_FTP Server versions prior to 8.8.2, a stored cross-site scripting (XSS) vulnerability exists in WS_FTP Server's Management module. An attacker with administrative privileges could import an SSL certificate with malicious attributes containing cross-site scripting… |
| CVE-2023-40046 | | | 0.00 | — | 0.01 | | Sep 27, 2023 | In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a SQL injection vulnerability exists in the WS_FTP Server manager interface. An attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete… |
| CVE-2023-40045 | | | 0.00 | — | 0.01 | | Sep 27, 2023 | In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a reflected cross-site scripting (XSS) vulnerability exists in WS_FTP Server's Ad Hoc Transfer module. An attacker could leverage this vulnerability to target WS_FTP Server users with a specialized payload which results… |
| CVE-2023-42657 | | | 0.00 | — | 0.17 | | Sep 27, 2023 | In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a directory traversal vulnerability was discovered. An attacker could leverage this vulnerability to perform file operations (delete, rename, rmdir, mkdir) on files and folders outside of their authorized WS_FTP folder… |
| CVE-2023-28864 | | | 0.00 | — | 0.00 | | Jul 17, 2023 | Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are… |
| CVE-2023-35759 | | | 0.00 | — | 0.02 | | Jun 23, 2023 | In Progress WhatsUp Gold before 23.0.0, an SNMP-related application endpoint failed to adequately sanitize malicious input. This could allow an unauthenticated attacker to execute arbitrary code in a victim's browser, aka XSS. |
| CVE-2023-34203 | | | 0.00 | — | 0.01 | | Jun 23, 2023 | In Progress OpenEdge OEM (OpenEdge Management) and OEE (OpenEdge Explorer) before 12.7, a remote user (who has any OEM or OEE role) could perform a URL injection attack to change identity or role membership, e.g., escalate to admin. This affects OpenEdge LTS before 11.7.16, 12.x… |
| CVE-2023-34363 | | | 0.00 | — | 0.00 | | Jun 9, 2023 | An issue was discovered in Progress DataDirect Connect for ODBC before 08.02.2770 for Oracle. When using Oracle Advanced Security (OAS) encryption, if an error is encountered initializing the encryption object used to encrypt data, the code falls back to a different encryption… |
| CVE-2023-34364 | | | 0.00 | — | 0.02 | | Jun 9, 2023 | A buffer overflow was discovered in Progress DataDirect Connect for ODBC before 08.02.2770 for Oracle. An overly large value for certain options of a connection string may overrun the buffer allocated to process the string value. This allows an attacker to execute code of their… |
| CVE-2023-26100 | | | 0.00 | — | 0.00 | | Apr 21, 2023 | In Progress Flowmon before 12.2.0, an application endpoint failed to sanitize user-supplied input. A threat actor could leverage a reflected XSS vulnerability to execute arbitrary code within the context of a Flowmon user's web browser. |
| CVE-2023-26101 | | | 0.00 | — | 0.01 | | Apr 21, 2023 | In Progress Flowmon Packet Investigator before 12.1.0, a Flowmon user with access to Flowmon Packet Investigator could leverage a path-traversal vulnerability to retrieve files on the Flowmon appliance's local filesystem. |
| CVE-2023-29375 | | | 0.00 | — | 0.01 | | Apr 10, 2023 | An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930, and 14.3 before 14.3.8025. There is potentially dangerous file upload through the SharePoint connector. |
| CVE-2023-29376 | | | 0.00 | — | 0.00 | | Apr 10, 2023 | An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930, and 14.3 before 14.3.8025. There is potential XSS by privileged users in Sitefinity media libraries. |
| CVE-2022-27665 | | | 0.00 | — | 0.33 | | Apr 3, 2023 | Reflected XSS (via AngularJS sandbox escape expressions) exists in Progress Ipswitch WS_FTP Server 8.6.0. This can lead to execution of malicious code and commands on the client due to improper handling of user-provided input. By inputting malicious payloads in the subdirectory… |
| CVE-2023-24029 | | | 0.00 | — | 0.01 | | Feb 3, 2023 | In Progress WS_FTP Server before 8.8, it is possible for a host administrator to elevate their privileges via the administrative interface due to insufficient authorization controls applied on user modification workflows. |
| CVE-2021-41823 | | | 0.00 | — | 0.00 | | Jan 1, 2023 | The Web Application Firewall (WAF) in Kemp LoadMaster 7.2.54.1 allows certain uses of onmouseover to bypass an XSS protection mechanism. |
| CVE-2022-42711 | | | 0.00 | — | 0.01 | | Oct 12, 2022 | In Progress WhatsUp Gold before 22.1.0, an SNMP MIB Walker application endpoint failed to adequately sanitize malicious input. This could allow an unauthenticated attacker to execute arbitrary code in a victim's browser. |
| CVE-2022-36968 | | | 0.00 | — | 0.00 | | Aug 2, 2022 | In Progress WS_FTP Server prior to version 8.7.3, forms within the administrative interface did not include a nonce to mitigate the risk of cross-site request forgery (CSRF) attacks. |
| CVE-2022-36967 | | | 0.00 | — | 0.01 | | Aug 2, 2022 | In Progress WS_FTP Server prior to version 8.7.3, multiple reflected cross-site scripting (XSS) vulnerabilities exist in the administrative web interface. It is possible for a remote attacker to inject arbitrary JavaScript into a WS_FTP administrator's web session. This would… |
| CVE-2022-29849 | | | 0.00 | — | 0.00 | | May 1, 2022 | In Progress OpenEdge before 11.7.14 and 12.x before 12.2.9, certain SUID binaries within the OpenEdge application were susceptible to privilege escalation. If exploited, a local attacker could elevate their privileges and compromise the affected system. |
| CVE-2021-22891 | | | 0.00 | — | 0.01 | | May 27, 2021 | A missing authorization vulnerability exists in Citrix ShareFile Storage Zones Controller before 5.7.3, 5.8.3, 5.9.3, 5.10.1 and 5.11.18 and may allow unauthenticated remote compromise of the Storage Zones Controller. |
| CVE-2021-28141 | | | 0.00 | — | 0.02 | | Mar 11, 2021 | An issue was discovered in Progress Telerik UI for ASP.NET AJAX 2021.1.224. It allows unauthorized access to MicrosoftAjax.js through the Telerik.Web.UI.WebResource.axd file. This may allow the attacker to gain unauthorized access to the server and execute code. To exploit, one… |
| CVE-2020-12677 | | | 0.00 | — | 0.02 | | May 14, 2020 | An issue was discovered in Progress MOVEit Automation Web Admin. A Web Admin application endpoint failed to adequately sanitize malicious input, which could allow an unauthenticated attacker to execute arbitrary code in a victim's browser, aka XSS. This affects 2018 - 2018.0… |