Progress Openedge vulnerabilities
12 known vulnerabilities affecting progress/openedge.
Total CVEs
12
CISA KEV
0
Public exploits
1
Exploited in wild
0
Severity breakdown
CRITICAL5HIGH4MEDIUM3
Vulnerabilities
Page 1 of 1
CVE-2024-1403P2CRITICALCVSS 9.8fixed in 11.7.19≥ 11.8, < 12.2.14+4 more2024-02-27
CVE-2024-1403 [CRITICAL] CWE-305 CVE-2024-1403: In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platform
In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified. The
vulnerability is a bypass to authentication based on a failure to properly
handle username and password. Certain unexpected
content passed into the cr
nvd
CVE-2023-40051P2CRITICALCVSS 9.9≥ 11.7, < 11.7.18≥ 12.2, < 12.2.132024-01-18
CVE-2023-40051 [CRITICAL] CWE-434 CVE-2023-40051: This issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18,
This issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0. An attacker can formulate a request for a WEB transport that allows unintended file uploads to a server directory path on the system running PASOE. If the upload contains a payload tha
nvd
CVE-2015-9245P2CRITICALCVSS 9.8v10.2av10.2b+8 more2017-10-31
CVE-2015-9245 [CRITICAL] CWE-284 CVE-2015-9245: Insecure default configuration in Progress Software OpenEdge 10.2x and 11.x allows unauthenticated r
Insecure default configuration in Progress Software OpenEdge 10.2x and 11.x allows unauthenticated remote attackers to specify arbitrary URLs from which to load and execute malicious Java classes via port 20931.
nvd
CVE-2014-8555P3MEDIUMCVSS 5.0PoCv11.22014-11-12
CVE-2014-8555 [MEDIUM] CWE-22 CVE-2014-8555: Directory traversal vulnerability in report/reportViewAction.jsp in Progress Software OpenEdge 11.2
Directory traversal vulnerability in report/reportViewAction.jsp in Progress Software OpenEdge 11.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the selection parameter.
nvd
CVE-2007-2417P3CRITICALCVSS 10.0v10.1av10.1b2007-07-15
CVE-2007-2417 [CRITICAL] CVE-2007-2417: Heap-based buffer overflow in _mprosrv.exe in Progress Software Progress 9.1E and OpenEdge 10.1x, as
Heap-based buffer overflow in _mprosrv.exe in Progress Software Progress 9.1E and OpenEdge 10.1x, as used by the RSA Authentication Manager 6.0 and 6.1, SecurID Appliance 2.0, ACE/Server 5.2, and possibly other products, allows remote attackers to execute arbitrary code via crafted packets. NOTE: this issue might overlap CVE-2007-3491.
nvd
CVE-2023-34203P3HIGHCVSS 8.8fixed in 11.7.16≥ 12.0, < 12.2.12+1 more2023-06-23
CVE-2023-34203 [HIGH] CWE-74 CVE-2023-34203: In Progress OpenEdge OEM (OpenEdge Management) and OEE (OpenEdge Explorer) before 12.7, a remote use
In Progress OpenEdge OEM (OpenEdge Management) and OEE (OpenEdge Explorer) before 12.7, a remote user (who has any OEM or OEE role) could perform a URL injection attack to change identity or role membership, e.g., escalate to admin. This affects OpenEdge LTS before 11.7.16, 12.x before 12.2.12, and 12.3.x through 12.6.x before 12.7.
nvd
CVE-2024-7345P3CRITICALCVSS 9.6≤ 11.7.18≥ 12.0, ≤ 12.2.13+2 more2024-09-03
CVE-2024-7345 [CRITICAL] CWE-94 CVE-2024-7345: Local ABL Client bypass of the required PASOE security checks may allow an attacker to commit unauth
Local ABL Client bypass of the required PASOE security checks may allow an attacker to commit unauthorized code injection into Multi-Session Agents on supported OpenEdge LTS platforms up to OpenEdge LTS 11.7.18 and LTS 12.2.13 on all supported release platforms
nvd
CVE-2023-40052P3HIGHCVSS 7.5≥ 11.7, < 11.7.18≥ 12.2, < 12.2.132024-01-18
CVE-2023-40052 [HIGH] CWE-119 CVE-2023-40052: This issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.
This issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0
.
An attacker who can produce a malformed web request may cause the crash of a PASOE agent potentially disrupting the thread activities of many web application clients. Multiple of these DoS
nvd
CVE-2022-29849P3HIGHCVSS 7.8≥ 11.7, < 11.7.14≥ 12.0.0, < 12.2.92022-05-02
CVE-2022-29849 [HIGH] CVE-2022-29849: In Progress OpenEdge before 11.7.14 and 12.x before 12.2.9, certain SUID binaries within the OpenEdg
In Progress OpenEdge before 11.7.14 and 12.x before 12.2.9, certain SUID binaries within the OpenEdge application were susceptible to privilege escalation. If exploited, a local attacker could elevate their privileges and compromise the affected system.
nvd
CVE-2007-3491P3HIGHCVSS 7.5v9.1ev10.1a+1 more2007-06-29
CVE-2007-3491 [HIGH] CVE-2007-3491: Buffer overflow in _mprosrv in Progress Software OpenEdge before 9.1E0422, and 10.x before 10.1B01,
Buffer overflow in _mprosrv in Progress Software OpenEdge before 9.1E0422, and 10.x before 10.1B01, allows remote attackers to have an unknown impact via a malformed TCP/IP message.
nvd
CVE-2024-7654P4MEDIUMCVSS 6.1≤ 11.7.19≥ 12.2, ≤ 12.2.14+4 more2024-09-03
CVE-2024-7654 [MEDIUM] CWE-79 CVE-2024-7654: An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when
An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated. Unauthorized access to the discovery service's UDP port allowed content injection into parts of the OEM web interface making it possible for other types of attack that could spoof or deceive web interface
nvd
CVE-2024-7346P4MEDIUMCVSS 4.8≤ 11.7.19≥ 12.0, ≤ 12.2.14+2 more2024-09-03
CVE-2024-7346 [MEDIUM] CWE-297 CVE-2024-7346: Host name validation for TLS certificates is bypassed when the installed OpenEdge default certificat
Host name validation for TLS certificates is bypassed when the installed OpenEdge default certificates are used to perform the TLS handshake for a networked connection. This has been corrected so that default certificates are no longer capable of overriding host name validation and will need to be replaced where full TLS certificate validation is need
nvd