cvebase

Progress WhatsUp Gold vulnerabilities

56 known vulnerabilities affecting progress/whatsup_gold.

Total CVEs: 56
CISA KEV: 2 (actively exploited)
Public exploits: 12
Exploited in wild: 3
Severity breakdown: CRITICAL 13, HIGH 22, MEDIUM 21

Vulnerabilities

Page 2 of 3
CVE-2024-46905 | P3 | HIGH | CVSS 8.8 | fixed in 24.0.1 | 2024-12-02
CWE-89: In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated lower-privileged user (at least Network Manager permissions required) to achieve privilege escalation to the admin account.
nvd
CVE-2018-8938 | P3 | CRITICAL | CVSS 9.8 | fixed in 18.0 | 2018-05-01
CWE-94: A Code Injection issue was discovered in DlgSelectMibFile.asp in Ipswitch WhatsUp Gold before 2018 (18.0). Malicious actors can inject a specially crafted SNMP MIB file that could allow them to execute arbitrary commands and code on the WhatsUp Gold server.
nvd
CVE-2024-5009 | P3 | HIGH | CVSS 8.4 | fixed in 23.1.3 | 2024-06-25
CWE-269: In WhatsUp Gold versions released before 2023.1.3, an Improper Access Control vulnerability in Wug.UI.Controllers.InstallController.SetAdminPassword allows local attackers to modify admin's password.
nvd
CVE-2024-46908 | P3 | HIGH | CVSS 8.8 | fixed in 24.0.1 | 2024-12-02
CWE-89: In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account.
nvd
CVE-2024-46907 | P3 | HIGH | CVSS 8.8 | fixed in 24.0.1 | 2024-12-02
CWE-89: In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account.
nvd
CVE-2024-6672 | P3 | HIGH | CVSS 8.8 | fixed in 24.0 | 2024-08-29
CWE-89: In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an authenticated low-privileged attacker to achieve privilege escalation by modifying a privileged user's password.
nvd
CVE-2024-5015 | P3 | HIGH | CVSS 8.8 | fixed in 23.1.3 | 2024-06-25
CWE-918: In WhatsUp Gold versions released before 2023.1.3, an authenticated SSRF vulnerability in Wug.UI.Areas.Wug.Controllers.SessionControler.Update allows a low privileged user to chain this SSRF with an Improper Access Control vulnerability. This can be used to escalate privileges to Admin.
nvd
CVE-2018-5777 | P3 | CRITICAL | CVSS 9.8 | fixed in 17.1.1 | 2018-01-24
An issue was discovered in Ipswitch WhatsUp Gold before 2017 Plus SP1 (17.1.1). Remote clients can take advantage of a misconfiguration in the TFTP server that could allow attackers to execute arbitrary commands on the TFTP server via unspecified vectors.
nvd
CVE-2024-12105 | P3 | MEDIUM | CVSS 6.5 | ≥ 23.1.0, < 24.0.2 | 2024-12-31
CWE-22: In WhatsUp Gold versions released before 2024.0.2, an authenticated user can use a specially crafted HTTP request that can lead to information disclosure.
nvd
CVE-2024-12106 | P3 | HIGH | CVSS 7.5 | ≥ 23.1.0, < 24.0.2 | 2024-12-31
CWE-306: In WhatsUp Gold versions released before 2024.0.2, an unauthenticated attacker can configure LDAP settings.
nvd
CVE-2024-5012 | P3 | HIGH | CVSS 8.6 | fixed in 23.1.3 | 2024-06-25
CWE-287: In WhatsUp Gold versions released before 2023.1.3, there is a missing authentication vulnerability in WUGDataAccess.Credentials. This vulnerability allows unauthenticated attackers to disclose Windows Credentials stored in the product Credential Library.
nvd
CVE-2018-8939 | P3 | CRITICAL | CVSS 9.8 | fixed in 18.0 | 2018-05-01
CWE-918: An SSRF issue was discovered in NmAPI.exe in Ipswitch WhatsUp Gold before 2018 (18.0). Malicious actors can submit specially crafted requests via the NmAPI executable to (1) gain unauthorized access to the WhatsUp Gold system, (2) obtain information about the WhatsUp Gold system, or (3) execute remote commands.
nvd
CVE-2022-42711 | P3 | CRITICAL | CVSS 9.6 | fixed in 22.1.0 | 2022-10-12
CWE-79: In Progress WhatsUp Gold before 22.1.0, an SNMP MIB Walker application endpoint failed to adequately sanitize malicious input. This could allow an unauthenticated attacker to execute arbitrary code in a victim's browser.
nvd
CVE-2018-5778 | P3 | CRITICAL | CVSS 9.8 | fixed in 17.1.1 | 2018-01-24
CWE-89: An issue was discovered in Ipswitch WhatsUp Gold before 2017 Plus SP1 (17.1.1). Multiple SQL injection vulnerabilities are present in the legacy .ASP pages, which could allow attackers to execute arbitrary SQL commands via unspecified vectors.
nvd
CVE-2016-1000000 | P3 | HIGH | CVSS 8.8 | ≤ 16.4 | 2016-10-06
CWE-89: Ipswitch WhatsUp Gold 16.4.1 WrFreeFormText.asp sUniqueID Parameter Blind SQL Injection
nvd
CVE-2024-5018 | P3 | HIGH | CVSS 7.5 | fixed in 23.1.3 | 2024-06-25
CWE-22: In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Path Traversal vulnerability exists in Wug.UI.Areas.Wug.Controllers.SessionController.LoadNMScript. This allows reading of any file from the application's web-root directory.
nvd
CVE-2024-7763 | P3 | HIGH | CVSS 7.5 | fixed in 24.0 | 2024-10-24
CWE-287: In WhatsUp Gold versions released before 2024.0.0, an Authentication Bypass issue exists which allows an attacker to obtain encrypted user credentials.
nvd
CVE-2024-5019 | P3 | HIGH | CVSS 7.5 | fixed in 23.1.3 | 2024-06-25
CWE-22: In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Arbitrary File Read issue exists in Wug.UI.Areas.Wug.Controllers.SessionController.CachedCSS. This vulnerability allows reading of any file with iisapppool\NmConsole privileges.
nvd
CVE-2015-6004 | P3 | MEDIUM | CVSS 6.5 | ≤ 16.3 | 2015-12-27
CWE-89: Multiple SQL injection vulnerabilities in IPSwitch WhatsUp Gold before 16.4 allow remote attackers to execute arbitrary SQL commands via (1) the UniqueID (aka sUniqueID) parameter to WrFreeFormText.asp in the Reports component or (2) the Find Device parameter.
nvd
CVE-2012-4344 | P4 | MEDIUM | CVSS 4.3 | PoC | v15.02 | 2012-08-15
CWE-79: Cross-site scripting (XSS) vulnerability in Ipswitch WhatsUp Gold 15.02 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving the SNMP system name of the attacking host.
nvd