cvebase

Progress Software Corporation WhatsUp Gold vulnerabilities

37 known vulnerabilities affecting progress_software_corporation/whatsup_gold.

Total CVEs: 37
CISA KEV (actively exploited): 2
Public exploits: 3
Exploited in wild: 3
Severity breakdown: CRITICAL 7, HIGH 17, MEDIUM 13

Vulnerabilities

Page 1 of 2
CVE-2024-4885 | P1 | CRITICAL | CVSS 9.8 | KEV | PoC | ≥ 2023.1.0, < 2023.1.3 | 2024-06-25
CVE-2024-4885 [CRITICAL] CWE-22: In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability in Progress WhatsUpGold. The WhatsUp.ExportUtilities.Export.GetFileWithoutZip allows execution of commands with iisapppool\nmconsole privileges.
nvd
CVE-2024-6670 | P1 | CRITICAL | CVSS 9.8 | KEV | PoC | Ransomware | ≥ 2023.1.0, < 2024.0.0 | 2024-08-29
CVE-2024-6670 [CRITICAL] CWE-89: In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.
nvd
CVE-2024-6671 | P1 | CRITICAL | CVSS 9.8 | Exploited | PoC | ≥ 2023.1.0, < 2024.0.0 | 2024-08-29
CVE-2024-6671 [CRITICAL] CWE-89: In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.
nvd
CVE-2024-4883 | P1 | CRITICAL | CVSS 9.8 | ≥ 2023.1.0, < 2023.1.3 | 2024-06-25
CVE-2024-4883 [CRITICAL] CWE-77: In WhatsUp Gold versions released before 2023.1.3, a Remote Code Execution issue exists in Progress WhatsUp Gold. This vulnerability allows an unauthenticated attacker to achieve the RCE as a service account through NmApi.exe.
nvd
CVE-2024-46909 | P1 | CRITICAL | CVSS 9.8 | ≥ 2023.1.0, < 2024.0.1 | 2024-12-02
CVE-2024-46909 [CRITICAL] CWE-16: In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage this vulnerability to execute code in the context of the service account.
nvd
CVE-2024-4884 | P1 | CRITICAL | CVSS 9.8 | ≥ 2023.1.0, < 2023.1.3 | 2024-06-25
CVE-2024-4884 [CRITICAL] CWE-77: In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability in Progress WhatsUpGold. The Apm.UI.Areas.APM.Controllers.CommunityController allows execution of commands with iisapppool\nmconsole privileges.
nvd
CVE-2024-46906 | P2 | HIGH | CVSS 8.8 | ≥ 2023.1.0, < 2024.0.1 | 2024-12-02
CVE-2024-46906 [HIGH] CWE-89: In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account.
nvd
CVE-2024-5010 | P2 | HIGH | CVSS 7.5 | ≥ 2023.1.0, < 2023.1.3 | 2024-06-25
CVE-2024-5010 [HIGH] CWE-200: In WhatsUp Gold versions released before 2023.1.3, a vulnerability exists in the TestController functionality. A specially crafted unauthenticated HTTP request can lead to a disclosure of sensitive information.
nvd
CVE-2024-5008 | P2 | HIGH | CVSS 8.8 | ≥ 2023.1.0, < 2023.1.3 | 2024-06-25
CVE-2024-5008 [HIGH] CWE-434: In WhatsUp Gold versions released before 2023.1.3, an authenticated user with certain permissions can upload an arbitrary file and obtain RCE using Apm.UI.Areas.APM.Controllers.Api.Applications.AppProfileImportController.
nvd
CVE-2024-12108 | P2 | CRITICAL | CVSS 9.6 | ≥ 2023.1.0, < 2024.0.2 | 2024-12-31
CVE-2024-12108 [CRITICAL] CWE-290: In WhatsUp Gold versions released before 2024.0.2, an attacker can gain access to the WhatsUp Gold server via the public API.
nvd
CVE-2024-5016 | P2 | HIGH | CVSS 7.2 | ≥ 2023.1.0, < 2023.1.3 | 2024-06-25
CVE-2024-5016 [HIGH] CWE-502: In WhatsUp Gold versions released before 2023.1.3, Distributed Edition installations can be exploited by using a deserialization tool to achieve a Remote Code Execution as SYSTEM. The vulnerability exists in the main message processing routines NmDistributed.DistributedServiceBehavior.OnMessage for server and NmDistributed.DistributedClient.OnMessage fo
nvd
CVE-2024-5011 | P3 | HIGH | CVSS 7.5 | ≥ 2023.1.0, < 2023.1.3 | 2024-06-25
CVE-2024-5011 [HIGH] CWE-400: In WhatsUp Gold versions released before 2023.1.3, an uncontrolled resource consumption vulnerability exists. A specially crafted unauthenticated HTTP request to the TestController Chart functionality can lead to denial of service.
nvd
CVE-2024-46905 | P3 | HIGH | CVSS 8.8 | ≥ 2023.1.0, < 2024.0.1 | 2024-12-02
CVE-2024-46905 [HIGH] CWE-89: In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated lower-privileged user (at least Network Manager permissions required) to achieve privilege escalation to the admin account.
nvd
CVE-2024-5009 | P3 | HIGH | CVSS 8.4 | ≥ 2023.1.0, < 2023.1.3 | 2024-06-25
CVE-2024-5009 [HIGH] CWE-269: In WhatsUp Gold versions released before 2023.1.3, an Improper Access Control vulnerability in Wug.UI.Controllers.InstallController.SetAdminPassword allows local attackers to modify admin's password.
nvd
CVE-2024-46908 | P3 | HIGH | CVSS 8.8 | ≥ 2023.1.0, < 2024.0.1 | 2024-12-02
CVE-2024-46908 [HIGH] CWE-89: In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account.
nvd
CVE-2024-46907 | P3 | HIGH | CVSS 8.8 | ≥ 2023.1.0, < 2024.0.1 | 2024-12-02
CVE-2024-46907 [HIGH] CWE-89: In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account.
nvd
CVE-2024-6672 | P3 | HIGH | CVSS 8.8 | ≥ 2023.1.0, < 2024.0.0 | 2024-08-29
CVE-2024-6672 [HIGH] CWE-89: In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an authenticated low-privileged attacker to achieve privilege escalation by modifying a privileged user's password.
nvd
CVE-2024-5015 | P3 | HIGH | CVSS 8.8 | ≥ 2023.1.0, < 2023.1.3 | 2024-06-25
CVE-2024-5015 [HIGH] CWE-918: In WhatsUp Gold versions released before 2023.1.3, an authenticated SSRF vulnerability in Wug.UI.Areas.Wug.Controllers.SessionControler.Update allows a low privileged user to chain this SSRF with an Improper Access Control vulnerability. This can be used to escalate privileges to Admin.
nvd
CVE-2024-12105 | P3 | MEDIUM | CVSS 6.5 | ≥ 2023.1.0, < 2024.0.2 | 2024-12-31
CVE-2024-12105 [MEDIUM] CWE-22: In WhatsUp Gold versions released before 2024.0.2, an authenticated user can use a specially crafted HTTP request that can lead to information disclosure.
nvd
CVE-2024-12106 | P3 | HIGH | CVSS 7.5 | ≥ 2023.1.0, < 2024.0.2 | 2024-12-31
CVE-2024-12106 [HIGH] CWE-306: In WhatsUp Gold versions released before 2024.0.2, an unauthenticated attacker can configure LDAP settings.
nvd