Progress Software Corporation WhatsUp Gold vulnerabilities
37 known vulnerabilities affecting progress_software_corporation/whatsup_gold.
Total CVEs: 37
CISA KEV: 2 (actively exploited)
Public exploits: 3
Exploited in wild: 3
Severity breakdown: CRITICAL 7, HIGH 17, MEDIUM 13
Vulnerabilities
Page 1 of 2
CVE-2024-4885 | P1 | CRITICAL | CVSS 9.8 | KEV | PoC | CWE-22 | ≥ 2023.1.0, < 2023.1.3 | 2024-06-25
In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability exists in Progress WhatsUp Gold. The WhatsUp.ExportUtilities.Export.GetFileWithoutZip allows execution of commands with iisapppool\nmconsole privileges.
Source: NVD
CVE-2024-6670 | P1 | CRITICAL | CVSS 9.8 | KEV | PoC | Ransomware | CWE-89 | ≥ 2023.1.0, < 2024.0.0 | 2024-08-29
In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password.
Source: NVD
CVE-2024-6671 | P1 | CRITICAL | CVSS 9.8 | Exploited | PoC | CWE-89 | ≥ 2023.1.0, < 2024.0.0 | 2024-08-29
In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password.
Source: NVD
CVE-2024-4883 | P1 | CRITICAL | CVSS 9.8 | CWE-77 | ≥ 2023.1.0, < 2023.1.3 | 2024-06-25
In WhatsUp Gold versions released before 2023.1.3, a Remote Code Execution issue exists in Progress WhatsUp Gold. This vulnerability allows an unauthenticated attacker to achieve RCE as a service account through NmApi.exe.
Source: NVD
CVE-2024-46909 | P1 | CRITICAL | CVSS 9.8 | CWE-16 | ≥ 2023.1.0, < 2024.0.1 | 2024-12-02
In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage this vulnerability to execute code in the context of the service account.
Source: NVD
CVE-2024-4884 | P1 | CRITICAL | CVSS 9.8 | CWE-77 | ≥ 2023.1.0, < 2023.1.3 | 2024-06-25
In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability exists in Progress WhatsUp Gold. The Apm.UI.Areas.APM.Controllers.CommunityController allows execution of commands with iisapppool\nmconsole privileges.
Source: NVD
CVE-2024-46906 | P2 | HIGH | CVSS 8.8 | CWE-89 | ≥ 2023.1.0, < 2024.0.1 | 2024-12-02
In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account.
Source: NVD
CVE-2024-5010 | P2 | HIGH | CVSS 7.5 | CWE-200 | ≥ 2023.1.0, < 2023.1.3 | 2024-06-25
In WhatsUp Gold versions released before 2023.1.3, a vulnerability exists in the TestController functionality. A specially crafted unauthenticated HTTP request can lead to a disclosure of sensitive information.
Source: NVD
CVE-2024-5008 | P2 | HIGH | CVSS 8.8 | CWE-434 | ≥ 2023.1.0, < 2023.1.3 | 2024-06-25
In WhatsUp Gold versions released before 2023.1.3, an authenticated user with certain permissions can upload an arbitrary file and obtain RCE using Apm.UI.Areas.APM.Controllers.Api.Applications.AppProfileImportController.
Source: NVD
CVE-2024-12108 | P2 | CRITICAL | CVSS 9.6 | CWE-290 | ≥ 2023.1.0, < 2024.0.2 | 2024-12-31
In WhatsUp Gold versions released before 2024.0.2, an attacker can gain access to the WhatsUp Gold server via the public API.
Source: NVD
CVE-2024-5016 | P2 | HIGH | CVSS 7.2 | CWE-502 | ≥ 2023.1.0, < 2023.1.3 | 2024-06-25
In WhatsUp Gold versions released before 2023.1.3, Distributed Edition installations can be exploited by using a deserialization tool to achieve a Remote Code Execution as SYSTEM.
The vulnerability exists in the main message processing routines NmDistributed.DistributedServiceBehavior.OnMessage for server and NmDistributed.DistributedClient.OnMessage fo
Source: NVD
CVE-2024-5011 | P3 | HIGH | CVSS 7.5 | CWE-400 | ≥ 2023.1.0, < 2023.1.3 | 2024-06-25
In WhatsUp Gold versions released before 2023.1.3, an uncontrolled resource consumption vulnerability exists. A specially crafted unauthenticated HTTP request to the TestController Chart functionality can lead to denial of service.
Source: NVD
CVE-2024-46905 | P3 | HIGH | CVSS 8.8 | CWE-89 | ≥ 2023.1.0, < 2024.0.1 | 2024-12-02
In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated lower-privileged user (at least Network Manager permissions required) to achieve privilege escalation to the admin account.
Source: NVD
CVE-2024-5009 | P3 | HIGH | CVSS 8.4 | CWE-269 | ≥ 2023.1.0, < 2023.1.3 | 2024-06-25
In WhatsUp Gold versions released before 2023.1.3, an Improper Access Control vulnerability in Wug.UI.Controllers.InstallController.SetAdminPassword allows local attackers to modify the admin's password.
Source: NVD
CVE-2024-46908 | P3 | HIGH | CVSS 8.8 | CWE-89 | ≥ 2023.1.0, < 2024.0.1 | 2024-12-02
In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account.
Source: NVD
CVE-2024-46907 | P3 | HIGH | CVSS 8.8 | CWE-89 | ≥ 2023.1.0, < 2024.0.1 | 2024-12-02
In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account.
Source: NVD
CVE-2024-6672 | P3 | HIGH | CVSS 8.8 | CWE-89 | ≥ 2023.1.0, < 2024.0.0 | 2024-08-29
In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an authenticated low-privileged attacker to achieve privilege escalation by modifying a privileged user's password.
Source: NVD
CVE-2024-5015 | P3 | HIGH | CVSS 8.8 | CWE-918 | ≥ 2023.1.0, < 2023.1.3 | 2024-06-25
In WhatsUp Gold versions released before 2023.1.3, an authenticated SSRF vulnerability in Wug.UI.Areas.Wug.Controllers.SessionControler.Update allows a low-privileged user to chain this SSRF with an Improper Access Control vulnerability. This can be used to escalate privileges to Admin.
Source: NVD
CVE-2024-12105 | P3 | MEDIUM | CVSS 6.5 | CWE-22 | ≥ 2023.1.0, < 2024.0.2 | 2024-12-31
In WhatsUp Gold versions released before 2024.0.2, an authenticated user can use a specially crafted HTTP request that can lead to information disclosure.
Source: NVD
CVE-2024-12106 | P3 | HIGH | CVSS 7.5 | CWE-306 | ≥ 2023.1.0, < 2024.0.2 | 2024-12-31
In WhatsUp Gold versions released before 2024.0.2, an unauthenticated attacker can configure LDAP settings.
Source: NVD