56 matches found
CVE-2022-29846
Progress WhatsUp Gold (versions 16.1–21.1.1 and 22.0.0) is affected by a vulnerability that allows an unauthenticated attacker to obtain the product installation serial number. The publicly provided documents confirm affected versions and the disclosure impact, but do not specify the root cause d...
CVE-2022-29845
Summary: CVE-2022-29845 affects Progress Ipswitch WhatsUp Gold versions 21.1.0–21.1.1 and 22.0.0. An authenticated user can trigger an API transaction to read the contents of a local file. The Red Hat and CVE CN/CZ records corroborate this issue with the same description. The Metasploit entry sho...
CVE-2022-29847
CVE-2022-29847 affects Progress IPSWITCH WhatsUp Gold versions 21.0.0–21.1.1 and 22.0.0. An unauthenticated attacker can invoke an API transaction to relay encrypted WhatsUp Gold user credentials to an arbitrary host. Impact: credential exposure via API, enabling unauthorized access. Exploitation...
CVE-2022-29848
CVE-2022-29848 affects Progress WhatsUp Gold 17.0.0–21.1.1 and 22.0.0. An authenticated user can invoke an API transaction that enables reading sensitive operating-system attributes from a host accessible by the WhatsUp Gold system. The Red Hat, CVE, and related references corroborate the issue a...
CVE-2024-6670
Summary (CVE-2024-6670): Progress WhatsUp Gold prior to version 24.0.0 contains a SQL Injection vulnerability that can allow an unauthenticated attacker to retrieve a user’s encrypted password. Public references confirm exploitation guidance (e.g., Metasploit module) and acknowledgments by CISA K...
CVE-2024-4885
Progress WhatsUp Gold GetFileWithoutZip Directory Traversal (CVE-2024-4885) allows unauthenticated remote code execution. The flaw stems from unvalidated user-supplied paths used in file operations within GetFileWithoutZip, enabling commands to run with iisapppool\nmconsole/service account privil...
CVE-2023-35759
WhatsUp Gold before 23.0.0 contains a cross-site scripting (XSS) vulnerability in a SNMP-related application endpoint that fails to sanitize input, allowing an unauthenticated attacker to execute arbitrary code in a victim’s browser. The issue is reported as stored XSS in the sysName SNMP paramet...
CVE-2024-12108
CVE-2024-12108 affects Progress WhatsUp Gold versions before 2024.0.2. The available connected sources indicate that an attacker can gain unauthorized access to the WhatsUp Gold server through the public API. The impact is described as high/critical in CVSS terms (network access, low attack compl...
CVE-2024-8785
CVE-2024-8785 affects Progress WhatsUp Gold pre-2024.0.1. The vulnerability stems from NmAPI.exe enabling remote unauthenticated actors to create or modify a registry value at HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch, potentially enabling remote code execution. Connected documents confirm...
CVE-2024-4884
The CVE-2024-4884 family affects Progress WhatsUp Gold versions released before 2023.1.3, with unauthenticated remote code execution via the CommunityController (Apm.UI.Areas.APM.Controllers.CommunityController) and related paths (GetFileWithoutZip) that allow command execution with iisapppool\nm...
CVE-2024-6671
WhatsUp Gold (Progress) is affected in versions released before 2024.0.0 where, in single-user configurations, an unauthenticated attacker can perform SQL injection to retrieve encrypted user passwords (authentication bypass risk). The connected Nuclei template confirms the vulnerability as a SQL...
CVE-2024-12105
Talos TALOS-2024-2089 describes a path traversal vulnerability in Progress WhatsUp Gold 24.0.1 Build 2177 (Total Plus Edition) via the SnmpExtendedActiveMonitor functionality. An authenticated user can craft a request to SNMP Extended Monitor actions (xmlFileName parameter) which is used unsafely...
CVE-2025-2572
CVE-2025-2572 affects Progress WhatsUp Gold before 2024.0.3. A database manipulation vulnerability allows an unauthenticated attacker to modify WhatsUp.dbo.WrlsMacAddressGroup. Impact is integrity loss of that table; no explicit exploit details provided in the documents. Remediation: upgrade to v...
CVE-2004-0798
CVE-2004-0798 affects Ipswitch WhatsUp Gold web server (versions 8.03 and earlier). A buffer overflow in the internal _maincfgret.cgi when processing a long instancename parameter allows remote attackers to execute arbitrary code, as documented by multiple sources. Public exploit references exist...
CVE-2024-4883
Progress WhatsUp Gold is affected pre-2023.1.3 by an unauthenticated remote code execution via NmApi.exe (CVE-2024-4883). The root cause involves improper handling/validation in the NmApi surface enabling code execution as the service account. Impact is high (RCE, remote compromise). A PoC/exploi...
CVE-2015-8261
Ipswitch WhatsUp Gold before 16.4 is vulnerable to SQL injection via the DroneDeleteOldMeasurements SOAP handler, caused by improper validation of serialized XML objects. A remote attacker can craft a SOAP request to inject/manipulate SQL in the back-end database, potentially exposing or altering...
CVE-2024-5009
CVE-2024-5009 : Progress WhatsUp Gold pre-2023.1.3 contains an improper access control in Wug.UI.Controllers.InstallController.SetAdminPassword that allows local attackers to modify the admin password (privilege escalation). Affected product: Progress WhatsUp Gold; vulnerability appears in the Se...
CVE-2024-5018
Progress WhatsUp Gold contains a Path Traversal vulnerability (CVE-2024-5018) in the LoadNMScript path, affecting versions released before 2023.1.3. The issue resides in Wug.UI.Areas.Wug.Controllers.SessionController.LoadNMScript and allows reading files from the application's web-root without au...
CVE-2016-1000000
CVE-2016-1000000 concerns a SQL injection in Ipswitch WhatsUp Gold, specifically in the web page WrFreeFormText.asp via the sUniqueID parameter (and related fields). The vulnerability is described as a Blind SQL Injection in version 16.4.1, with potential for an authenticated, remote attacker to ...
CVE-2024-6672
Summary: CVE-2024-6672 affects Progress WhatsUp Gold versions prior to 2024.0.0. A SQL injection in the getMonitorJoin path allows an authenticated, low-privileged attacker to escalate privileges by modifying a privileged user’s password. The vulnerability relies on unsafely constructed SQL using...
CVE-2024-46905
CVE-2024-46905 affects Progress WhatsUp Gold prior to 2024.0.1. A SQL Injection vulnerability in the GetOrderByClause function allows an authenticated, lower-privileged user (at least Network Manager permissions) to escalate to the admin account. The issue is mitigated by upgrading to 2024.0.1 or...
CVE-2024-46909
Progress WhatsUp Gold prior to 2024.0.1 is affected by a directory traversal that can lead to remote code execution. The root cause is exposed WriteDataFile handling, allowing an unauthenticated remote attacker to execute code in the service account context. Remediation: update to version 2024.0....
CVE-2024-7763
Summary: CVE-2024-7763 affects Progress Software WhatsUp Gold prior to 2024.0.0. The vulnerability is an authentication bypass in the getReport feature, enabling an attacker to obtain encrypted user credentials. Affected software: Progress WhatsUp Gold (versions before 2024.0.0). Root cause / vul...
CVE-2012-2601
Ipswitch WhatsUp Gold 15.02 is affected by CVE-2012-2601 due to a blind SQL injection in WrVMwareHostList.asp via the sGroupList parameter, allowing remote SQL command execution. The issue is documented in multiple sources (NVD, CERT, Nessus) with PoC-like references and a CVSS base score of 7.5....
CVE-2015-6004
Ipswitch WhatsUp Gold prior to 16.4 is affected by CVE-2015-6004 (SQL injection) via the sUniqueID/Find Device inputs in the Reports component, enabling an authenticated remote attacker to manipulate or disclose data in the backend database. The issue is complemented by CVE-2015-6005 (stored XSS)...
CVE-2022-42711
CVE-2022-42711 affects Progress WhatsUp Gold prior to 22.1.0. The SNMP MIB Walker endpoint fails to sanitize input, enabling an unauthenticated attacker to execute arbitrary code in a victim’s browser. Documented by multiple sources (Red Hat, NVD/CVE records, CNNVD, PT-Security) with a high-sever...
CVE-2024-12106
CVE-2024-12106 affects Progress WhatsUp Gold versions before 2024.0.2. The vulnerability is an authentication-bypass-like issue where an unauthenticated attacker can configure LDAP settings through the product, exposing risk to access control and data integrity. Multiple connected sources corrobo...
CVE-2024-5016
Progress WhatsUp Gold before 2023.1.3 is affected by an OnMessage deserialization vulnerability that allows remote code execution as SYSTEM. The issue occurs in the main message processing routines NmDistributed.DistributedServiceBehavior.OnMessage (server) and NmDistributed.DistributedClient.OnM...
CVE-2018-8939
CVE-2018-8939 describes a Server-Side Request Forgery (SSRF) in NmAPI.exe of Ipswitch WhatsUp Gold, affecting versions prior to 18.0. An attacker can submit specially crafted requests via NmAPI.exe to gain unauthorized access, obtain information about the WhatsUp Gold system, or execute remote co...
CVE-2024-46908
WhatsUp Gold (Progress) has a SQL Injection vulnerability (CVE-2024-46908) exploitable by an authenticated, low-privileged user with at least Report Viewer permissions, enabling privilege escalation to admin. Affected are versions released before 2024.0.1, where the GetFilterCriteria function is ...
CVE-2024-5008
Progress WhatsUp Gold is affected in versions released before 2023.1.3 where an authenticated user with certain permissions can upload an arbitrary file via Apm.UI.Areas.APM.Controllers.Api.Applications.AppProfileImportController to achieve remote code execution. The issue is documented across mu...
CVE-2024-5015
CVE-2024-5015 – Progress WhatsUp Gold : Affected product is Progress WhatsUp Gold, versions released before 2023.1.3. An authenticated SSRF in Wug.UI.Areas.Wug.Controllers.SessionControler.Update allows a low-privileged user to chain this SSRF with an Improper Access Control vulnerability to esca...
CVE-2024-5017
Summary of CVE-2024-5017 : In Progress WhatsUp Gold, the AppProfileImport endpoint (authenticated path) is vulnerable to a path traversal flaw. A crafted HTTP request with a manipulated fileName parameter enables an attacker to probe for file existence and potentially disclose information from th...
CVE-2004-0799
Ipswitch WhatsUp Gold 8.03 and 8.03 Hotfix 1 are affected by a vulnerability in the HTTP daemon where processing a GET request containing an MS-DOS device name (notably prn.htm) triggers an unhandled exception, causing the web server component to crash and resulting in a denial of service. The is...
CVE-2024-46907
WhatsUp Gold (Progress) versions prior to 2024.0.1 are affected by a SQL Injection in the GetFilterCriteria path that can be exploited by an authenticated low-privileged user (at least Report Viewer) to escalate to admin. Affected component: GetFilterCriteria SQL path; root cause: SQL Injection d...
CVE-2024-5012
Progress WhatsUp Gold
CVE-2015-6005
Ipswitch WhatsUp Gold (pre-16.4) is affected by multiple XSS vulnerabilities (CVE-2015-6005) due to improper validation in various fields (e.g., SNMP OID objects, SNMP traps, View/Group/Policy/Template Libraries, System Script Library, CLI Settings, etc.). An authenticated remote attacker could i...
CVE-2023-6367
Progress WhatsUp Gold versions released before 2023.1 are affected by a stored cross-site scripting (XSS) vulnerability in Roles. An attacker can store a crafted XSS payload in Roles, and when a user interacts with it, malicious JavaScript could run in the victim’s browser. Root cause: input stor...
CVE-2024-46906
Progress WhatsUp Gold before 24.0.1 is affected by a GetSqlWhereClause SQL Injection that can escalate an authenticated, low-privilege user (Report Viewer) to admin. Affected product: Progress WhatsUp Gold. Root cause: improper validation of a user-supplied string used to build SQL queries. Impac...
CVE-2024-5010
Progress Software’s WhatsUp Gold TestController contains an information-disclosure vulnerability (CVE-2024-5010) affecting versions such as 23.1.0 Build 1697 prior to 23.1.3. An unauthenticated HTTP request can disclose sensitive data (e.g., Devices and NetworkInterfaces), enabling disclosure of ...
CVE-2024-5014
CVE-2024-5014 affects Progress WhatsUp Gold prior to 2023.1.3, where the GetASPReport feature permits an authenticated user to retrieve ASP reports, revealing sensitive information. The root cause is an information-disclosure vulnerability in GetASPReport, enabling SSRF-style access to reports. T...
CVE-2023-6368
CVE-2023-6368 affects Progress WhatsUp Gold versions prior to 2023.1, where an API endpoint is missing authentication. This allows an unauthenticated attacker to enumerate information about a registered device being monitored. Connected sources also show an associated advisory that generally reco...
CVE-2024-5011
CVE-2024-5011 affects Progress WhatsUp Gold. Talos confirms an unauthenticated HTTP request to the TestController Chart endpoint can trigger denial of service, via the CreateChart path when pieces is large. Vulnerable version: WhatsUp Gold 23.1.0 Build 1697 (and likely prior to 2023.1.3 per CVE d...
CVE-2024-5013
Affected product: Progress WhatsUp Gold (pre-2023.1.3 builds). Vulnerability: Unauthenticated Denial of Service via the InstallController flow, where an attacker can force the application into the SetAdminPassword installation step, rendering the app unavailable. Impact: Availability impact (serv...
CVE-2018-5778
Ipswitch WhatsUp Gold (before 2017 Plus SP1 17.1.1) contains SQL injection vulnerabilities in legacy .ASP pages. The root cause is insufficient input validation in those pages, enabling remote attackers to execute arbitrary SQL commands via unspecified vectors. Documented impacts include potentia...
CVE-2023-6366
Progress WhatsUp Gold pre-2023.1 has a stored XSS in Alert Center (CVE-2023-6366). An attacker can store a payload, and when a user interacts with it, malicious JavaScript runs in the victim’s browser context. Affected product: WhatsUp Gold; vulnerability originates from storing payloads in Alert...
CVE-2024-5019
CVE-2024-5019 relates to Progress/WhatsUp Gold prior to version 2023.1.3. The vulnerability is an unauthenticated Arbitrary File Read in the Wug.UI.Areas.Wug.Controllers.SessionController.CachedCSS, allowing reading of files with the iisapppool\NmConsole privileges. The affected software is Whats...
CVE-2023-6364
Concrete details available: Progress WhatsUp Gold before version 2023.1 contains a stored XSS vulnerability in dashboard components. An attacker can craft a payload stored in a dashboard element; when a user interacts with it, the attacker could execute malicious JavaScript in the victim’s browse...
CVE-2012-4344
CVE-2012-4344 affects Ipswitch WhatsUp Gold 15.02, with a cross-site scripting (XSS) vulnerability in the web interface that allows remote attackers to inject arbitrary script via unspecified vectors involving the SNMP system name. The available documents identify the affected product/version and...
CVE-2007-2602
CVE-2007-2602 describes a buffer overflow in Ipswitch WhatsUp Gold 11, specifically in the MIBEXTRA.EXE component, triggered by a long MIB filename argument. The underlying issue may allow a denial of service (application crash) and can potentially enable arbitrary code execution. Affected softwa...