39 matches found
CVE-2024-6670
Summary (CVE-2024-6670): Progress WhatsUp Gold prior to version 24.0.0 contains a SQL Injection vulnerability that can allow an unauthenticated attacker to retrieve a user’s encrypted password. Public references confirm exploitation guidance (e.g., Metasploit module) and acknowledgments by CISA K...
CVE-2024-4885
Progress WhatsUp Gold GetFileWithoutZip Directory Traversal (CVE-2024-4885) allows unauthenticated remote code execution. The flaw stems from unvalidated user-supplied paths used in file operations within GetFileWithoutZip, enabling commands to run with iisapppool\nmconsole/service account privil...
CVE-2023-35759
WhatsUp Gold before 23.0.0 contains a cross-site scripting (XSS) vulnerability in a SNMP-related application endpoint that fails to sanitize input, allowing an unauthenticated attacker to execute arbitrary code in a victim’s browser. The issue is reported as stored XSS in the sysName SNMP paramet...
CVE-2024-8785
CVE-2024-8785 affects Progress WhatsUp Gold pre-2024.0.1. The vulnerability stems from NmAPI.exe enabling remote unauthenticated actors to create or modify a registry value at HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch, potentially enabling remote code execution. Connected documents confirm...
CVE-2024-4884
The CVE-2024-4884 family affects Progress WhatsUp Gold versions released before 2023.1.3, with unauthenticated remote code execution via the CommunityController (Apm.UI.Areas.APM.Controllers.CommunityController) and related paths (GetFileWithoutZip) that allow command execution with iisapppool\nm...
CVE-2025-2572
CVE-2025-2572 affects Progress WhatsUp Gold before 2024.0.3. A database manipulation vulnerability allows an unauthenticated attacker to modify WhatsUp.dbo.WrlsMacAddressGroup. Impact is integrity loss of that table; no explicit exploit details provided in the documents. Remediation: upgrade to v...
CVE-2024-4883
Progress WhatsUp Gold is affected pre-2023.1.3 by an unauthenticated remote code execution via NmApi.exe (CVE-2024-4883). The root cause involves improper handling/validation in the NmApi surface enabling code execution as the service account. Impact is high (RCE, remote compromise). A PoC/exploi...
CVE-2024-5018
Progress WhatsUp Gold contains a Path Traversal vulnerability (CVE-2024-5018) in the LoadNMScript path, affecting versions released before 2023.1.3. The issue resides in Wug.UI.Areas.Wug.Controllers.SessionController.LoadNMScript and allows reading files from the application's web-root without au...
CVE-2024-5009
CVE-2024-5009 : Progress WhatsUp Gold pre-2023.1.3 contains an improper access control in Wug.UI.Controllers.InstallController.SetAdminPassword that allows local attackers to modify the admin password (privilege escalation). Affected product: Progress WhatsUp Gold; vulnerability appears in the Se...
CVE-2024-6672
Summary: CVE-2024-6672 affects Progress WhatsUp Gold versions prior to 2024.0.0. A SQL injection in the getMonitorJoin path allows an authenticated, low-privileged attacker to escalate privileges by modifying a privileged user’s password. The vulnerability relies on unsafely constructed SQL using...
CVE-2024-7763
Summary: CVE-2024-7763 affects Progress Software WhatsUp Gold prior to 2024.0.0. The vulnerability is an authentication bypass in the getReport feature, enabling an attacker to obtain encrypted user credentials. Affected software: Progress WhatsUp Gold (versions before 2024.0.0). Root cause / vul...
CVE-2024-46905
CVE-2024-46905 affects Progress WhatsUp Gold prior to 2024.0.1. A SQL Injection vulnerability in the GetOrderByClause function allows an authenticated, lower-privileged user (at least Network Manager permissions) to escalate to the admin account. The issue is mitigated by upgrading to 2024.0.1 or...
CVE-2024-46909
Progress WhatsUp Gold prior to 2024.0.1 is affected by a directory traversal that can lead to remote code execution. The root cause is exposed WriteDataFile handling, allowing an unauthenticated remote attacker to execute code in the service account context. Remediation: update to version 2024.0....
CVE-2022-42711
CVE-2022-42711 affects Progress WhatsUp Gold prior to 22.1.0. The SNMP MIB Walker endpoint fails to sanitize input, enabling an unauthenticated attacker to execute arbitrary code in a victim’s browser. Documented by multiple sources (Red Hat, NVD/CVE records, CNNVD, PT-Security) with a high-sever...
CVE-2024-46907
WhatsUp Gold (Progress) versions prior to 2024.0.1 are affected by a SQL Injection in the GetFilterCriteria path that can be exploited by an authenticated low-privileged user (at least Report Viewer) to escalate to admin. Affected component: GetFilterCriteria SQL path; root cause: SQL Injection d...
CVE-2024-5016
Progress WhatsUp Gold before 2023.1.3 is affected by an OnMessage deserialization vulnerability that allows remote code execution as SYSTEM. The issue occurs in the main message processing routines NmDistributed.DistributedServiceBehavior.OnMessage (server) and NmDistributed.DistributedClient.OnM...
CVE-2024-5017
Summary of CVE-2024-5017 : In Progress WhatsUp Gold, the AppProfileImport endpoint (authenticated path) is vulnerable to a path traversal flaw. A crafted HTTP request with a manipulated fileName parameter enables an attacker to probe for file existence and potentially disclose information from th...
CVE-2018-8939
CVE-2018-8939 describes a Server-Side Request Forgery (SSRF) in NmAPI.exe of Ipswitch WhatsUp Gold, affecting versions prior to 18.0. An attacker can submit specially crafted requests via NmAPI.exe to gain unauthorized access, obtain information about the WhatsUp Gold system, or execute remote co...
CVE-2024-46908
WhatsUp Gold (Progress) has a SQL Injection vulnerability (CVE-2024-46908) exploitable by an authenticated, low-privileged user with at least Report Viewer permissions, enabling privilege escalation to admin. Affected are versions released before 2024.0.1, where the GetFilterCriteria function is ...
CVE-2024-5008
Progress WhatsUp Gold is affected in versions released before 2023.1.3 where an authenticated user with certain permissions can upload an arbitrary file via Apm.UI.Areas.APM.Controllers.Api.Applications.AppProfileImportController to achieve remote code execution. The issue is documented across mu...
CVE-2024-5015
CVE-2024-5015 – Progress WhatsUp Gold : Affected product is Progress WhatsUp Gold, versions released before 2023.1.3. An authenticated SSRF in Wug.UI.Areas.Wug.Controllers.SessionControler.Update allows a low-privileged user to chain this SSRF with an Improper Access Control vulnerability to esca...
CVE-2024-5012
Progress WhatsUp Gold
CVE-2024-46906
Progress WhatsUp Gold before 24.0.1 is affected by a GetSqlWhereClause SQL Injection that can escalate an authenticated, low-privilege user (Report Viewer) to admin. Affected product: Progress WhatsUp Gold. Root cause: improper validation of a user-supplied string used to build SQL queries. Impac...
CVE-2023-6367
Progress WhatsUp Gold versions released before 2023.1 are affected by a stored cross-site scripting (XSS) vulnerability in Roles. An attacker can store a crafted XSS payload in Roles, and when a user interacts with it, malicious JavaScript could run in the victim’s browser. Root cause: input stor...
CVE-2024-5010
Progress Software’s WhatsUp Gold TestController contains an information-disclosure vulnerability (CVE-2024-5010) affecting versions such as 23.1.0 Build 1697 prior to 23.1.3. An unauthenticated HTTP request can disclose sensitive data (e.g., Devices and NetworkInterfaces), enabling disclosure of ...
CVE-2024-5013
Affected product: Progress WhatsUp Gold (pre-2023.1.3 builds). Vulnerability: Unauthenticated Denial of Service via the InstallController flow, where an attacker can force the application into the SetAdminPassword installation step, rendering the app unavailable. Impact: Availability impact (serv...
CVE-2023-6368
CVE-2023-6368 affects Progress WhatsUp Gold versions prior to 2023.1, where an API endpoint is missing authentication. This allows an unauthenticated attacker to enumerate information about a registered device being monitored. Connected sources also show an associated advisory that generally reco...
CVE-2024-5014
CVE-2024-5014 affects Progress WhatsUp Gold prior to 2023.1.3, where the GetASPReport feature permits an authenticated user to retrieve ASP reports, revealing sensitive information. The root cause is an information-disclosure vulnerability in GetASPReport, enabling SSRF-style access to reports. T...
CVE-2024-5011
CVE-2024-5011 affects Progress WhatsUp Gold. Talos confirms an unauthenticated HTTP request to the TestController Chart endpoint can trigger denial of service, via the CreateChart path when pieces is large. Vulnerable version: WhatsUp Gold 23.1.0 Build 1697 (and likely prior to 2023.1.3 per CVE d...
CVE-2018-5778
Ipswitch WhatsUp Gold (before 2017 Plus SP1 17.1.1) contains SQL injection vulnerabilities in legacy .ASP pages. The root cause is insufficient input validation in those pages, enabling remote attackers to execute arbitrary SQL commands via unspecified vectors. Documented impacts include potentia...
CVE-2024-5019
CVE-2024-5019 relates to Progress/WhatsUp Gold prior to version 2023.1.3. The vulnerability is an unauthenticated Arbitrary File Read in the Wug.UI.Areas.Wug.Controllers.SessionController.CachedCSS, allowing reading of files with the iisapppool\NmConsole privileges. The affected software is Whats...
CVE-2023-6366
Progress WhatsUp Gold pre-2023.1 has a stored XSS in Alert Center (CVE-2023-6366). An attacker can store a payload, and when a user interacts with it, malicious JavaScript runs in the victim’s browser context. Affected product: WhatsUp Gold; vulnerability originates from storing payloads in Alert...
CVE-2023-6364
Concrete details available: Progress WhatsUp Gold before version 2023.1 contains a stored XSS vulnerability in dashboard components. An attacker can craft a payload stored in a dashboard element; when a user interacts with it, the attacker could execute malicious JavaScript in the victim’s browse...
CVE-2023-6365
CVE-2023-6365 affects Progress WhatsUp Gold versions released before 2023.1. It is a stored cross-site scripting (XSS) vulnerability where an attacker can craft an XSS payload and store it in a device group; if a user interacts with the payload, malicious JavaScript can execute in the victim’s br...
CVE-2018-5777
CVE-2018-5777 affects Ipswitch WhatsUp Gold versions prior to 2017 Plus SP1 (17.1.1). The issue arises from a misconfiguration in the TFTP server, allowing a remote attacker to execute arbitrary commands on the TFTP server via unspecified vectors. The CVE is rated with high/critical impact in the...
CVE-2023-6595
CVE-2023-6595 affects Progress WhatsUp Gold versions released before 2023.1. The issue is an API endpoint that lacks authentication, allowing an unauthenticated attacker to enumerate ancillary credential information stored within WhatsUp Gold. Red Hat and Nessus/NASL reports corroborate the core ...
CVE-2024-4561
Progress WhatsUp Gold before version 23.1.2 contains a blind SSRF in the FaviconController that lets an attacker issue arbitrary HTTP requests from the affected server (CVE-2024-4561). Affected product is Progress WhatsUp Gold; root cause is SSRF handling in FaviconController. Impact is informati...
CVE-2018-8938
Ipswitch WhatsUp Gold before 18.0 is affected by a Code Injection vulnerability in DlgSelectMibFile.asp. A specially crafted SNMP MIB file can cause arbitrary command/code execution on the WhatsUp Gold server. Affected: WhatsUp Gold versions prior to 18.0. Root cause: errors in code generation/ha...
CVE-2024-4562
CVE-2024-4562 affects Progress WhatsUp Gold versions prior to 2023.1.2. A Server-Side Request Forgery exists in the HTTP Monitoring functionality due to insufficient authorization, allowing an authenticated user to trigger SSRF. Related advisories/XDR reports (ZDI-24-516, Nessus plugin 198215) co...