Lucene search

ProgressSoftwareVULNRICHMENT:CVE-2024-5019

HistoryJun 25, 2024 - 8:29 p.m.

CVE-2024-5019 WhatsUp Gold LoadCSSUsingBasePath Directory Traversal Information Disclosure Vulnerability

2024-06-2520:29:00

CWE-22

ProgressSoftware

github.com

cve-2024-5019

whatsup gold

directory traversal

information disclosure

vulnerability

unauthenticated

arbitrary file read

iisapppool\nmconsole privileges

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

7.1 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.6%

JSON

In WhatsUp Gold versions released before 2023.1.3,

an unauthenticated Arbitrary File Read issue exists in Wug.UI.Areas.Wug.Controllers.SessionController.CachedCSS. This vulnerability allows reading of any file with iisapppool\NmConsole privileges.

CNA Affected

[
  {
    "vendor": "Progress Software Corporation",
    "modules": [
      "API Endpoint"
    ],
    "product": "WhatsUp Gold",
    "versions": [
      {
        "status": "affected",
        "version": "2023.1.0",
        "lessThan": "2023.1.3",
        "versionType": "semver"
      }
    ],
    "platforms": [
      "Windows"
    ],
    "defaultStatus": "affected"
  }
]

References

community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024

www.progress.com/network-monitoring

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

7.1 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.6%

JSON

Related for VULNRICHMENT:CVE-2024-5019