CVE-2023-6364

In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft a XSS payload and store that value within a dashboard component. If a WhatsUp Gold user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victims browser.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-December-2023	Vendor Advisory
https://www.progress.com/network-monitoring	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:progress:whatsup_gold:*:*:*:*:*:*:*:*

History

19 Dec 2023, 15:25

Type	Values Removed	Values Added
CPE		cpe:2.3:a:progress:whatsup_gold::::::::
References	~~() https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-December-2023 -~~	() https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-December-2023 - Vendor Advisory
References	~~() https://www.progress.com/network-monitoring -~~	() https://www.progress.com/network-monitoring - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~7.6~~	v2 : unknown v3 : 5.4
First Time		Progress Progress whatsup Gold
Summary		(es) En las versiones de WhatsUp Gold lanzadas antes de la 2023.1, se identificó una vulnerabilidad de Cross-Site Scripting (XSS) Almacenada. Es posible que un atacante cree un payload XSS y almacene ese valor dentro de un componente del panel. Si un usuario de WhatsUp Gold interactúa con el payload manipulado, el atacante podría ejecutar JavaScript malicioso dentro del contexto del navegador de la víctima.

14 Dec 2023, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-14 16:15

Updated : 2023-12-19 15:25

NVD link : CVE-2023-6364

Mitre link : CVE-2023-6364

CVE.ORG link : CVE-2023-6364

JSON object : View

Products Affected

progress

whatsup_gold

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2023-6364", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}, {"type": "Secondary", "source": "security@progress.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.0}]}, "published": "2023-12-14T16:15:52.957", "references": [{"url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-December-2023", "tags": ["Vendor Advisory"], "source": "security@progress.com"}, {"url": "https://www.progress.com/network-monitoring", "tags": ["Vendor Advisory"], "source": "security@progress.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Secondary", "source": "security@progress.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified.\u00a0 It is possible for an attacker to craft a XSS payload and store that value within a dashboard component.\u00a0\u00a0\n\nIf a WhatsUp Gold user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victims browser.\n\n"}, {"lang": "es", "value": "En las versiones de WhatsUp Gold lanzadas antes de la 2023.1, se identific\u00f3 una vulnerabilidad de Cross-Site Scripting (XSS) Almacenada. Es posible que un atacante cree un payload XSS y almacene ese valor dentro de un componente del panel. Si un usuario de WhatsUp Gold interact\u00faa con el payload manipulado, el atacante podr\u00eda ejecutar JavaScript malicioso dentro del contexto del navegador de la v\u00edctima."}], "lastModified": "2023-12-19T15:25:57.190", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:progress:whatsup_gold:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5D27D3E3-A9E8-493A-8D4A-51ED537ABC7D", "versionEndExcluding": "23.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@progress.com"}