Filtered by vendor Progress
Subscribe
Total
102 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-35036 | 1 Progress | 1 Moveit Transfer | 2023-12-10 | N/A | 9.1 CRITICAL |
| In Progress MOVEit Transfer before 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2), SQL injection vulnerabilities have been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. | |||||
| CVE-2023-34203 | 1 Progress | 3 Openedge, Openedge Explorer, Openedge Management | 2023-12-10 | N/A | 8.8 HIGH |
| In Progress OpenEdge OEM (OpenEdge Management) and OEE (OpenEdge Explorer) before 12.7, a remote user (who has any OEM or OEE role) could perform a URL injection attack to change identity or role membership, e.g., escalate to admin. This affects OpenEdge LTS before 11.7.16, 12.x before 12.2.12, and 12.3.x through 12.6.x before 12.7. | |||||
| CVE-2023-24029 | 1 Progress | 1 Ws Ftp Server | 2023-12-10 | N/A | 7.2 HIGH |
| In Progress WS_FTP Server before 8.8, it is possible for a host administrator to elevate their privileges via the administrative interface due to insufficient authorization controls applied on user modification workflows. | |||||
| CVE-2022-36968 | 1 Progress | 1 Ipswitch Ws Ftp Server | 2023-12-10 | N/A | 4.3 MEDIUM |
| In Progress WS_FTP Server prior to version 8.7.3, forms within the administrative interface did not include a nonce to mitigate the risk of cross-site request forgery (CSRF) attacks. | |||||
| CVE-2022-36967 | 1 Progress | 1 Ipswitch Ws Ftp Server | 2023-12-10 | N/A | 6.1 MEDIUM |
| In Progress WS_FTP Server prior to version 8.7.3, multiple reflected cross-site scripting (XSS) vulnerabilities exist in the administrative web interface. It is possible for a remote attacker to inject arbitrary JavaScript into a WS_FTP administrator's web session. This would allow the attacker to execute code within the context of the victim's browser. | |||||
| CVE-2022-42711 | 1 Progress | 1 Whatsup Gold | 2023-12-10 | N/A | 9.6 CRITICAL |
| In Progress WhatsUp Gold before 22.1.0, an SNMP MIB Walker application endpoint failed to adequately sanitize malicious input. This could allow an unauthenticated attacker to execute arbitrary code in a victim's browser. | |||||
| CVE-2022-29849 | 1 Progress | 1 Openedge | 2023-12-10 | 7.2 HIGH | 7.8 HIGH |
| In Progress OpenEdge before 11.7.14 and 12.x before 12.2.9, certain SUID binaries within the OpenEdge application were susceptible to privilege escalation. If exploited, a local attacker could elevate their privileges and compromise the affected system. | |||||
| CVE-2021-41318 | 1 Progress | 1 Whatsupgold | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Progress WhatsUp Gold prior to version 21.1.0, an application endpoint failed to adequately sanitize malicious input. which could allow an unauthenticated attacker to execute arbitrary code in a victim's browser. | |||||
| CVE-2021-38159 | 1 Progress | 1 Moveit Transfer | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4), SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or execute SQL statements that alter or delete database elements, via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8), 2019.1.7 (11.1.7), 2019.2.4 (11.2.4), 2020.0.7 (12.0.7), 2020.1.6 (12.1.6), and 2021.0.4 (13.0.4). | |||||
| CVE-2021-37614 | 1 Progress | 1 Moveit Transfer | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3), SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or execute SQL statements that alter or delete database elements, via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7), 2019.1.6 (11.1.6), 2019.2.3 (11.2.3), 2020.0.6 (12.0.6), 2020.1.5 (12.1.5), and 2021.0.3 (13.0.3). | |||||
| CVE-2021-31827 | 1 Progress | 1 Moveit Transfer | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| In Progress MOVEit Transfer before 2021.0 (13.0), a SQL injection vulnerability has been found in the MOVEit Transfer web app that could allow an authenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or destroy database elements. This is in MOVEit.DMZ.WebApp in SILHuman.vb. | |||||
| CVE-2021-33894 | 1 Progress | 1 Moveit Transfer | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| In Progress MOVEit Transfer before 2019.0.6 (11.0.6), 2019.1.x before 2019.1.5 (11.1.5), 2019.2.x before 2019.2.2 (11.2.2), 2020.x before 2020.0.5 (12.0.5), 2020.1.x before 2020.1.4 (12.1.4), and 2021.x before 2021.0.1 (13.0.1), a SQL injection vulnerability exists in SILUtility.vb in MOVEit.DMZ.WebApp in the MOVEit Transfer web app. This could allow an authenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database and/or execute SQL statements that alter or delete database elements. | |||||
| CVE-2020-28647 | 1 Progress | 1 Moveit Transfer | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
| In Progress MOVEit Transfer before 2020.1, a malicious user could craft and store a payload within the application. If a victim within the MOVEit Transfer instance interacts with the stored payload, it could invoke and execute arbitrary code within the context of the victim's browser (XSS). | |||||
| CVE-2020-12677 | 1 Progress | 1 Moveit Automation | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Progress MOVEit Automation Web Admin. A Web Admin application endpoint failed to adequately sanitize malicious input, which could allow an unauthenticated attacker to execute arbitrary code in a victim's browser, aka XSS. This affects 2018 - 2018.0 prior to 2018.0.3, 2018 SP1 - 2018.2 prior to 2018.2.3, 2018 SP2 - 2018.3 prior to 2018.3.7, 2019 - 2019.0 prior to 2019.0.3, 2019.1 - 2019.1 prior to 2019.1.2, and 2019.2 - 2019.2 prior to 2019.2.2. | |||||
| CVE-2020-8611 | 2 Progess, Progress | 2 Moveit Transfer, Moveit Transfer | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1, multiple SQL Injection vulnerabilities have been found in the REST API that could allow an authenticated attacker to gain unauthorized access to MOVEit Transfer's database via the REST API. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or destroy database elements. | |||||
| CVE-2019-17392 | 1 Progress | 1 Sitefinity | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host header is mishandled. | |||||
| CVE-2017-18639 | 1 Progress | 1 Sitefinity Cms | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Progress Sitefinity CMS before 10.1 allows XSS via /Pages Parameter : Page Title, /Content/News Parameter : News Title, /Content/List Parameter : List Title, /Content/Documents/LibraryDocuments/incident-request-attachments Parameter : Document Title, /Content/Images/LibraryImages/newsimages Parameter : Image Title, /Content/links Parameter : Link Title, /Content/links Parameter : Link Title, or /Content/Videos/LibraryVideos/default-video-library Parameter : Video Title. | |||||
| CVE-2020-8612 | 2 Progess, Progress | 2 Moveit Transfer, Moveit Transfer | 2023-12-10 | 6.0 MEDIUM | 9.0 CRITICAL |
| In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1, a REST API endpoint failed to adequately sanitize malicious input, which could allow an authenticated attacker to execute arbitrary code in a victim's browser, aka XSS. | |||||
| CVE-2019-12143 | 1 Progress | 1 Ws Ftp Server | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| A Directory Traversal issue was discovered in SSHServerAPI.dll in Progress ipswitch WS_FTP Server 2018 before 8.6.1. An attacker can supply a string using special patterns via the SCP protocol to disclose WS_FTP usernames as well as filenames. | |||||
| CVE-2019-7215 | 1 Progress | 1 Sitefinity | 2023-12-10 | 6.4 MEDIUM | 6.5 MEDIUM |
| Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. It instead tries to overwrite the cookie in the browser, but it remains valid on the server side. This means the cookie can be reused to maintain access to the account, even if the account credentials and permissions are changed. | |||||