Vulnerabilities (CVE)

Filtered by vendor Progress Subscribe
Total 158 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-26100 1 Progress 1 Flowmon Os 2024-11-21 N/A 6.1 MEDIUM
In Progress Flowmon before 12.2.0, an application endpoint failed to sanitize user-supplied input. A threat actor could leverage a reflected XSS vulnerability to execute arbitrary code within the context of a Flowmon user's web browser.
CVE-2023-24029 1 Progress 1 Ws Ftp Server 2024-11-21 N/A 7.2 HIGH
In Progress WS_FTP Server before 8.8, it is possible for a host administrator to elevate their privileges via the administrative interface due to insufficient authorization controls applied on user modification workflows.
CVE-2022-42711 1 Progress 1 Whatsup Gold 2024-11-21 N/A 9.6 CRITICAL
In Progress WhatsUp Gold before 22.1.0, an SNMP MIB Walker application endpoint failed to adequately sanitize malicious input. This could allow an unauthenticated attacker to execute arbitrary code in a victim's browser.
CVE-2022-36968 1 Progress 1 Ipswitch Ws Ftp Server 2024-11-21 N/A 4.3 MEDIUM
In Progress WS_FTP Server prior to version 8.7.3, forms within the administrative interface did not include a nonce to mitigate the risk of cross-site request forgery (CSRF) attacks.
CVE-2022-36967 1 Progress 1 Ipswitch Ws Ftp Server 2024-11-21 N/A 6.1 MEDIUM
In Progress WS_FTP Server prior to version 8.7.3, multiple reflected cross-site scripting (XSS) vulnerabilities exist in the administrative web interface. It is possible for a remote attacker to inject arbitrary JavaScript into a WS_FTP administrator's web session. This would allow the attacker to execute code within the context of the victim's browser.
CVE-2022-29849 1 Progress 1 Openedge 2024-11-21 7.2 HIGH 7.8 HIGH
In Progress OpenEdge before 11.7.14 and 12.x before 12.2.9, certain SUID binaries within the OpenEdge application were susceptible to privilege escalation. If exploited, a local attacker could elevate their privileges and compromise the affected system.
CVE-2022-29848 1 Progress 1 Whatsup Gold 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
In Progress Ipswitch WhatsUp Gold 17.0.0 through 21.1.1, and 22.0.0, it is possible for an authenticated user to invoke an API transaction that would allow them to read sensitive operating-system attributes from a host that is accessible by the WhatsUp Gold system.
CVE-2022-29847 1 Progress 1 Whatsup Gold 2024-11-21 5.0 MEDIUM 7.5 HIGH
In Progress Ipswitch WhatsUp Gold 21.0.0 through 21.1.1, and 22.0.0, it is possible for an unauthenticated attacker to invoke an API transaction that would allow them to relay encrypted WhatsUp Gold user credentials to an arbitrary host.
CVE-2022-29846 1 Progress 1 Whatsup Gold 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
In Progress Ipswitch WhatsUp Gold 16.1 through 21.1.1, and 22.0.0, it is possible for an unauthenticated attacker to obtain the WhatsUp Gold installation serial number.
CVE-2022-29845 1 Progress 1 Whatsup Gold 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
In Progress Ipswitch WhatsUp Gold 21.1.0 through 21.1.1, and 22.0.0, it is possible for an authenticated user to invoke an API transaction that would allow them to read the contents of a local file.
CVE-2022-27665 1 Progress 1 Ws Ftp Server 2024-11-21 N/A 6.1 MEDIUM
Reflected XSS (via AngularJS sandbox escape expressions) exists in Progress Ipswitch WS_FTP Server 8.6.0. This can lead to execution of malicious code and commands on the client due to improper handling of user-provided input. By inputting malicious payloads in the subdirectory searchbar or Add folder filename boxes, it is possible to execute client-side commands. For example, there is Client-Side Template Injection via subFolderPath to the ThinClient/WtmApiService.asmx/GetFileSubTree URI.
CVE-2021-41318 1 Progress 1 Whatsupgold 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
In Progress WhatsUp Gold prior to version 21.1.0, an application endpoint failed to adequately sanitize malicious input. which could allow an unauthenticated attacker to execute arbitrary code in a victim's browser.
CVE-2021-38159 1 Progress 1 Moveit Transfer 2024-11-21 7.5 HIGH 9.8 CRITICAL
In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4), SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or execute SQL statements that alter or delete database elements, via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8), 2019.1.7 (11.1.7), 2019.2.4 (11.2.4), 2020.0.7 (12.0.7), 2020.1.6 (12.1.6), and 2021.0.4 (13.0.4).
CVE-2021-37614 1 Progress 1 Moveit Transfer 2024-11-21 6.5 MEDIUM 8.8 HIGH
In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3), SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or execute SQL statements that alter or delete database elements, via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7), 2019.1.6 (11.1.6), 2019.2.3 (11.2.3), 2020.0.6 (12.0.6), 2020.1.5 (12.1.5), and 2021.0.3 (13.0.3).
CVE-2021-33894 1 Progress 1 Moveit Transfer 2024-11-21 6.5 MEDIUM 8.8 HIGH
In Progress MOVEit Transfer before 2019.0.6 (11.0.6), 2019.1.x before 2019.1.5 (11.1.5), 2019.2.x before 2019.2.2 (11.2.2), 2020.x before 2020.0.5 (12.0.5), 2020.1.x before 2020.1.4 (12.1.4), and 2021.x before 2021.0.1 (13.0.1), a SQL injection vulnerability exists in SILUtility.vb in MOVEit.DMZ.WebApp in the MOVEit Transfer web app. This could allow an authenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database and/or execute SQL statements that alter or delete database elements.
CVE-2021-31827 1 Progress 1 Moveit Transfer 2024-11-21 6.5 MEDIUM 8.8 HIGH
In Progress MOVEit Transfer before 2021.0 (13.0), a SQL injection vulnerability has been found in the MOVEit Transfer web app that could allow an authenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or destroy database elements. This is in MOVEit.DMZ.WebApp in SILHuman.vb.
CVE-2020-8612 2 Progess, Progress 2 Moveit Transfer, Moveit Transfer 2024-11-21 6.0 MEDIUM 9.0 CRITICAL
In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1, a REST API endpoint failed to adequately sanitize malicious input, which could allow an authenticated attacker to execute arbitrary code in a victim's browser, aka XSS.
CVE-2020-8611 2 Progess, Progress 2 Moveit Transfer, Moveit Transfer 2024-11-21 6.5 MEDIUM 8.8 HIGH
In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1, multiple SQL Injection vulnerabilities have been found in the REST API that could allow an authenticated attacker to gain unauthorized access to MOVEit Transfer's database via the REST API. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or destroy database elements.
CVE-2020-28647 1 Progress 1 Moveit Transfer 2024-11-21 3.5 LOW 5.4 MEDIUM
In Progress MOVEit Transfer before 2020.1, a malicious user could craft and store a payload within the application. If a victim within the MOVEit Transfer instance interacts with the stored payload, it could invoke and execute arbitrary code within the context of the victim's browser (XSS).
CVE-2020-12677 1 Progress 1 Moveit Automation 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in Progress MOVEit Automation Web Admin. A Web Admin application endpoint failed to adequately sanitize malicious input, which could allow an unauthenticated attacker to execute arbitrary code in a victim's browser, aka XSS. This affects 2018 - 2018.0 prior to 2018.0.3, 2018 SP1 - 2018.2 prior to 2018.2.3, 2018 SP2 - 2018.3 prior to 2018.3.7, 2019 - 2019.0 prior to 2019.0.3, 2019.1 - 2019.1 prior to 2019.1.2, and 2019.2 - 2019.2 prior to 2019.2.2.