Filtered by vendor Progress
Subscribe
Total
158 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-7215 | 1 Progress | 1 Sitefinity | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. It instead tries to overwrite the cookie in the browser, but it remains valid on the server side. This means the cookie can be reused to maintain access to the account, even if the account credentials and permissions are changed. | |||||
CVE-2019-17392 | 1 Progress | 1 Sitefinity | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host header is mishandled. | |||||
CVE-2019-12143 | 1 Progress | 1 Ws Ftp Server | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
A Directory Traversal issue was discovered in SSHServerAPI.dll in Progress ipswitch WS_FTP Server 2018 before 8.6.1. An attacker can supply a string using special patterns via the SCP protocol to disclose WS_FTP usernames as well as filenames. | |||||
CVE-2019-12097 | 1 Progress | 1 Fiddler | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
Telerik Fiddler v5.0.20182.28034 doesn't verify the hash of EnableLoopback.exe before running it, which could lead to code execution or local privilege escalation by replacing the original EnableLoopback.exe. | |||||
CVE-2018-8939 | 1 Progress | 1 Whatsup Gold | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
An SSRF issue was discovered in NmAPI.exe in Ipswitch WhatsUp Gold before 2018 (18.0). Malicious actors can submit specially crafted requests via the NmAPI executable to (1) gain unauthorized access to the WhatsUp Gold system, (2) obtain information about the WhatsUp Gold system, or (3) execute remote commands. | |||||
CVE-2018-8938 | 1 Progress | 1 Whatsup Gold | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
A Code Injection issue was discovered in DlgSelectMibFile.asp in Ipswitch WhatsUp Gold before 2018 (18.0). Malicious actors can inject a specially crafted SNMP MIB file that could allow them to execute arbitrary commands and code on the WhatsUp Gold server. | |||||
CVE-2018-5778 | 1 Progress | 1 Whatsup Gold | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in Ipswitch WhatsUp Gold before 2017 Plus SP1 (17.1.1). Multiple SQL injection vulnerabilities are present in the legacy .ASP pages, which could allow attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
CVE-2018-5777 | 1 Progress | 1 Whatsup Gold | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in Ipswitch WhatsUp Gold before 2017 Plus SP1 (17.1.1). Remote clients can take advantage of a misconfiguration in the TFTP server that could allow attackers to execute arbitrary commands on the TFTP server via unspecified vectors. | |||||
CVE-2018-17060 | 1 Progress | 1 Telerik Extensions For Asp.net Mvc | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
Telerik Extensions for ASP.NET MVC (all versions) does not whitelist requests, which can allow a remote attacker to access files inside the server's web directory. NOTE: this product has been obsolete since June 2013. | |||||
CVE-2018-17056 | 1 Progress | 1 Sitefinity Cms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in ServiceStack in Progress Sitefinity CMS versions 10.2 through 11.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
CVE-2018-17055 | 1 Progress | 1 Sitefinity | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
An arbitrary file upload vulnerability in Progress Sitefinity CMS versions 4.0 through 11.0 related to image uploads. | |||||
CVE-2018-17054 | 1 Progress | 1 Sitefinity Cms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in Identity Server in Progress Sitefinity CMS versions 10.0 through 11.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to login request parameters, a different vulnerability than CVE-2018-17053. | |||||
CVE-2018-17053 | 1 Progress | 1 Sitefinity Cms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in Identity Server in Progress Sitefinity CMS versions 10.0 through 11.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to login request parameters, a different vulnerability than CVE-2018-17054. | |||||
CVE-2018-14037 | 1 Progress | 1 Kendo Ui | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in Progress Kendo UI Editor v2018.1.221 allows remote attackers to inject arbitrary JavaScript into the DOM of the WYSIWYG editor because of the editorNS.Serializer toEditableHtml function in kendo.all.min.js. If the victim accesses the editor, the payload gets executed. Furthermore, if the payload is reflected at any other resource that does rely on the sanitisation of the editor itself, the JavaScript payload will be executed in the context of the application. This allows attackers (in the worst case) to take over user sessions. | |||||
CVE-2017-9248 | 2 Progress, Telerik | 2 Sitefinity, Ui For Asp.net Ajax | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise. | |||||
CVE-2017-9140 | 1 Progress | 2 Sitefinity Cms, Telerik Reporting | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in Telerik.ReportViewer.WebForms.dll in Telerik Reporting for ASP.NET WebForms Report Viewer control before R1 2017 SP2 (11.0.17.406) allows remote attackers to inject arbitrary web script or HTML via the bgColor parameter to Telerik.ReportViewer.axd. | |||||
CVE-2017-18639 | 1 Progress | 1 Sitefinity Cms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Progress Sitefinity CMS before 10.1 allows XSS via /Pages Parameter : Page Title, /Content/News Parameter : News Title, /Content/List Parameter : List Title, /Content/Documents/LibraryDocuments/incident-request-attachments Parameter : Document Title, /Content/Images/LibraryImages/newsimages Parameter : Image Title, /Content/links Parameter : Link Title, /Content/links Parameter : Link Title, or /Content/Videos/LibraryVideos/default-video-library Parameter : Video Title. | |||||
CVE-2017-18179 | 1 Progress | 1 Sitefinity | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
Progress Sitefinity 9.1 uses wrap_access_token as a non-expiring authentication token that remains valid after a password change or a session termination. Also, it is transmitted as a GET parameter. This is fixed in 10.1. | |||||
CVE-2017-18178 | 1 Progress | 1 Sitefinity | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
Authenticate/SWT in Progress Sitefinity 9.1 has an open redirect issue in which an authentication token is sent to the redirection target, if the target is specified using a certain %40 syntax. This is fixed in 10.1. | |||||
CVE-2017-18177 | 1 Progress | 1 Sitefinity | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
Progress Sitefinity 9.1 has XSS via the Last name, First name, and About fields on the New User Creation Page. This is fixed in 10.1. |