Vulnerabilities > Progress > Openedge

DATE CVE VULNERABILITY TITLE RISK
2024-09-03 CVE-2024-7345 Code Injection vulnerability in Progress Openedge
Local ABL Client bypass of the required PASOE security checks may allow an attacker to commit unauthorized code injection into Multi-Session Agents on supported OpenEdge LTS platforms up to OpenEdge LTS 11.7.18 and LTS 12.2.13 on all supported release platforms
low complexity
progress CWE-94
critical
9.6
2024-09-03 CVE-2024-7346 Improper Authentication vulnerability in Progress Openedge
Host name validation for TLS certificates is bypassed when the installed OpenEdge default certificates are used to perform the TLS handshake for a networked connection.  This has been corrected so that default certificates are no longer capable of overriding host name validation and will need to be replaced where full TLS certificate validation is needed for network security.  The existing certificates should be replaced with CA-signed certificates from a recognized certificate authority that contain the necessary information to support host name validation.
network
high complexity
progress CWE-287
4.8
2024-09-03 CVE-2024-7654 Cross-site Scripting vulnerability in Progress Openedge
An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated.  Unauthorized access to the discovery service's UDP port allowed content injection into parts of the OEM web interface making it possible for other types of attack that could spoof or deceive web interface users.   Unauthorized use of the OEE/OEM discovery service was remediated by deactivating the discovery service by default.
network
low complexity
progress CWE-79
6.1
2024-01-18 CVE-2023-40051 Unrestricted Upload of File with Dangerous Type vulnerability in Progress Openedge and Openedge Innovation
This issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0. An attacker can formulate a request for a WEB transport that allows unintended file uploads to a server directory path on the system running PASOE.
network
low complexity
progress CWE-434
critical
9.9
2024-01-18 CVE-2023-40052 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Progress Openedge and Openedge Innovation
This issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0 .  An attacker who can produce a malformed web request may cause the crash of a PASOE agent potentially disrupting the thread activities of many web application clients.
network
low complexity
progress CWE-119
7.5
2023-06-23 CVE-2023-34203 Injection vulnerability in Progress Openedge, Openedge Explorer and Openedge Management
In Progress OpenEdge OEM (OpenEdge Management) and OEE (OpenEdge Explorer) before 12.7, a remote user (who has any OEM or OEE role) could perform a URL injection attack to change identity or role membership, e.g., escalate to admin.
network
low complexity
progress CWE-74
8.8
2022-05-02 CVE-2022-29849 Unspecified vulnerability in Progress Openedge
In Progress OpenEdge before 11.7.14 and 12.x before 12.2.9, certain SUID binaries within the OpenEdge application were susceptible to privilege escalation.
local
low complexity
progress
7.8
2017-10-31 CVE-2015-9245 Improper Access Control vulnerability in Progress Openedge
Insecure default configuration in Progress Software OpenEdge 10.2x and 11.x allows unauthenticated remote attackers to specify arbitrary URLs from which to load and execute malicious Java classes via port 20931.
network
low complexity
progress CWE-284
critical
9.8