Vulnerabilities > Progress

DATE CVE VULNERABILITY TITLE RISK
2024-10-09 CVE-2024-7293 Weak Password Requirements vulnerability in Progress Telerik Reporting
In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a password brute forcing attack is possible through weak password requirements.
network
low complexity
progress CWE-521
8.8
2024-10-09 CVE-2024-7294 Unspecified vulnerability in Progress Telerik Reporting
In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), an HTTP DoS attack is possible on anonymous endpoints without rate limiting.
network
low complexity
progress
6.5
2024-10-09 CVE-2024-7840 Command Injection vulnerability in Progress Telerik Reporting 12.0.18.125
In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a command injection attack is possible through improper neutralization of hyperlink elements.
local
low complexity
progress CWE-77
7.8
2024-10-09 CVE-2024-8014 Unsafe Reflection vulnerability in Progress Telerik Reporting 12.0.18.125
In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible through object injection via an insecure type resolution vulnerability.
network
low complexity
progress CWE-470
8.8
2024-10-09 CVE-2024-8015 Unsafe Reflection vulnerability in Progress Telerik Report Server
In Progress Telerik Report Server versions prior to 2024 Q3 (10.2.24.924), a remote code execution attack is possible through object injection via an insecure type resolution vulnerability.
network
low complexity
progress CWE-470
7.2
2024-10-09 CVE-2024-8048 Unsafe Reflection vulnerability in Progress Telerik Reporting 12.0.18.125
In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible using object injection via insecure expression evaluation.
local
low complexity
progress CWE-470
7.8
2024-09-03 CVE-2024-7345 Code Injection vulnerability in Progress Openedge
Local ABL Client bypass of the required PASOE security checks may allow an attacker to commit unauthorized code injection into Multi-Session Agents on supported OpenEdge LTS platforms up to OpenEdge LTS 11.7.18 and LTS 12.2.13 on all supported release platforms
low complexity
progress CWE-94
critical
9.6
2024-09-03 CVE-2024-7346 Improper Authentication vulnerability in Progress Openedge
Host name validation for TLS certificates is bypassed when the installed OpenEdge default certificates are used to perform the TLS handshake for a networked connection.  This has been corrected so that default certificates are no longer capable of overriding host name validation and will need to be replaced where full TLS certificate validation is needed for network security.  The existing certificates should be replaced with CA-signed certificates from a recognized certificate authority that contain the necessary information to support host name validation.
network
high complexity
progress CWE-287
4.8
2024-09-03 CVE-2024-7654 Cross-site Scripting vulnerability in Progress Openedge
An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated.  Unauthorized access to the discovery service's UDP port allowed content injection into parts of the OEM web interface making it possible for other types of attack that could spoof or deceive web interface users.   Unauthorized use of the OEE/OEM discovery service was remediated by deactivating the discovery service by default.
network
low complexity
progress CWE-79
6.1
2024-08-29 CVE-2024-6670 SQL Injection vulnerability in Progress Whatsup Gold
In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.
network
low complexity
progress CWE-89
critical
9.8