Progress


Products by Progress, sorted by most security vulnerabilities since 2018

Progress Whatsup Gold: 56 vulnerabilities
Progress Ws Ftp Server: 29 vulnerabilities
Progress Moveit Transfer: 26 vulnerabilities
Progress Sitefinity: 15 vulnerabilities
Progress Telerik Reporting: 14 vulnerabilities
Progress Loadmaster: 14 vulnerabilities
Progress Openedge: 10 vulnerabilities
Progress Whatsupgold: 2 vulnerabilities
Progress Flowmon Os: 2 vulnerabilities
Progress Openedge Innovation: 2 vulnerabilities
Progress Flowmon: 1 vulnerability
Progress Kendoreact: 1 vulnerability
Progress Moveit Gateway: 1 vulnerability
Progress Kendo Ui For Vue: 1 vulnerability

Known Exploited Progress Vulnerabilities

The following Progress vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

CVE | Added | Exploit Probability (EPSS)

CVE-2024-4885 | March 3, 2025 | Exploit Probability: 94.3%
Progress WhatsUp Gold Path Traversal Vulnerability
Progress WhatsUp Gold contains a path traversal vulnerability that allows an unauthenticated attacker to achieve remote code execution.

CVE-2024-1212 | November 18, 2024 | Exploit Probability: 94.3%
Progress Kemp LoadMaster OS Command Injection Vulnerability
Progress Kemp LoadMaster contains an OS command injection vulnerability that allows an unauthenticated, remote attacker to access the system through the LoadMaster management interface, enabling arbitrary system command execution.

CVE-2024-6670 | September 16, 2024 | Exploit Probability: 94.5%
Progress WhatsUp Gold SQL Injection Vulnerability
Progress WhatsUp Gold contains a SQL injection vulnerability that allows an unauthenticated attacker to retrieve the user's encrypted password if the application is configured with only a single user.

CVE-2024-4358 | June 13, 2024 | Exploit Probability: 94.3%
Progress Telerik Report Server Authentication Bypass by Spoofing Vulnerability
Progress Telerik Report Server contains an authorization bypass by spoofing vulnerability that allows an attacker to obtain unauthorized access.

CVE-2023-40044 | October 5, 2023 | Exploit Probability: 94.4%
Progress WS_FTP Server Deserialization of Untrusted Data Vulnerability
Progress WS_FTP Server contains a deserialization of untrusted data vulnerability in the Ad Hoc Transfer module that allows an authenticated attacker to execute remote commands on the underlying operating system.

CVE-2023-34362 | June 2, 2023 | Exploit Probability: 94.3%
Progress MOVEit Transfer SQL Injection Vulnerability
Progress MOVEit Transfer contains a SQL injection vulnerability that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.

Of the known exploited vulnerabilities above, 6 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.

By the Year

In 2026 there has been 1 vulnerability in Progress, with an average score of 3.7 out of ten. Last year, in 2025, Progress had 24 security vulnerabilities published. Right now, Progress is on track to have fewer security vulnerabilities in 2026 than it did last year. Last year, the average CVE base score was greater by 3.33.

Year Vulnerabilities Average Score
2026 1 3.70
2025 24 7.03
2024 83 7.87
2023 37 7.08
2022 8 6.70
2021 6 8.68
2020 3 5.40
2019 5 6.53
2018 9 8.13

It may take a day or so for new Progress vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Progress Security Vulnerabilities

CVE | Date | Products

CVE-2025-11235 | Jan 06, 2026 | Moveit Transfer
Progress MOVEit Transfer Unverified Password Change (REST API) <2023.1.3
Unverified Password Change vulnerability in Progress MOVEit Transfer on Windows (REST API modules). This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.3, from 2023.0.0 before 2023.0.8, from 2022.1.0 before 2022.1.11, from 2022.0.0 before 2022.0.10.

CVE-2025-13147 | Nov 19, 2025 | Moveit Transfer
Progress MOVEit Transfer SSRF Vulnerability: before 2024.1.8, 2025.0.04.0.3
Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer. This issue affects MOVEit Transfer: before 2024.1.8, from 2025.0.0 before 2025.0.4.

CVE-2025-10703 | Nov 19, 2025 | Openedge
Code Injection via SpyAttribute log=(file) in Progress DataDirect Connect JDBC
Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows Remote Code Inclusion. The SpyAttribute connection option implemented by the DataDirect Connect for JDBC drivers, DataDirect Hybrid Data Pipeline JDBC driver and the DataDirect OpenAccess JDBC driver log=(file) construct allows the user to specify an arbitrary file for the JDBC driver to write its log information to. If an application allows an end user to specify a value for the SpyAttributes connection option then an attacker could cause JavaScript to be written to a log file. If the log file was in the correct location with the correct extension, an application server could see that log file as a resource to be served. The attacker could fetch the resource from the server causing the JavaScript to be executed.
This issue affects:
DataDirect Connect for JDBC for Amazon Redshift: through 6.0.0.001392, fixed in 6.0.0.001541
DataDirect Connect for JDBC for Apache Cassandra: through 6.0.0.000805, fixed in 6.0.0.000833
DataDirect Connect for JDBC for Hive: through 6.0.1.001499, fixed in 6.0.1.001628
DataDirect Connect for JDBC for Apache Impala: through 6.0.0.001155, fixed in 6.0.0.001279
DataDirect Connect for JDBC for Apache SparkSQL: through 6.0.1.001222, fixed in 6.0.1.001344
DataDirect Connect for JDBC Autonomous REST Connector: through 6.0.1.006961, fixed in 6.0.1.007063
DataDirect Connect for JDBC for DB2: through 6.0.0.000717, fixed in 6.0.0.000964
DataDirect Connect for JDBC for Google Analytics 4: through 6.0.0.000454, fixed in 6.0.0.000525
DataDirect Connect for JDBC for Google BigQuery: through 6.0.0.002279, fixed in 6.0.0.002410
DataDirect Connect for JDBC for Greenplum: through 6.0.0.001712, fixed in 6.0.0.001727
DataDirect Connect for JDBC for Informix: through 6.0.0.000690, fixed in 6.0.0.0851
DataDirect Connect for JDBC for Microsoft Dynamics 365: through 6.0.0.003161, fixed in 6.0.0.3198
DataDirect Connect for JDBC for Microsoft SQLServer: through 6.0.0.001936, fixed in 6.0.0.001957
DataDirect Connect for JDBC for Microsoft Sharepoint: through 6.0.0.001559, fixed in 6.0.0.001587
DataDirect Connect for JDBC for MongoDB: through 6.1.0.001654, fixed in 6.1.0.001669
DataDirect Connect for JDBC for MySQL: through 5.1.4.000330, fixed in 5.1.4.000364
DataDirect Connect for JDBC for Oracle Database: through 6.0.0.001747, fixed in 6.0.0.001776
DataDirect Connect for JDBC for Oracle Eloqua: through 6.0.0.001438, fixed in 6.0.0.001458
DataDirect Connect for JDBC for Oracle Sales Cloud: through 6.0.0.001225, fixed in 6.0.0.001316
DataDirect Connect for JDBC for Oracle Service Cloud: through 5.1.4.000298, fixed in 5.1.4.000309
DataDirect Connect for JDBC for PostgreSQL: through 6.0.0.001843, fixed in 6.0.0.001856
DataDirect Connect for JDBC for Progress OpenEdge: through 5.1.4.000187, fixed in 5.1.4.000189
DataDirect Connect for JDBC for Salesforce: through 6.0.0.003020, fixed in 6.0.0.003125
DataDirect Connect for JDBC for SAP HANA: through 6.0.0.000879, product retired
DataDirect Connect for JDBC for SAP S/4 HANA: through 6.0.1.001818, fixed in 6.0.1.001858
DataDirect Connect for JDBC for Sybase ASE: through 5.1.4.000161, fixed in 5.1.4.000162
DataDirect Connect for JDBC for Snowflake: through 6.0.1.001821, fixed in 6.0.1.001856
DataDirect Hybrid Data Pipeline Server: through 4.6.2.3309, fixed in 4.6.2.3430
DataDirect Hybrid Data Pipeline JDBC Driver: through 4.6.2.0607, fixed in 4.6.2.1023
DataDirect Hybrid Data Pipeline On Premises Connector: through 4.6.2.1223, fixed in 4.6.2.1339
DataDirect Hybrid Data Pipeline Docker: through 4.6.2.3316, fixed in 4.6.2.3430
DataDirect OpenAccess JDBC Driver: through 8.1.0.0177, fixed in 8.1.0.0183
DataDirect OpenAccess JDBC Driver: through 9.0.0.0019, fixed in 9.0.0.0022

CVE-2025-10702 | Nov 19, 2025 | Openedge
SpyAttributes Code Injection in Progress DataDirect JDBC
Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows Remote Code Inclusion. The SpyAttribute connection option implemented by the DataDirect Connect for JDBC drivers, DataDirect Hybrid Data Pipeline JDBC driver and the DataDirect OpenAccess JDBC driver supports an undocumented syntax construct for the option value that if discovered can be used by an attacker. If an application allows an end user to specify a value for the SpyAttributes connection option then an attacker can use the undocumented syntax to cause the driver to load an arbitrary class on the class path and execute a constructor on that class.
This issue affects:
DataDirect Connect for JDBC for Amazon Redshift: through 6.0.0.001392, fixed in 6.0.0.001541
DataDirect Connect for JDBC for Apache Cassandra: through 6.0.0.000805, fixed in 6.0.0.000833
DataDirect Connect for JDBC for Hive: through 6.0.1.001499, fixed in 6.0.1.001628
DataDirect Connect for JDBC for Apache Impala: through 6.0.0.001155, fixed in 6.0.0.001279
DataDirect Connect for JDBC for Apache SparkSQL: through 6.0.1.001222, fixed in 6.0.1.001344
DataDirect Connect for JDBC Autonomous REST Connector: through 6.0.1.006961, fixed in 6.0.1.007063
DataDirect Connect for JDBC for DB2: through 6.0.0.000717, fixed in 6.0.0.000964
DataDirect Connect for JDBC for Google Analytics 4: through 6.0.0.000454, fixed in 6.0.0.000525
DataDirect Connect for JDBC for Google BigQuery: through 6.0.0.002279, fixed in 6.0.0.002410
DataDirect Connect for JDBC for Greenplum: through 6.0.0.001712, fixed in 6.0.0.001727
DataDirect Connect for JDBC for Informix: through 6.0.0.000690, fixed in 6.0.0.0851
DataDirect Connect for JDBC for Microsoft Dynamics 365: through 6.0.0.003161, fixed in 6.0.0.3198
DataDirect Connect for JDBC for Microsoft SQLServer: through 6.0.0.001936, fixed in 6.0.0.001957
DataDirect Connect for JDBC for Microsoft Sharepoint: through 6.0.0.001559, fixed in 6.0.0.001587
DataDirect Connect for JDBC for MongoDB: through 6.1.0.001654, fixed in 6.1.0.001669
DataDirect Connect for JDBC for MySQL: through 5.1.4.000330, fixed in 5.1.4.000364
DataDirect Connect for JDBC for Oracle Database: through 6.0.0.001747, fixed in 6.0.0.001776
DataDirect Connect for JDBC for Oracle Eloqua: through 6.0.0.001438, fixed in 6.0.0.001458
DataDirect Connect for JDBC for Oracle Sales Cloud: through 6.0.0.001225, fixed in 6.0.0.001316
DataDirect Connect for JDBC for Oracle Service Cloud: through 5.1.4.000298, fixed in 5.1.4.000309
DataDirect Connect for JDBC for PostgreSQL: through 6.0.0.001843, fixed in 6.0.0.001856
DataDirect Connect for JDBC for Progress OpenEdge: through 5.1.4.000187, fixed in 5.1.4.000189
DataDirect Connect for JDBC for Salesforce: through 6.0.0.003020, fixed in 6.0.0.003125
DataDirect Connect for JDBC for SAP HANA: through 6.0.0.000879, product retired
DataDirect Connect for JDBC for SAP S/4 HANA: through 6.0.1.001818, fixed in 6.0.1.001858
DataDirect Connect for JDBC for Sybase ASE: through 5.1.4.000161, fixed in 5.1.4.000162
DataDirect Connect for JDBC for Snowflake: through 6.0.1.001821, fixed in 6.0.1.001856
DataDirect Hybrid Data Pipeline Server: through 4.6.2.3309, fixed in 4.6.2.3430
DataDirect Hybrid Data Pipeline JDBC Driver: through 4.6.2.0607, fixed in 4.6.2.1023
DataDirect Hybrid Data Pipeline On Premises Connector: through 4.6.2.1223, fixed in 4.6.2.1339
DataDirect Hybrid Data Pipeline Docker: through 4.6.2.3316, fixed in 4.6.2.3430
DataDirect OpenAccess JDBC Driver: through 8.1.0.0177, fixed in 8.1.0.0183
DataDirect OpenAccess JDBC Driver: through 9.0.0.0019, fixed in 9.0.0.0022

CVE-2025-10932 | Oct 29, 2025 | Moveit Transfer
Uncontrolled Resource Consumption in MOVEit Transfer AS2 Module (pre-2025.0.3)
Uncontrolled Resource Consumption vulnerability in Progress MOVEit Transfer (AS2 module). This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.3, from 2024.1.0 before 2024.1.7, from 2023.1.0 before 2023.1.16.

CVE-2025-3600 | May 14, 2025 | Telerik Ui For Asp Net Ajax
Unsafe Reflection in Telerik UI for AJAX v2011.2.712–2025.1.218 – DoS Crash
In Progress® Telerik® UI for AJAX, versions 2011.2.712 to 2025.1.218, an unsafe reflection vulnerability exists that may lead to an unhandled exception resulting in a crash of the hosting process and denial of service.

CVE-2025-2572 | Apr 14, 2025 | Whatsup Gold
WhatsUp Gold <=2024.0.2 Unauth DB Manipulation via WrlsMacAddressGroup
In WhatsUp Gold versions released before 2024.0.3, a database manipulation vulnerability allows an unauthenticated attacker to modify the contents of WhatsUp.dbo.WrlsMacAddressGroup.

CVE-2025-1968 | Apr 09, 2025 | Sitefinity
Insufficient Session Expiration in Progress Sitefinity 14–15.2 (before 15.2.8429)
Insufficient Session Expiration vulnerability in Progress Software Corporation Sitefinity under some specific and uncommon circumstances allows reusing Session IDs (Session Replay Attacks). This issue affects Sitefinity: from 14.0 through 14.3, from 14.4 before 14.4.8145, from 15.0 before 15.0.8231, from 15.1 before 15.1.8332, from 15.2 before 15.2.8429.

CVE-2025-2324 | Mar 19, 2025 | Moveit Transfer
Privilege Escalation in Progress MOVEit Transfer SFTP (Shared Accounts) – before 2024.1.2
Improper Privilege Management vulnerability for users configured as Shared Accounts in Progress MOVEit Transfer (SFTP module) allows Privilege Escalation. This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.12, from 2024.0.0 before 2024.0.8, from 2024.1.0 before 2024.1.2.

CVE-2025-1758 | Mar 19, 2025 | Loadmaster, Multi Tenant Loadmaster
Progress LoadMaster 7.2.40+ Buffer Overflow via Improper Input Validation
Improper Input Validation vulnerability in Progress LoadMaster allows Buffer Overflow. This issue affects:
LoadMaster: 7.2.40.0 and above
ECS: all versions
Multi-Tenancy: 7.1.35.4 and above

CVE-2024-6097 | Feb 12, 2025 | Telerik Reporting
Telerik Reporting 19.0.25.211 Info Disclosure Absolute Path Vulnerability
In Progress® Telerik® Reporting versions prior to 2025 Q1 (19.0.25.211), information disclosure is possible by a local threat actor through an absolute path vulnerability.

CVE-2024-11628 | Feb 12, 2025 | Kendo Ui For Vue
Prototype Pollution in Telerik Kendo UI Vue v2.4–v6.0.1 Enables Injection
In Progress® Telerik® Kendo UI for Vue versions v2.4.0 through v6.0.1, an attacker can introduce or modify properties within the global prototype chain which can result in denial of service or command injection.

CVE-2024-11629 | Feb 12, 2025 | Telerik Document Processing Libraries
Telerik Document Processing Lib before 2025.1.205: Arbitrary File Export to RTF
In Progress® Telerik® Document Processing Libraries, versions prior to 2025 Q1 (2025.1.205), using .NET Standard 2.0, the contents of a file at an arbitrary path can be exported to RTF.

CVE-2025-0332 | Feb 12, 2025 | Telerik Ui For Winforms
Telerik UI for WinForms <2025.1.211 Path Traversal in Archive Extraction
In Progress® Telerik® UI for WinForms, versions prior to 2025 Q1 (2025.1.211), using the improper limitation of a target path can lead to decompressing an archive's content into a restricted directory.

CVE-2024-12629 | Feb 12, 2025 | Kendoreact
KendoReact Prototype Pollution v3.5.0-v9.4.0 Progress Telerik
In Progress® Telerik® KendoReact versions v3.5.0 through v9.4.0, an attacker can introduce or modify properties within the global prototype chain which can result in denial of service or command injection.

CVE-2024-11343 | Feb 12, 2025 | Telerik Document Processing Libraries
Telerik DP Libs <2025 Q1: Unzip Causes Arbitrary FS Access
In Progress® Telerik® Document Processing Libraries, versions prior to 2025 Q1 (2025.1.205), unzipping an archive can lead to arbitrary file system access.

CVE-2025-0556 | Feb 12, 2025 | Telerik Report Server
Telerik Report Server <11.0.25.211: Unencrypted Tunnel Allows Network Sniffing
In Progress® Telerik® Report Server, versions prior to 2025 Q1 (11.0.25.211) when using the older .NET Framework implementation, communication of non-sensitive information between the service agent process and app host process occurs over an unencrypted tunnel, which can be subjected to local network traffic sniffing.

CVE-2024-56135 | Feb 05, 2025 | Multi Tenant Loadmaster, Loadmaster
Progress LoadMaster 7.2.48.12-7.2.60.1 OS Command Injection via Auth Input
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows OS Command Injection. This issue affects:
LoadMaster: from 7.2.55.0 to 7.2.60.1 (inclusive); from 7.2.49.0 to 7.2.54.12 (inclusive); 7.2.48.12 and all prior versions
ECS: all prior versions to 7.2.60.1 (inclusive)

CVE-2024-56134 | Feb 05, 2025 | Multi Tenant Loadmaster, Loadmaster
Progress LoadMaster <7.2.60.1 OS Cmd Injection
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows OS Command Injection. This issue affects:
LoadMaster: from 7.2.55.0 to 7.2.60.1 (inclusive); from 7.2.49.0 to 7.2.54.12 (inclusive); 7.2.48.12 and all prior versions
Multi-Tenant Hypervisor: 7.1.35.12 and all prior versions
ECS: all prior versions to 7.2.60.1 (inclusive)

CVE-2024-56133 | Feb 05, 2025 | Multi Tenant Loadmaster, Loadmaster
Progress LoadMaster <=7.2.60.1: OS Command Injection (Auth)
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows OS Command Injection. This issue affects:
LoadMaster: from 7.2.55.0 to 7.2.60.1 (inclusive); from 7.2.49.0 to 7.2.54.12 (inclusive); 7.2.48.12 and all prior versions
ECS: all prior versions to 7.2.60.1 (inclusive)

CVE-2024-56132 | Feb 05, 2025 | Multi Tenant Loadmaster, Loadmaster
Progress LoadMaster OS Command Injection 7.2.48.12+ up to 7.2.60.1
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows OS Command Injection. This issue affects:
LoadMaster: from 7.2.55.0 to 7.2.60.1 (inclusive); from 7.2.49.0 to 7.2.54.12 (inclusive); 7.2.48.12 and all prior versions
ECS: all prior versions to 7.2.60.1 (inclusive)

CVE-2024-56131 | Feb 05, 2025 | Multi Tenant Loadmaster, Loadmaster
Progress LoadMaster 7.2.55.0-7.2.60.1 OS Command Injection (Auth)
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows OS Command Injection. This issue affects:
LoadMaster: from 7.2.55.0 to 7.2.60.1 (inclusive); from 7.2.49.0 to 7.2.54.12 (inclusive); 7.2.48.12 and all prior versions
Multi-Tenant Hypervisor: 7.1.35.12 and all prior versions
ECS: all prior versions to 7.2.60.1 (inclusive)

CVE-2024-11627 | Jan 07, 2025 | Sitefinity
Insufficient Expiration in Progress Sitefinity 4.0–15.2: Session Fixation
Insufficient Session Expiration vulnerability in Progress Sitefinity allows Session Fixation. This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421.

CVE-2024-11626 | Jan 07, 2025 | Sitefinity
Sitefinity XSS in CMS Admin (v4.0-15.2.8421)
Improper Neutralization of Input During CMS Backend (administrative section) Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Progress Sitefinity. This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421.

CVE-2024-11625 | Jan 07, 2025 | Sitefinity
Sitefinity Info Disclosure via Error Msg (4.0-15.2.8421)
Information Exposure Through an Error Message vulnerability in Progress Software Corporation Sitefinity. This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421.

CVE-2024-12105 | Dec 31, 2024 | Whatsup Gold
Auth Info Disclosure via HTTP in WhatsUp Gold <2024.0.2
In WhatsUp Gold versions released before 2024.0.2, an authenticated user can use a specially crafted HTTP request that can lead to information disclosure.

CVE-2024-12106 | Dec 31, 2024 | Whatsup Gold
Unauth LDAP Config in WhatsUp Gold pre-2024.0.2
In WhatsUp Gold versions released before 2024.0.2, an unauthenticated attacker can configure LDAP settings.

CVE-2024-12108 | Dec 31, 2024 | Whatsup Gold
WhatsUp Gold <2024.0.2 Public API Access Exploit
In WhatsUp Gold versions released before 2024.0.2, an attacker can gain access to the WhatsUp Gold server via the public API.

CVE-2024-11220 | Dec 06, 2024 | Telerik Reporting
Telerik Reporting Privilege Escalation via Malicious RDLX File
A local low-level user on the server machine with credentials to the running OAS services can create and execute a report with an rdlx file on the server system itself. Any code within the rdlx file of the report executes with SYSTEM privileges, resulting in privilege escalation.

CVE-2024-8785 | Dec 02, 2024 | Whatsup Gold
WhatsUp Gold NmAPI.exe Remote Unauthenticated Registry Manipulation Vulnerability
In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage NmAPI.exe to create or change an existing registry value in registry path HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\.

CVE-2024-46905 | Dec 02, 2024 | Whatsup Gold
SQL Injection Vulnerability in WhatsUp Gold Leading to Privilege Escalation
In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated lower-privileged user (at least Network Manager permissions required) to achieve privilege escalation to the admin account.

CVE-2024-46906 | Dec 02, 2024 | Whatsup Gold
SQL Injection Vulnerability in WhatsUp Gold Report Viewer
In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account.

CVE-2024-46907 | Dec 02, 2024 | Whatsup Gold
SQL Injection Vulnerability in WhatsUp Gold Leading to Privilege Escalation
In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account.

CVE-2024-46908 | Dec 02, 2024 | Whatsup Gold
SQL Injection Vulnerability in WhatsUp Gold Leading to Privilege Escalation
In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account.

CVE-2024-46909 | Dec 02, 2024 | Whatsup Gold
WhatsUp Gold Remote Code Execution Vulnerability
In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage this vulnerability to execute code in the context of the service account.

CVE-2024-10013 | Nov 13, 2024 | Telerik Ui For Winforms
Telerik UI for WinForms Insecure Deserialization Code Execution Vulnerability
In Progress Telerik UI for WinForms versions prior to 2024 Q4 (2024.4.1113), a code execution attack is possible through an insecure deserialization vulnerability.

CVE-2024-7295 | Nov 13, 2024 | Telerik Report Server
Progress® Telerik® Report Server: Weak Encryption Vulnerability in Local Asset Data
In Progress® Telerik® Report Server versions prior to 2024 Q4 (10.3.24.1112), the encryption of local asset data used an older algorithm which may allow a sophisticated actor to decrypt this information.

CVE-2024-8049 | Nov 13, 2024 | Telerik Document Processing Libraries
Telerik Document Processing Libraries: Denial of Service via Resource Exhaustion
In Progress Telerik Document Processing Libraries, versions prior to 2024 Q4 (2024.4.1106), importing a document with unsupported features can lead to excessive processing and excessive use of computing resources, leaving the application process unavailable.

CVE-2024-7763 | Oct 24, 2024 | Whatsup Gold
WhatsUp Gold <2024.0.0: Auth Bypass Exposes Encrypted Credentials
In WhatsUp Gold versions released before 2024.0.0, an Authentication Bypass issue exists which allows an attacker to obtain encrypted user credentials.

CVE-2024-8755 | Oct 11, 2024 | Loadmaster
Progress LoadMaster 7.2.60.1 OS Command Injection via Improper Input Validation
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows OS Command Injection. This issue affects:
LoadMaster: from 7.2.55.0 to 7.2.60.1 (inclusive); from 7.2.49.0 to 7.2.54.12 (inclusive); 7.2.48.12 and all prior versions
Multi-Tenant Hypervisor: 7.1.35.12 and all prior versions
ECS: all prior versions to 7.2.60.1 (inclusive)

CVE-2024-7840 | Oct 09, 2024 | Telerik Reporting
Progress Telerik Reporting: Command Injection before v18.2.24.924 via Hyperlink
In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a command injection attack is possible through improper neutralization of hyperlink elements.

CVE-2024-7293 | Oct 09, 2024 | Telerik Reporting
Password Brute-Force on Telerik Report Server <=10.2.24.806 (Weak Password Requirements)
In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a password brute forcing attack is possible through weak password requirements.

CVE-2024-7292 | Oct 09, 2024 | Telerik Report Server
Progress Telerik Report Server <10.2.24.806: Excessive Logins -> Credential Stuffing
In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a credential stuffing attack is possible through improper restriction of excessive login attempts.

CVE-2024-8048 | Oct 09, 2024 | Telerik Reporting
Telerik Reporting <18.2.24.924: Code Execution via Object Injection
In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible using object injection via insecure expression evaluation.

CVE-2024-8015 | Oct 09, 2024 | Telerik Report Server
RCE via Object Injection in Telerik Report Server <=10.2.24.924
In Progress Telerik Report Server versions prior to 2024 Q3 (10.2.24.924), a remote code execution attack is possible through object injection via an insecure type resolution vulnerability.

CVE-2024-8014 | Oct 09, 2024 | Telerik Reporting
Telerik Reporting <18.2.24.924: Code Exec via Object Injection
In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible through object injection via an insecure type resolution vulnerability.

CVE-2024-7294 | Oct 09, 2024 | Telerik Reporting, Telerik Report Server
DoS via Endpoints Without Rate Limiting in Telerik Report Server <10.2.24.806
In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), an HTTP DoS attack is possible on anonymous endpoints without rate limiting.

CVE-2024-7679 | Sep 25, 2024 | Telerik Ui For Winforms
Command Injection in Telerik UI for WinForms < 2024 Q3 via Hyperlink Elements
In Progress Telerik UI for WinForms versions prior to 2024 Q3 (2024.3.924), a command injection attack is possible through improper neutralization of hyperlink elements.

CVE-2024-6658 | Sep 12, 2024 | Loadmaster, Multi Tenant Loadmaster
LoadMaster & ECS 7.x OS Command Injection via Authenticated Input (before 7.2.60)
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows OS Command Injection. This issue affects:
LoadMaster: from 7.2.55.0 to 7.2.60.0 (inclusive); from 7.2.49.0 to 7.2.54.11 (inclusive); 7.2.48.12 and all prior versions
Multi-Tenant Hypervisor: 7.1.35.11 and all prior versions
ECS: all prior versions to 7.2.60.0 (inclusive)

CVE-2024-7591 | Sep 05, 2024 | Loadmaster
Command Injection in Progress LoadMaster 7.2.40+ via Improper Input Validation
Improper Input Validation vulnerability in Progress LoadMaster allows OS Command Injection. This issue affects:
LoadMaster: 7.2.40.0 and above
ECS: all versions
Multi-Tenancy: 7.1.35.4 and above

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Always check with your vendor for the most up-to-date and accurate information.