Progress Openedge
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Progress Openedge.
By the Year
In 2025 there have been 0 vulnerabilities in Progress Openedge. Last year, in 2024 Openedge had 5 security vulnerabilities published. Right now, Openedge is on track to have less security vulnerabilities in 2025 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 0 | 0.00 |
2024 | 5 | 7.58 |
2023 | 1 | 8.80 |
2022 | 1 | 7.80 |
2021 | 0 | 0.00 |
2020 | 0 | 0.00 |
2019 | 0 | 0.00 |
2018 | 0 | 0.00 |
It may take a day or so for new Openedge vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Progress Openedge Security Vulnerabilities
An ActiveMQ Discovery service was reachable by default
CVE-2024-7654
6.1 - Medium
- September 03, 2024
An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated. Unauthorized access to the discovery service's UDP port allowed content injection into parts of the OEM web interface making it possible for other types of attack that could spoof or deceive web interface users. Unauthorized use of the OEE/OEM discovery service was remediated by deactivating the discovery service by default.
XSS
Host name validation for TLS certificates is bypassed when the installed OpenEdge default certificates are used to perform the TLS handshake for a networked connection
CVE-2024-7346
4.8 - Medium
- September 03, 2024
Host name validation for TLS certificates is bypassed when the installed OpenEdge default certificates are used to perform the TLS handshake for a networked connection. This has been corrected so that default certificates are no longer capable of overriding host name validation and will need to be replaced where full TLS certificate validation is needed for network security. The existing certificates should be replaced with CA-signed certificates from a recognized certificate authority that contain the necessary information to support host name validation.
authentification
Local ABL Client bypass of the required PASOE security checks may
CVE-2024-7345
9.6 - Critical
- September 03, 2024
Local ABL Client bypass of the required PASOE security checks may allow an attacker to commit unauthorized code injection into Multi-Session Agents on supported OpenEdge LTS platforms up to OpenEdge LTS 11.7.18 and LTS 12.2.13 on all supported release platforms
Code Injection
This issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18
CVE-2023-40052
7.5 - High
- January 18, 2024
This issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0 . An attacker who can produce a malformed web request may cause the crash of a PASOE agent potentially disrupting the thread activities of many web application clients. Multiple of these DoS attacks could lead to the flooding of invalid requests as compared to the servers remaining ability to process valid requests.
Buffer Overflow
This issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18
CVE-2023-40051
9.9 - Critical
- January 18, 2024
This issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0. An attacker can formulate a request for a WEB transport that allows unintended file uploads to a server directory path on the system running PASOE. If the upload contains a payload that can further exploit the server or its network, the launch of a larger scale attack may be possible.
Unrestricted File Upload
In Progress OpenEdge OEM (OpenEdge Management) and OEE (OpenEdge Explorer) before 12.7
CVE-2023-34203
8.8 - High
- June 23, 2023
In Progress OpenEdge OEM (OpenEdge Management) and OEE (OpenEdge Explorer) before 12.7, a remote user (who has any OEM or OEE role) could perform a URL injection attack to change identity or role membership, e.g., escalate to admin. This affects OpenEdge LTS before 11.7.16, 12.x before 12.2.12, and 12.3.x through 12.6.x before 12.7.
Injection
In Progress OpenEdge before 11.7.14 and 12.x before 12.2.9
CVE-2022-29849
7.8 - High
- May 02, 2022
In Progress OpenEdge before 11.7.14 and 12.x before 12.2.9, certain SUID binaries within the OpenEdge application were susceptible to privilege escalation. If exploited, a local attacker could elevate their privileges and compromise the affected system.
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Progress Openedge or by Progress? Click the Watch button to subscribe.