Progress Whatsup Gold


By the Year

In 2025 there have been 0 vulnerabilities in Progress Whatsup Gold. Last year, in 2024, Whatsup Gold had 30 security vulnerabilities published. Right now, Whatsup Gold is on track to have fewer security vulnerabilities in 2025 than it did last year.




Year  Vulnerabilities  Average Score
2025  0                0.00
2024  30               8.07
2023  7                5.47
2022  5                7.08
2021  0                0.00
2020  0                0.00
2019  0                0.00
2018  4                9.80

It may take a day or so for new Whatsup Gold vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Progress Whatsup Gold Security Vulnerabilities

In WhatsUp Gold versions released before 2024.0.2, an authenticated user can use a specially crafted HTTP request

CVE-2024-12105 6.5 - Medium - December 31, 2024

In WhatsUp Gold versions released before 2024.0.2, an authenticated user can use a specially crafted HTTP request that can lead to information disclosure.

Directory traversal

In WhatsUp Gold versions released before 2024.0.2, an attacker can gain access to the WhatsUp Gold server

CVE-2024-12108 9.6 - Critical - December 31, 2024

In WhatsUp Gold versions released before 2024.0.2, an attacker can gain access to the WhatsUp Gold server via the public API.

Authentication Bypass by Spoofing

In WhatsUp Gold versions released before 2024.0.2, an unauthenticated attacker

CVE-2024-12106 7.5 - High - December 31, 2024

In WhatsUp Gold versions released before 2024.0.2, an unauthenticated attacker can configure LDAP settings.

Missing Authentication for Critical Function

WhatsUp Gold NmAPI.exe Remote Unauthenticated Registry Manipulation Vulnerability

CVE-2024-8785 5.3 - Medium - December 02, 2024

In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage NmAPI.exe to create or change an existing registry value in registry path HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\.

WhatsUp Gold Remote Code Execution Vulnerability

CVE-2024-46909 9.8 - Critical - December 02, 2024

In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage this vulnerability to execute code in the context of the service account.

SQL Injection Vulnerability in WhatsUp Gold Leading to Privilege Escalation

CVE-2024-46908 8.8 - High - December 02, 2024

In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account.

SQL Injection Vulnerability in WhatsUp Gold Leading to Privilege Escalation

CVE-2024-46907 8.8 - High - December 02, 2024

In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account.

SQL Injection Vulnerability in WhatsUp Gold Report Viewer

CVE-2024-46906 8.8 - High - December 02, 2024

In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account.

SQL Injection Vulnerability in WhatsUp Gold Leading to Privilege Escalation

CVE-2024-46905 8.8 - High - December 02, 2024

In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated lower-privileged user (at least Network Manager permissions required) to achieve privilege escalation to the admin account.

In WhatsUp Gold versions released before 2024.0.0, an Authentication Bypass issue exists which

CVE-2024-7763 7.5 - High - October 24, 2024

In WhatsUp Gold versions released before 2024.0.0, an Authentication Bypass issue exists which allows an attacker to obtain encrypted user credentials.

Authentication

In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability

CVE-2024-6670 9.8 - Critical - August 29, 2024

In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password.

SQL Injection

In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability

CVE-2024-6672 8.8 - High - August 29, 2024

In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an authenticated low-privileged attacker to achieve privilege escalation by modifying a privileged user's password.

SQL Injection

In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability

CVE-2024-6671 9.8 - Critical - August 29, 2024

In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password.

SQL Injection

In WhatsUp Gold versions released before 2023.1.3, a Server Side Request Forgery vulnerability exists in the GetASPReport feature

CVE-2024-5014 6.5 - Medium - June 25, 2024

In WhatsUp Gold versions released before 2023.1.3, a Server Side Request Forgery vulnerability exists in the GetASPReport feature. This allows any authenticated user to retrieve ASP reports from an HTML form.

SSRF

In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Denial of Service vulnerability was identified

CVE-2024-5013 7.5 - High - June 25, 2024

In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Denial of Service vulnerability was identified. An unauthenticated attacker can put the application into the SetAdminPassword installation step, which renders the application non-accessible.

In WhatsUp Gold versions released before 2023.1.3, there is a missing authentication vulnerability in WUGDataAccess.Credentials

CVE-2024-5012 8.6 - High - June 25, 2024

In WhatsUp Gold versions released before 2023.1.3, there is a missing authentication vulnerability in WUGDataAccess.Credentials. This vulnerability allows unauthenticated attackers to disclose Windows Credentials stored in the product Credential Library.

Authentication

In WhatsUp Gold versions released before 2023.1.3

CVE-2024-5019 7.5 - High - June 25, 2024

In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Arbitrary File Read issue exists in Wug.UI.Areas.Wug.Controllers.SessionController.CachedCSS. This vulnerability allows reading of any file with iisapppool\NmConsole privileges.

Directory traversal

In WhatsUp Gold versions released before 2023.1.3

CVE-2024-5018 7.5 - High - June 25, 2024

In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Path Traversal vulnerability exists in Wug.UI.Areas.Wug.Controllers.SessionController.LoadNMScript. This allows reading of any file from the application's web-root directory.

Directory traversal

In WhatsUp Gold versions released before 2023.1.3, an authenticated SSRF vulnerability in Wug.UI.Areas.Wug.Controllers.SessionControler.Update

CVE-2024-5015 8.8 - High - June 25, 2024

In WhatsUp Gold versions released before 2023.1.3, an authenticated SSRF vulnerability in Wug.UI.Areas.Wug.Controllers.SessionControler.Update allows a low privileged user to chain this SSRF with an Improper Access Control vulnerability. This can be used to escalate privileges to Admin.

SSRF

In WhatsUp Gold versions released before 2023.1.3, Distributed Edition installations

CVE-2024-5016 7.2 - High - June 25, 2024

In WhatsUp Gold versions released before 2023.1.3, Distributed Edition installations can be exploited by using a deserialization tool to achieve a Remote Code Execution as SYSTEM. The vulnerability exists in the main message processing routines NmDistributed.DistributedServiceBehavior.OnMessage for server and NmDistributed.DistributedClient.OnMessage for clients.

Marshaling, Unmarshaling

In WhatsUp Gold versions released before 2023.1.3, a path traversal vulnerability exists

CVE-2024-5017 6.5 - Medium - June 25, 2024

In WhatsUp Gold versions released before 2023.1.3, a path traversal vulnerability exists. A specially crafted unauthenticated HTTP request to AppProfileImport can lead to information disclosure.

Directory traversal

In WhatsUp Gold versions released before 2023.1.3, an uncontrolled resource consumption vulnerability exists

CVE-2024-5011 7.5 - High - June 25, 2024

In WhatsUp Gold versions released before 2023.1.3, an uncontrolled resource consumption vulnerability exists. A specially crafted unauthenticated HTTP request to the TestController Chart functionality can lead to denial of service.

Resource Exhaustion

In WhatsUp Gold versions released before 2023.1.3, a vulnerability exists in the TestController functionality

CVE-2024-5010 7.5 - High - June 25, 2024

In WhatsUp Gold versions released before 2023.1.3, a vulnerability exists in the TestController functionality. A specially crafted unauthenticated HTTP request can lead to a disclosure of sensitive information.

In WhatsUp Gold versions released before 2023.1.3, an Improper Access Control vulnerability in Wug.UI.Controllers.InstallController.SetAdminPassword

CVE-2024-5009 8.4 - High - June 25, 2024

In WhatsUp Gold versions released before 2023.1.3, an Improper Access Control vulnerability in Wug.UI.Controllers.InstallController.SetAdminPassword allows local attackers to modify admin's password.

In WhatsUp Gold versions released before 2023.1.3, an authenticated user with certain permissions

CVE-2024-5008 8.8 - High - June 25, 2024

In WhatsUp Gold versions released before 2023.1.3, an authenticated user with certain permissions can upload an arbitrary file and obtain RCE using Apm.UI.Areas.APM.Controllers.Api.Applications.AppProfileImportController.

Unrestricted File Upload

In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability in Progress WhatsUpGold

CVE-2024-4885 9.8 - Critical - June 25, 2024

In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability exists in Progress WhatsUpGold. The WhatsUp.ExportUtilities.Export.GetFileWithoutZip allows execution of commands with iisapppool\nmconsole privileges.

In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability in Progress WhatsUpGold

CVE-2024-4884 9.8 - Critical - June 25, 2024

In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability exists in Progress WhatsUpGold. The Apm.UI.Areas.APM.Controllers.CommunityController allows execution of commands with iisapppool\nmconsole privileges.

Command Injection

In WhatsUp Gold versions released before 2023.1.3, a Remote Code Execution issue exists in Progress WhatsUp Gold

CVE-2024-4883 9.8 - Critical - June 25, 2024

In WhatsUp Gold versions released before 2023.1.3, a Remote Code Execution issue exists in Progress WhatsUp Gold. This vulnerability allows an unauthenticated attacker to achieve RCE as a service account through NmApi.exe.

In WhatsUp Gold versions released before 2023.1.2

CVE-2024-4562 5.4 - Medium - May 14, 2024

In WhatsUp Gold versions released before 2023.1.2, an SSRF vulnerability exists in Whatsup Gold's HTTP Monitoring functionality. Due to the lack of proper authorization, any authenticated user can access the HTTP monitoring functionality, which leads to Server Side Request Forgery.

SSRF

In WhatsUp Gold versions released before 2023.1.2, a blind SSRF vulnerability exists in Whatsup Gold's FaviconController

CVE-2024-4561 5.3 - Medium - May 14, 2024

In WhatsUp Gold versions released before 2023.1.2, a blind SSRF vulnerability exists in Whatsup Gold's FaviconController that allows an attacker to send arbitrary HTTP requests on behalf of the vulnerable server.

SSRF

In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified

CVE-2023-6365 5.4 - Medium - December 14, 2023

In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft an XSS payload and store that value within a device group. If a WhatsUp Gold user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victim's browser.

XSS

In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified

CVE-2023-6364 5.4 - Medium - December 14, 2023

In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft an XSS payload and store that value within a dashboard component. If a WhatsUp Gold user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victim's browser.

XSS

In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism

CVE-2023-6595 5.3 - Medium - December 14, 2023

In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate ancillary credential information stored within WhatsUp Gold.

Missing Authentication for Critical Function

In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism

CVE-2023-6368 5.3 - Medium - December 14, 2023

In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate information related to a registered device being monitored by WhatsUp Gold.

Missing Authentication for Critical Function

In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified

CVE-2023-6367 5.4 - Medium - December 14, 2023

In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft an XSS payload and store that value within Roles. If a WhatsUp Gold user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victim's browser.

XSS

In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified

CVE-2023-6366 5.4 - Medium - December 14, 2023

In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft an XSS payload and store that value within Alert Center. If a WhatsUp Gold user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victim's browser.

XSS

In Progress WhatsUp Gold before 23.0.0, an SNMP-related application endpoint failed to adequately sanitize malicious input

CVE-2023-35759 6.1 - Medium - June 23, 2023

In Progress WhatsUp Gold before 23.0.0, an SNMP-related application endpoint failed to adequately sanitize malicious input. This could allow an unauthenticated attacker to execute arbitrary code in a victim's browser, aka XSS.

XSS

In Progress WhatsUp Gold before 22.1.0, an SNMP MIB Walker application endpoint failed to adequately sanitize malicious input

CVE-2022-42711 9.6 - Critical - October 12, 2022

In Progress WhatsUp Gold before 22.1.0, an SNMP MIB Walker application endpoint failed to adequately sanitize malicious input. This could allow an unauthenticated attacker to execute arbitrary code in a victim's browser.

XSS

In Progress Ipswitch WhatsUp Gold 17.0.0 through 21.1.1, and 22.0.0, it is possible for an authenticated user to invoke an API transaction

CVE-2022-29848 6.5 - Medium - May 11, 2022

In Progress Ipswitch WhatsUp Gold 17.0.0 through 21.1.1, and 22.0.0, it is possible for an authenticated user to invoke an API transaction that would allow them to read sensitive operating-system attributes from a host that is accessible by the WhatsUp Gold system.

SSRF

In Progress Ipswitch WhatsUp Gold 21.0.0 through 21.1.1, and 22.0.0, it is possible for an unauthenticated attacker to invoke an API transaction

CVE-2022-29847 7.5 - High - May 11, 2022

In Progress Ipswitch WhatsUp Gold 21.0.0 through 21.1.1, and 22.0.0, it is possible for an unauthenticated attacker to invoke an API transaction that would allow them to relay encrypted WhatsUp Gold user credentials to an arbitrary host.

SSRF

In Progress Ipswitch WhatsUp Gold 16.1 through 21.1.1

CVE-2022-29846 5.3 - Medium - May 11, 2022

In Progress Ipswitch WhatsUp Gold 16.1 through 21.1.1, and 22.0.0, it is possible for an unauthenticated attacker to obtain the WhatsUp Gold installation serial number.

In Progress Ipswitch WhatsUp Gold 21.1.0 through 21.1.1, and 22.0.0, it is possible for an authenticated user to invoke an API transaction

CVE-2022-29845 6.5 - Medium - May 11, 2022

In Progress Ipswitch WhatsUp Gold 21.1.0 through 21.1.1, and 22.0.0, it is possible for an authenticated user to invoke an API transaction that would allow them to read the contents of a local file.

Inclusion of Functionality from Untrusted Control Sphere

An SSRF issue was discovered in NmAPI.exe in Ipswitch WhatsUp Gold before 2018 (18.0)

CVE-2018-8939 9.8 - Critical - May 01, 2018

An SSRF issue was discovered in NmAPI.exe in Ipswitch WhatsUp Gold before 2018 (18.0). Malicious actors can submit specially crafted requests via the NmAPI executable to (1) gain unauthorized access to the WhatsUp Gold system, (2) obtain information about the WhatsUp Gold system, or (3) execute remote commands.

SSRF

A Code Injection issue was discovered in DlgSelectMibFile.asp in Ipswitch WhatsUp Gold before 2018 (18.0)

CVE-2018-8938 9.8 - Critical - May 01, 2018

A Code Injection issue was discovered in DlgSelectMibFile.asp in Ipswitch WhatsUp Gold before 2018 (18.0). Malicious actors can inject a specially crafted SNMP MIB file that could allow them to execute arbitrary commands and code on the WhatsUp Gold server.

Code Injection

An issue was discovered in Ipswitch WhatsUp Gold before 2017 Plus SP1 (17.1.1)

CVE-2018-5777 9.8 - Critical - January 24, 2018

An issue was discovered in Ipswitch WhatsUp Gold before 2017 Plus SP1 (17.1.1). Remote clients can take advantage of a misconfiguration in the TFTP server that could allow attackers to execute arbitrary commands on the TFTP server via unspecified vectors.

An issue was discovered in Ipswitch WhatsUp Gold before 2017 Plus SP1 (17.1.1)

CVE-2018-5778 9.8 - Critical - January 24, 2018

An issue was discovered in Ipswitch WhatsUp Gold before 2017 Plus SP1 (17.1.1). Multiple SQL injection vulnerabilities are present in the legacy .ASP pages, which could allow attackers to execute arbitrary SQL commands via unspecified vectors.

SQL Injection

Ipswitch WhatsUp Gold 16.4.1 WrFreeFormText.asp sUniqueID Parameter Blind SQL Injection

CVE-2016-1000000 8.8 - High - October 06, 2016

Ipswitch WhatsUp Gold 16.4.1 WrFreeFormText.asp sUniqueID Parameter Blind SQL Injection

SQL Injection

The DroneDeleteOldMeasurements implementation in Ipswitch WhatsUp Gold before 16.4 does not properly validate serialized XML objects, which

CVE-2015-8261 9.8 - Critical - January 08, 2016

The DroneDeleteOldMeasurements implementation in Ipswitch WhatsUp Gold before 16.4 does not properly validate serialized XML objects, which allows remote attackers to conduct SQL injection attacks via a crafted SOAP request.

SQL Injection

Multiple cross-site scripting (XSS) vulnerabilities in IPSwitch WhatsUp Gold before 16.4

CVE-2015-6005 6.9 - Medium - December 27, 2015

Multiple cross-site scripting (XSS) vulnerabilities in IPSwitch WhatsUp Gold before 16.4 allow remote attackers to inject arbitrary web script or HTML via (1) an SNMP OID object, (2) an SNMP trap message, (3) the View Names field, (4) the Group Names field, (5) the Flow Monitor Credentials field, (6) the Flow Monitor Threshold Name field, (7) the Task Library Name field, (8) the Task Library Description field, (9) the Policy Library Name field, (10) the Policy Library Description field, (11) the Template Library Name field, (12) the Template Library Description field, (13) the System Script Library Name field, (14) the System Script Library Description field, or (15) the CLI Settings Library Description field.

XSS

Multiple SQL injection vulnerabilities in IPSwitch WhatsUp Gold before 16.4

CVE-2015-6004 6.5 - Medium - December 27, 2015

Multiple SQL injection vulnerabilities in IPSwitch WhatsUp Gold before 16.4 allow remote attackers to execute arbitrary SQL commands via (1) the UniqueID (aka sUniqueID) parameter to WrFreeFormText.asp in the Reports component or (2) the Find Device parameter.

SQL Injection

Cross-site scripting (XSS) vulnerability in Ipswitch WhatsUp Gold 15.02

CVE-2012-4344 - August 15, 2012

Cross-site scripting (XSS) vulnerability in Ipswitch WhatsUp Gold 15.02 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving the SNMP system name of the attacking host.

XSS

SQL injection vulnerability in WrVMwareHostList.asp in Ipswitch WhatsUp Gold 15.02

CVE-2012-2601 - August 15, 2012

SQL injection vulnerability in WrVMwareHostList.asp in Ipswitch WhatsUp Gold 15.02 allows remote attackers to execute arbitrary SQL commands via the sGroupList parameter.

SQL Injection

Buffer overflow in MIBEXTRA.EXE in Ipswitch WhatsUp Gold 11

CVE-2007-2602 - May 11, 2007

Buffer overflow in MIBEXTRA.EXE in Ipswitch WhatsUp Gold 11 allows attackers to cause a denial of service (application crash) or execute arbitrary code via a long MIB filename argument. NOTE: If there is not a common scenario under which MIBEXTRA.EXE is called with attacker-controlled command line arguments, then perhaps this issue should not be included in CVE.

The HTTP daemon in Ipswitch WhatsUp Gold 8.03 and 8.03 Hotfix 1

CVE-2004-0799 - October 20, 2004

The HTTP daemon in Ipswitch WhatsUp Gold 8.03 and 8.03 Hotfix 1 allows remote attackers to cause a denial of service (server crash) via a GET request containing an MS-DOS device name, as demonstrated using "prn.htm".

Buffer overflow in the _maincfgret.cgi script for Ipswitch WhatsUp Gold before 8.03 Hotfix 1

CVE-2004-0798 - October 20, 2004

Buffer overflow in the _maincfgret.cgi script for Ipswitch WhatsUp Gold before 8.03 Hotfix 1 allows remote attackers to execute arbitrary code via a long instancename parameter.
