CVE-2024-46908
Vulnerability from cvelistv5
Published
2024-12-02 14:40
Modified
2024-12-02 15:30
Severity ?
EPSS score ?
Summary
In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required)
to achieve privilege escalation to the admin account.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Progress Software Corporation | WhatsUp Gold |
Version: 2023.1.0 ≤ |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:progress:whatsup_gold:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "whatsup_gold", "vendor": "progress", "versions": [ { "lessThan": "2024.0.1", "status": "affected", "version": "2023.1.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-46908", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-12-02T15:21:45.398276Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-12-02T15:30:19.516Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "affected", "modules": [ "API Endpoint" ], "platforms": [ "Windows" ], "product": "WhatsUp Gold", "vendor": "Progress Software Corporation", "versions": [ { "lessThan": "2024.0.1", "status": "affected", "version": "2023.1.0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required)\n\n to achieve privilege escalation to the admin account." } ], "value": "In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required)\n\n to achieve privilege escalation to the admin account." } ], "impacts": [ { "capecId": "CAPEC-233", "descriptions": [ { "lang": "en", "value": "CAPEC-233 Privilege Escalation" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-02T14:40:08.735Z", "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware" }, "references": [ { "url": "https://www.progress.com/network-monitoring" }, { "tags": [ "vendor-advisory" ], "url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024" }, { "tags": [ "release-notes" ], "url": "https://docs.progress.com/bundle/whatsupgold-release-notes-24-0/page/WhatsUp-Gold-2024.0-Release-Notes.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "WhatsUp Gold GetFilterCriteria SQL Injection Privilege Escalation Vulnerability", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "assignerShortName": "ProgressSoftware", "cveId": "CVE-2024-46908", "datePublished": "2024-12-02T14:40:08.735Z", "dateReserved": "2024-09-13T14:50:06.819Z", "dateUpdated": "2024-12-02T15:30:19.516Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "fkie_nvd": { "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:progress:whatsup_gold:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"24.0.1\", \"matchCriteriaId\": \"07BDB617-53DC-4C9B-BE7B-79A393F1A9C2\"}]}]}]", "descriptions": "[{\"lang\": \"en\", \"value\": \"In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required)\\n\\n to achieve privilege escalation to the admin account.\"}, {\"lang\": \"es\", \"value\": \"En las versiones de WhatsUp Gold publicadas antes de 2024.0.1, una vulnerabilidad de inyecci\\u00f3n SQL permite que un usuario autenticado con pocos privilegios (al menos los permisos de Visor de informes requeridos) logre una escalada de privilegios a la cuenta de administrador.\"}]", "id": "CVE-2024-46908", "lastModified": "2024-12-10T18:23:09.100", "metrics": "{\"cvssMetricV31\": [{\"source\": \"security@progress.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}]}", "published": "2024-12-02T15:15:11.967", "references": "[{\"url\": \"https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024\", \"source\": \"security@progress.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://docs.progress.com/bundle/whatsupgold-release-notes-24-0/page/WhatsUp-Gold-2024.0-Release-Notes.html\", \"source\": \"security@progress.com\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://www.progress.com/network-monitoring\", \"source\": \"security@progress.com\", \"tags\": [\"Product\"]}]", "sourceIdentifier": "security@progress.com", "vulnStatus": "Analyzed", "weaknesses": "[{\"source\": \"security@progress.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-89\"}]}]" }, "nvd": "{\"cve\":{\"id\":\"CVE-2024-46908\",\"sourceIdentifier\":\"security@progress.com\",\"published\":\"2024-12-02T15:15:11.967\",\"lastModified\":\"2024-12-10T18:23:09.100\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required)\\n\\n to achieve privilege escalation to the admin account.\"},{\"lang\":\"es\",\"value\":\"En las versiones de WhatsUp Gold publicadas antes de 2024.0.1, una vulnerabilidad de inyecci\u00f3n SQL permite que un usuario autenticado con pocos privilegios (al menos los permisos de Visor de informes requeridos) logre una escalada de privilegios a la cuenta de administrador.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@progress.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@progress.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:progress:whatsup_gold:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"24.0.1\",\"matchCriteriaId\":\"07BDB617-53DC-4C9B-BE7B-79A393F1A9C2\"}]}]}],\"references\":[{\"url\":\"https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024\",\"source\":\"security@progress.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://docs.progress.com/bundle/whatsupgold-release-notes-24-0/page/WhatsUp-Gold-2024.0-Release-Notes.html\",\"source\":\"security@progress.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://www.progress.com/network-monitoring\",\"source\":\"security@progress.com\",\"tags\":[\"Product\"]}]}}" } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.