CVE-2024-46907

In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024	Vendor Advisory
https://docs.progress.com/bundle/whatsupgold-release-notes-24-0/page/WhatsUp-Gold-2024.0-Release-Notes.html	Release Notes
https://www.progress.com/network-monitoring	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:progress:whatsup_gold:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-12-02 15:15

Updated : 2024-12-10 18:23

NVD link : CVE-2024-46907

Mitre link : CVE-2024-46907

CVE.ORG link : CVE-2024-46907

JSON object : View

Products Affected

progress

whatsup_gold

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2024-46907", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-12-02T15:15:11.793", "references": [{"url": "https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://docs.progress.com/bundle/whatsupgold-release-notes-24-0/page/WhatsUp-Gold-2024.0-Release-Notes.html", "tags": ["Release Notes"], "source": "[email protected]"}, {"url": "https://www.progress.com/network-monitoring", "tags": ["Product"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account."}, {"lang": "es", "value": "En las versiones de WhatsUp Gold publicadas antes de 2024.0.1, una vulnerabilidad de inyecci\u00f3n SQL permite que un usuario autenticado con pocos privilegios (al menos los permisos de Visor de informes requeridos) logre una escalada de privilegios a la cuenta de administrador."}], "lastModified": "2024-12-10T18:23:41.573", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:progress:whatsup_gold:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07BDB617-53DC-4C9B-BE7B-79A393F1A9C2", "versionEndExcluding": "24.0.1"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}