Most Exploited Internet-Facing Products

MEIFP

Back to Ranking

Progress Software Corporation

Products: Telerik Report Server · WS_FTP Server · WhatsUp Gold

152.9

Score

10

CVEs

4

Active

6

PoC

4

KEV

#14

Rank

Period:

Product:

CVE ID	Published	CVSS	Exploit	KEV	AC	PR	Auto	Score(hover)	Affected Products	Description
CVE-2024-6670	2024-08-29	9.8v3.1	ACTIVE		Low	None	no	31.2	WhatsUp Gold	In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.
CVE-2024-6671	2024-08-29	9.8v3.1	POC	—	Low	None	no	0.0	WhatsUp Gold	In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.
CVE-2024-4883	2024-06-25	9.8v3.1	POC	—	Low	None	YES	0.0	WhatsUp Gold	In WhatsUp Gold versions released before 2023.1.3, a Remote Code Execution issue exists in Progress WhatsUp Gold. This vulnerability allows an unauthenticated attacker to achieve the RCE as a service account through NmApi.exe.
CVE-2024-4885	2024-06-25	9.8v3.1	ACTIVE		Low	None	YES	40.6	WhatsUp Gold	In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability in Progress WhatsUpGold. The WhatsUp.ExportUtilities.Export.GetFileWithoutZip allows execution of commands with iisapppool\nmconsole privileges.
CVE-2024-5010	2024-06-25	7.5v3.1	POC	—	Low	None	YES	0.0	WhatsUp Gold	In WhatsUp Gold versions released before 2023.1.3, a vulnerability exists in the TestController functionality. A specially crafted unauthenticated HTTP request can lead to a disclosure of sensitive information.
CVE-2024-5011	2024-06-25	7.5v3.1	POC	—	Low	None	YES	0.0	WhatsUp Gold	In WhatsUp Gold versions released before 2023.1.3, an uncontrolled resource consumption vulnerability exists. A specially crafted unauthenticated HTTP request to the TestController Chart functionality can lead to denial of service.
CVE-2024-5017	2024-06-25	6.5v3.1	POC	—	Low	Low	no	0.0	WhatsUp Gold	In WhatsUp Gold versions released before 2023.1.3, a path traversal vulnerability exists. A specially crafted unauthenticated HTTP request to AppProfileImport can lead can lead to information disclosure.
CVE-2024-4358	2024-05-29	9.8v3.1	ACTIVE		Low	None	YES	40.6	Telerik Report Server	In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
CVE-2024-1800	2024-03-20	9.9v3.1	POC	—	Low	Low	no	0.0	Telerik Report Server	In Progress® Telerik® Report Server versions prior to 2024 Q1 (10.0.24.130), a remote code execution attack is possible through an insecure deserialization vulnerability.
CVE-2023-40044	2023-09-27	10.0v3.1	ACTIVE		Low	None	YES	40.6	WS_FTP Server	In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.

Each CVE: 10 pts base (Active only), boosted by:

KEV×2.0AC: Low×1.2PR: None×1.3PR: Low×1.1Auto×1.3