Skip to main content

The advisory addresses two critical and four high severity vulnerabilities

Threat ID:CC-4556
Threat Severity:Medium
Published:30 September 2024 3:37 PM

Summary

The advisory addresses two critical and four high severity vulnerabilities

Affected platforms

The following platforms are known to be affected:

Versions: All prior to 2024.0.1
Progress Software WhatsUp Gold

Threat details

Proof-of-concept code released for CVE-2024-8785

Proof-of-concept code for CVE-2024-8785 has been released. Exploitation is considered more likely.


Introduction

Progress Software has released an advisory that addresses 6 vulnerabilities in the WhatsUp Gold system, including 2 with a CVSSv3 score of 9.8. WhatsUp Gold is a network availability and performance monitoring package.

Vulnerability details have been added below. 

Threat updates

  
4 Dec 2024CVE information and proof-of-concept status added.

Remediation advice

Affected organisations are encouraged to review Progress Software's advisory WhatsUp Gold Security Bulletin– September 2024 and apply the relevant updates.

Definitive source of threat updates

CVE Vulnerabilities

StatusPublished
CVE-2024-46908In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account.
StatusPublished
CVE-2024-46907In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account.
StatusPublished
CVE-2024-46906In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated low-privileged user (at least Report Viewer permissions required) to achieve privilege escalation to the admin account.
StatusPublished
CVE-2024-46905In WhatsUp Gold versions released before 2024.0.1, a SQL Injection vulnerability allows an authenticated lower-privileged user (at least Network Manager permissions required) to achieve privilege escalation to the admin account.
StatusPublished
CVE-2024-46909In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage this vulnerability to execute code in the context of the service account.
StatusPublished
CVE-2024-8785In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage NmAPI.exe to create or change an existing registry value in registry path HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\.

Last edited: 4 December 2024 3:49 pm

Back to top