Category Archives: Advisories

ZDI-24-887: Progress Software WhatsUp Gold GetASPReport Server-Side Request Forgery Information Disclosure Vulnerability

July 3, 2024

Read Time:13 Second

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Progress Software WhatsUp Gold. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.1. The following CVEs are assigned: CVE-2024-5014.

Advisories

ZDI-24-886: Progress Software WhatsUp Gold SetAdminPassword Improper Access Control Privilege Escalation Vulnerability

July 3, 2024

Read Time:20 Second

This vulnerability allows local attackers to escalate privileges on affected installations of Progress Software WhatsUp Gold. An attacker must first obtain the ability to execute low-privileged code on the target system or send an HTTP request from a local machine in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.4. The following CVEs are assigned: CVE-2024-5009.

Advisories

ZDI-24-885: Progress Software WhatsUp Gold LoadUsingBasePath Directory Traversal Information Disclosure Vulnerability

July 3, 2024

Read Time:13 Second

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Progress Software WhatsUp Gold. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 5.3. The following CVEs are assigned: CVE-2024-5018.

Advisories

ZDI-24-884: Progress Software WhatsUp Gold LoadCSSUsingBasePath Directory Traversal Information Disclosure Vulnerability

July 3, 2024

Read Time:13 Second

Advisories

ZDI-24-896: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability

July 3, 2024

Read Time:12 Second

This vulnerability allows remote attackers to bypass authentication on affected installations of Parse Server. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.8. The following CVEs are assigned: CVE-2024-39309.

Advisories

DSA-5725-1 znc – security update

July 3, 2024

Read Time:12 Second

Johannes Kuhn discovered that messages and channel names are not
properly escaped in the modtcl module in ZNC, a IRC bouncer, which could
result in remote code execution via specially crafted messages.

https://security-tracker.debian.org/tracker/DSA-5725-1

Advisories

USN-6860-1: OpenVPN vulnerabilities

July 2, 2024

Read Time:26 Second

Reynir Björnsson discovered that OpenVPN incorrectly handled terminating
client connections. A remote authenticated client could possibly use this
issue to keep the connection active, bypassing certain security policies.
This issue only affected Ubuntu 23.10, and Ubuntu 24.04 LTS.
(CVE-2024-28882)

Reynir Björnsson discovered that OpenVPN incorrectly handled certain
control channel messages with nonprintable characters. A remote attacker
could possibly use this issue to cause OpenVPN to consume resources, or
fill up log files with garbage, leading to a denial of service.
(CVE-2024-5594)

Advisories