WhatsUp Gold SQL Injection Vulnerability Could Lead to Privilege Escalation
CVE-2024-46908

8.8HIGH

Key Information:

Vendor: Progress Software
Status: Whatsup Gold
Vendor: CVE Published:; 2 December 2024

Summary

A SQL Injection vulnerability in WhatsUp Gold versions released before 2024.0.1 can be exploited by authenticated low-privileged users, specifically those with Report Viewer permissions, to escalate their privileges to that of an admin account. This vulnerability poses a significant security risk, as it allows unauthorized users to potentially control sensitive functionalities and data within the WhatsUp Gold platform.

Affected Version(s)

WhatsUp Gold Windows 2023.1.0

References

https://www.progress.com/network-monitoring

https://community.progress.com/s/article/WhatsUp-Gold-Sec...

vendor-advisory

https://docs.progress.com/bundle/whatsupgold-release-note...

release-notes

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 2, 2024
Vulnerability Reserved
Sep 13, 2024

Collectors

NVD DatabaseMitre Database

Credit

Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative