Progress Software 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
公開された問題は vendor risk ssrf、vendor risk csrf, and バッファオーバーフロー に関連することが多く、vendor surface software deployment and vendor surface production workloads の文脈で アプリケーションクラッシュ and vendor impact memory corruption などの暴露リスクを伴う場合があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2024-7295 | In Progress® Telerik® Report Server versions prior to 2024 Q4 (10.3.24.1112), the encryption of local asset data used an older algorithm which may allow a sophisticated actor to decrypt this information. | [email protected] | 7.1 | 0.11% | 2024-11-13 | 2026-06-17 |
| CVE-2024-10013 | In Progress Telerik UI for WinForms versions prior to 2024 Q4 (2024.4.1113), a code execution attack is possible through an insecure deserialization vulnerability. | [email protected] | 7.8 | 0.22% | 2024-11-13 | 2026-06-17 |
| CVE-2024-7763 | In WhatsUp Gold versions released before 2024.0.0, an Authentication Bypass issue exists which allows an attacker to obtain encrypted user credentials. | [email protected] | 9.8 | 0.62% | 2024-10-24 | 2026-06-17 |
| CVE-2024-8755 | Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection.This issue affects: Product Affected Versions LoadMaster From 7.2.55.0 to 7.2.60.1 (inclusive) From 7.2.49.0 to 7.2.54.12 (inclusive) 7.2.48.12 and all prior versions Multi-Tenant Hypervisor 7.1.35.12 and all prior versions ECS All prior versions to 7.2.60.1 (inclusive) | [email protected] | 8.4 | 1.14% | 2024-10-11 | 2026-06-17 |
| CVE-2024-8048 | In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible using object injection via insecure expression evaluation. | [email protected] | 7.8 | 0.22% | 2024-10-09 | 2026-06-17 |
| CVE-2024-8015 | In Progress Telerik Report Server versions prior to 2024 Q3 (10.2.24.924), a remote code execution attack is possible through object injection via an insecure type resolution vulnerability. | [email protected] | 9.1 | 0.82% | 2024-10-09 | 2026-06-17 |
| CVE-2024-8014 | In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible through object injection via an insecure type resolution vulnerability. | [email protected] | 8.8 | 0.60% | 2024-10-09 | 2026-06-17 |
| CVE-2024-7840 | In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a command injection attack is possible through improper neutralization of hyperlink elements. | [email protected] | 7.8 | 0.66% | 2024-10-09 | 2026-06-17 |
| CVE-2024-7294 | In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), an HTTP DoS attack is possible on anonymous endpoints without rate limiting. | [email protected] | 7.5 | 0.30% | 2024-10-09 | 2026-06-17 |
| CVE-2024-7293 | In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a password brute forcing attack is possible through weak password requirements. | [email protected] | 7.5 | 0.31% | 2024-10-09 | 2026-06-17 |
| CVE-2024-7292 | In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a credential stuffing attack is possible through improper restriction of excessive login attempts. | [email protected] | 7.5 | 0.32% | 2024-10-09 | 2026-06-17 |
| CVE-2024-6658 | Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows OS Command Injection.This issue affects: Product Affected Versions LoadMaster From 7.2.55.0 to 7.2.60.0 (inclusive) From 7.2.49.0 to 7.2.54.11 (inclusive) 7.2.48.12 and all prior versions Multi-Tenant Hypervisor 7.1.35.11 and all prior versions ECS All prior versions to 7.2.60.0 (inclusive) | [email protected] | 8.4 | 0.55% | 2024-09-12 | 2026-06-17 |
| CVE-2024-7654 | An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated. Unauthorized access to the discovery service's UDP port allowed content injection into parts of the OEM web interface making it possible for other types of attack that could spoof or deceive web interface users. Unauthorized use of the OEE/OEM discovery service was remediated by deactivating the discovery service by default. | [email protected] | 8.3 | 0.28% | 2024-09-03 | 2026-06-17 |
| CVE-2024-7346 | Host name validation for TLS certificates is bypassed when the installed OpenEdge default certificates are used to perform the TLS handshake for a networked connection. This has been corrected so that default certificates are no longer capable of overriding host name validation and will need to be replaced where full TLS certificate validation is needed for network security. The existing certificates should be replaced with CA-signed certificates from a recognized certificate authority that co | [email protected] | 7.2 | 0.16% | 2024-09-03 | 2026-06-17 |
| CVE-2024-7345 | Local ABL Client bypass of the required PASOE security checks may allow an attacker to commit unauthorized code injection into Multi-Session Agents on supported OpenEdge LTS platforms up to OpenEdge LTS 11.7.18 and LTS 12.2.13 on all supported release platforms | [email protected] | 8.3 | 0.59% | 2024-09-03 | 2026-06-17 |
| CVE-2024-6672 | In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an authenticated low-privileged attacker to achieve privilege escalation by modifying a privileged user's password. | [email protected] | 8.8 | 0.71% | 2024-08-29 | 2026-06-17 |
| CVE-2024-6671 | In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password. | [email protected] | 9.8 | 14.89% | 2024-08-29 | 2026-06-17 |
| CVE-2024-6670 KEV | In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password. | [email protected] | 9.8 | 94.66% | 2024-08-29 | 2026-06-17 |
| CVE-2024-7745 | In WS_FTP Server versions before 8.8.8 (2022.0.8), a Missing Critical Step in Multi-Factor Authentication of the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only. | [email protected] | 6.5 | 0.36% | 2024-08-28 | 2026-06-17 |
| CVE-2024-7744 | In WS_FTP Server versions before 8.8.8 (2022.0.8), an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Web Transfer Module allows File Discovery, Probe System Files, User-Controlled Filename, Path Traversal. An authenticated file download flaw has been identified where a user can craft an API call that allows them to download a file from an arbitrary folder on the drive where that user host's root folder is located (by default this is C:) | [email protected] | 6.5 | 0.69% | 2024-08-28 | 2026-06-17 |