Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Progress Subscribe
Total 60 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-17054 1 Progress 1 Sitefinity Cms 2018-11-15 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in Identity Server in Progress Sitefinity CMS versions 10.0 through 11.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to login request parameters, a different vulnerability than CVE-2018-17053.
CVE-2018-17056 1 Progress 1 Sitefinity Cms 2018-11-15 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in ServiceStack in Progress Sitefinity CMS versions 10.2 through 11.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2007-3491 1 Progress 1 Openedge 2018-10-16 7.5 HIGH N/A
Buffer overflow in _mprosrv in Progress Software OpenEdge before 9.1E0422, and 10.x before 10.1B01, allows remote attackers to have an unknown impact via a malformed TCP/IP message.
CVE-2007-2506 1 Progress 2 Progress, Webspeed 2018-10-16 7.8 HIGH N/A
WebSpeed 3.x in OpenEdge 10.x in Progress Software Progress 9.1e, and certain other 9.x versions, allows remote attackers to cause a denial of service (infinite loop and daemon hang) via a messenger URL that invokes _edit.r with no additional parameters, as demonstrated by requests for cgiip.exe or wsisa.dll with WService=wsbroker1/_edit.r in the PATH_INFO.
CVE-2007-2354 1 Progress 1 Webspeed Messenger 2018-10-16 7.8 HIGH N/A
Progress Webspeed Messenger allows remote attackers to obtain sensitive information via a WService parameter containing "wsbroker1/webutil/about.r", which reveals the operating system and product information.
CVE-2007-2266 1 Progress 1 Webspeed Messenger 2018-10-16 10.0 HIGH N/A
Progress Webspeed Messenger allows remote attackers to read, create, modify, and execute arbitrary files by invoking webutil/_cpyfile.p in the WService parameter to (1) cgiip.exe or (2) wsisa.dll in scripts/, as demonstrated by using the save,editor options to create a new file using the fileName parameter.
CVE-2017-18179 1 Progress 1 Sitefinity 2018-03-05 6.5 MEDIUM 8.8 HIGH
Progress Sitefinity 9.1 uses wrap_access_token as a non-expiring authentication token that remains valid after a password change or a session termination. Also, it is transmitted as a GET parameter. This is fixed in 10.1.
CVE-2017-18178 1 Progress 1 Sitefinity 2018-03-05 5.8 MEDIUM 6.1 MEDIUM
Authenticate/SWT in Progress Sitefinity 9.1 has an open redirect issue in which an authentication token is sent to the redirection target, if the target is specified using a certain %40 syntax. This is fixed in 10.1.
CVE-2017-18175 1 Progress 1 Sitefinity 2018-03-05 3.5 LOW 5.4 MEDIUM
Progress Sitefinity 9.1 has XSS via the Content Management Template Configuration (aka Templateconfiguration), as demonstrated by the src attribute of an IMG element. This is fixed in 10.1.
CVE-2017-18177 1 Progress 1 Sitefinity 2018-03-05 3.5 LOW 5.4 MEDIUM
Progress Sitefinity 9.1 has XSS via the Last name, First name, and About fields on the New User Creation Page. This is fixed in 10.1.
CVE-2017-18176 1 Progress 1 Sitefinity 2018-03-05 3.5 LOW 5.4 MEDIUM
Progress Sitefinity 9.1 has XSS via file upload, because JavaScript code in an HTML file has the same origin as the application's own code. This is fixed in 10.1.
CVE-2017-15883 1 Progress 1 Sitefinity 2018-02-01 7.5 HIGH 9.8 CRITICAL
Sitefinity 5.1, 5.2, 5.3, 5.4, 6.x, 7.x, 8.x, 9.x, and 10.x allow remote attackers to bypass authentication and consequently cause a denial of service on load balanced sites or gain privileges via vectors related to weak cryptography.
CVE-2001-1127 1 Progress 1 Progress 2017-12-18 7.2 HIGH N/A
Buffer overflow in Progress database 8.3D and 9.1C could allow a local user to execute arbitrary code via (1) _proapsv, (2) _mprosrv, (3) _mprshut, (4) orarx, (5) sqlcpp, (6) _probrkr, (7) _sqlschema and (8) _sqldump.
CVE-2001-1129 1 Progress 1 Progress 2017-12-18 7.2 HIGH N/A
Format string vulnerabilities in (1) _probuild, (2) _dbutil, (3) _mprosrv, (4) _mprshut, (5) _proapsv, (6) _progres, (7) _proutil, (8) _rfutil and (9) prolib in Progress database 9.1C allows a local user to execute arbitrary code via format string specifiers in the file used by the PROMSGS environment variable.
CVE-2001-1128 1 Progress 1 Progress 2017-12-18 7.2 HIGH N/A
Buffer overflow in Progress database 8.3D and 9.1C allows local users to execute arbitrary code via long entries in files that are specified by the (1) PROMSGS or (2) PROTERMCAP environment variables.
CVE-2015-9245 1 Progress 1 Openedge 2017-11-22 7.5 HIGH 9.8 CRITICAL
Insecure default configuration in Progress Software OpenEdge 10.2x and 11.x allows unauthenticated remote attackers to specify arbitrary URLs from which to load and execute malicious Java classes via port 20931.
CVE-2003-0485 1 Progress 1 4gl Compiler 2016-10-17 4.6 MEDIUM N/A
Buffer overflow in Progress 4GL Compiler 9.1D06 and earlier allows attackers to execute arbitrary code via source code containing a long, invalid data type.
CVE-2003-0449 1 Progress 1 Database 2016-10-17 4.6 MEDIUM N/A
Progress Database 9.1 to 9.1D06 trusts user input to find and load libraries using dlopen, which allows local users to gain privileges via (1) a PATH environment variable that points to malicious libraries, as demonstrated using libjutil.so in_proapsv, or (2) the -installdir command line parameter, as demonstrated using librocket_r.so in _dbagent.
CVE-2014-8555 1 Progress 1 Openedge 2015-10-05 5.0 MEDIUM N/A
Directory traversal vulnerability in report/reportViewAction.jsp in Progress Software OpenEdge 11.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the selection parameter.
CVE-2000-0127 1 Progress 1 Webspeed 2008-09-10 7.5 HIGH N/A
The Webspeed configuration program does not properly disable access to the WSMadmin utility, which allows remote attackers to gain privileges via wsisa.dll.