CVE-2024-6670

WhatsUp Gold HasErrors SQL Injection Authentication Bypass Vulnerability

CVSS 9.8 CRITICAL | EPSS 94.7% | KEV | CWE-89

In short

An unauthenticated attacker can exploit a SQL Injection flaw in WhatsUp Gold to steal encrypted user passwords without needing to log in first. This bypasses authentication entirely and compromises account security.

Technical detail

A SQL Injection vulnerability (CWE-89) in WhatsUp Gold versions prior to 2024.0.0 allows unauthenticated remote attackers to inject malicious SQL queries and extract users' encrypted passwords. No prior authentication is required, so the injection gives direct database access and leads to credential compromise.

Summary generated and translated by AI from the official description.
In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
