Progress Software Corporation WhatsUp Gold AppProfileImport path traversal vulnerability
Description

Talos Vulnerability Report TALOS-2024-1932
Progress Software Corporation WhatsUp Gold AppProfileImport path traversal vulnerability
June 26, 2024

CVE Number
CVE-2024-5017

SUMMARY
A path traversal vulnerability exists in the AppProfileImport functionality of Progress Software Corporation WhatsUp Gold 23.1.0 Build 1697. A specially crafted HTTP request can lead to information disclosure. An attacker can make an authenticated HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Progress Software Corporation WhatsUp Gold 23.1.0 Build 1697

PRODUCT URLS
WhatsUp Gold – https://www.whatsupgold.com/

CVSSv3 SCORE
6.5 – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE
CWE-22 – Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

DETAILS
WhatsUp Gold is a network monitoring and management software developed by Progress. WhatsUp Gold is designed to provide visibility into IT infrastructure, allowing organizations to monitor the performance and health of networks, devices, servers, applications, and other critical components. It offers features such as network mapping, performance monitoring, alerting, and reporting to help IT professionals ensure the optimal functioning of their network infrastructure.

An authenticated user can upload a new Application profile definition file (xml) for monitoring triggering the following…
