Progress WhatsUp Gold < 23.0.0 XSS

medium Nessus Plugin ID 177756

Synopsis

An application installed on the remote host is affected by a cross-site scripting vulnerability.

Description

According to its self-reported version number, the version of Progress WhatsUp Gold installed on the remote host is prior to 23.0.0. It is, therefore, affected by a cross-site scripting (XSS) vulnerability because an SNMP-related application endpoint fails to adequately sanitize malicious input. This could allow an unauthenticated, remote attacker to execute arbitrary script code in a victim's browser.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Ipswitch WhatsUp Gold version 16.5.0 or later.

See Also

http://www.nessus.org/u?ec131a94

Plugin Details

Severity: Medium

ID: 177756

File Name: progress_whatsup_gold_CVE-2023-35759.nasl

Version: 1.4

Type: local

Agent: windows

Family: Windows

Published: 6/29/2023

Updated: 5/31/2024

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2023-35759

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:progress:whatsup_gold, cpe:/a:ipswitch:whatsup_gold

Required KB Items: installed_sw/Ipswitch WhatsUp Gold

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/23/2023

Vulnerability Publication Date: 6/14/2023

Reference Information

CVE: CVE-2023-35759

IAVA: 2023-A-0322-S