CVE-2024-46907: 
WhatsUp Gold vulnerability analysis and mitigation

A SQL Injection vulnerability (CVE-2024-46907) was discovered in WhatsUp Gold versions prior to 2024.0.1. The vulnerability allows an authenticated low-privileged user with at least Report Viewer permissions to achieve privilege escalation to the admin account. This vulnerability was reported by security researcher Sina Kheirkhah and received a CVSS score of 8.8 (HIGH) (CERT-EU, NVD).

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). It has been assigned a CVSS v3.1 Base Score of 8.8 HIGH with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, low privileges required, no user interaction needed, and high impact on confidentiality, integrity, and availability (NVD).

The vulnerability enables privilege escalation from a low-privileged user account to administrative privileges, potentially allowing complete control over the WhatsUp Gold installation. This could lead to unauthorized access to sensitive network monitoring data and system configurations (SecurityOnline).

Progress Software has released version 24.0.1 of WhatsUp Gold to address this vulnerability. Organizations are strongly advised to upgrade to this version immediately. The fix is available through the standard update channels (Progress Advisory).

This vulnerability was disclosed as part of a larger security update addressing multiple critical vulnerabilities in WhatsUp Gold, highlighting the importance of prompt patching. The security community has emphasized the urgency of applying the updates, particularly given the high severity score and the potential for privilege escalation (SecurityOnline).