CVE-2024-6672: 
WhatsUp Gold vulnerability analysis and mitigation

A SQL Injection vulnerability (CVE-2024-6672) was discovered in Progress Software's WhatsUp Gold versions prior to 2024.0.0. The vulnerability allows authenticated low-privileged attackers to achieve privilege escalation by modifying privileged users' passwords. The issue was disclosed on August 29, 2024, and received a CVSS v3.1 base score of 8.8 (High) (NVD, ZDI).

The vulnerability exists within the implementation of the getMonitorJoin method. The specific flaw stems from inadequate validation of user-supplied strings before their use in SQL query construction. The vulnerability has been assigned CWE-89 (SQL Injection) and received a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact across confidentiality, integrity, and availability (ZDI).

The vulnerability enables remote attackers to escalate privileges on affected installations of WhatsUp Gold. Although authentication is required, the existing authentication mechanism can be bypassed, allowing attackers to elevate their privileges to access resources typically protected from the user (ZDI).

Progress Software has released version 2024.0.0 of WhatsUp Gold to address this vulnerability. Users are advised to upgrade to this version or later to mitigate the risk (Progress Advisory).