CVE-2024-7654: 
Progress OpenEdge vulnerability analysis and mitigation

An ActiveMQ Discovery service vulnerability (CVE-2024-7654) was identified in OpenEdge Management installations when the OEE/OEM auto-discovery feature was activated. The vulnerability was discovered and disclosed in September 2024, affecting Progress OpenEdge versions up to 11.7.19 and LTS versions 12.2 through 12.2.14, as well as versions 12.8 up to 12.8.3 (NVD).

The vulnerability allows unauthorized access to the discovery service's UDP port, enabling content injection into parts of the OEM web interface. The issue is classified as CWE-79 (Cross-site Scripting) with a CVSS v3.1 base score of 6.1 (MEDIUM) according to NIST's assessment, while Progress Software Corporation rated it higher at 8.3 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H (NVD).

The vulnerability could enable attackers to spoof or deceive web interface users through content injection attacks. This could potentially lead to unauthorized manipulation of the OEM web interface and compromise the security of the system (NVD).

The vulnerability has been remediated by deactivating the discovery service by default. Users are advised to update to the latest version of the software that includes this security fix (Progress Community).