CVE-2023-34203

HIGH

Progress OpenEdge < 11.7.16, 12.x < 12.2.12, 12.3.x-12.6.x < 12.7 - Authenticated URL Injection in OEM and OEE

Title source: llm

Description

In Progress OpenEdge OEM (OpenEdge Management) and OEE (OpenEdge Explorer) before 12.7, a remote user (who has any OEM or OEE role) could perform a URL injection attack to change identity or role membership, e.g., escalate to admin. This affects OpenEdge LTS before 11.7.16, 12.x before 12.2.12, and 12.3.x through 12.6.x before 12.7.

References (1)

Core 1

Core References

Product

https://www.progress.com/openedge

Scores

CVSS v3 8.8

EPSS 0.0101

EPSS Percentile 77.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-74

Status published

Products (3)

progress/openedge < 11.7.16

progress/openedge_explorer < 12.7

progress/openedge_management < 12.7

Published Jun 23, 2023

Tracked Since Feb 18, 2026