CVE-2024-7654
HIGHProgress OpenEdge < 11.7.19 and 12.2-12.2.14 - Unauthenticated Content Injection via ActiveMQ Discovery Service
Title source: llmDescription
An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated. Unauthorized access to the discovery service's UDP port allowed content injection into parts of the OEM web interface making it possible for other types of attack that could spoof or deceive web interface users. Unauthorized use of the OEE/OEM discovery service was remediated by deactivating the discovery service by default.
References (1)
Core 1
Core References
Mitigation, Vendor Advisory vendor-advisory
https://community.progress.com/s/article/Unauthenticated-Content-Injection-in-OpenEdge-Management-web-interface-via-ActiveMQ-discovery-service
Scores
CVSS v3
8.3
EPSS
0.0014
EPSS Percentile
33.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-79
Status
published
Products (2)
progress/openedge
< 11.7.19
progress/openedge
12.2 - 12.2.14
Published
Sep 03, 2024
Tracked Since
Feb 18, 2026