CVE-2023-6364

7.6 HIGH

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in WhatsUp Gold allows attackers to inject malicious JavaScript into dashboard components. When users interact with these components, the injected script executes in the victim's browser. This affects all WhatsUp Gold installations running versions before 2023.1.

💻 Affected Systems

Products:
  • WhatsUp Gold
Versions: All versions before 2023.1
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in dashboard components where user input is not properly sanitized.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker gains full control of the victim's WhatsUp Gold session, potentially leading to credential theft, data exfiltration, or lateral movement within the network.

🟠 Likely Case

Session hijacking, cookie theft, or unauthorized actions performed within the victim's WhatsUp Gold account.

🟢 If Mitigated

Limited impact, because proper input validation and output encoding prevent the payload from executing.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to create/modify dashboard components.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2023.1 or later

Vendor Advisory: https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-December-2023

Restart Required: Yes

Instructions:

1. Download WhatsUp Gold 2023.1 or later from the Progress website.
2. Back up the current installation.
3. Run the installer to upgrade.
4. Restart the WhatsUp Gold services.

🔧 Temporary Workarounds

Input Validation Enhancement (applies to: all)

Implement additional input validation for dashboard component fields, and encode those values for HTML when the dashboard renders them.

🧯 If You Can't Patch

  • Restrict dashboard creation/modification permissions to trusted administrators only
  • Implement web application firewall (WAF) rules to block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check WhatsUp Gold version in Administration > About. If version is below 2023.1, system is vulnerable.

Check Version:

Check via WhatsUp Gold web interface: Administration > About

Verify Fix Applied:

Verify version is 2023.1 or later and test dashboard components for XSS payload execution.

📡 Detection & Monitoring

Log Indicators:

  • Unusual dashboard modifications
  • JavaScript payloads in user input fields

Network Indicators:

  • Suspicious JavaScript execution in browser sessions

SIEM Query:

source="whatsup_gold" AND (event="dashboard_modified" OR message="*script*" OR message="*javascript*")
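The SIEM query above, implemented as an added example (not code from the page or from Progress) that runs the same logic over constructed key=value log lines; the field names source, event, message and user are assumed from the query, not taken from real WhatsUp Gold logs.

```python
import fnmatch
import shlex

# Constructed sample log lines in key=value form (not real WhatsUp Gold output).
SAMPLE_LOGS = [
    'source=whatsup_gold event=dashboard_modified user=admin message="widget title updated"',
    'source=whatsup_gold event=login user=bob message="login ok"',
    'source=whatsup_gold event=widget_saved user=eve message="<script>alert(1)</script>"',
    'source=other_app event=dashboard_modified user=x message="n/a"',
    'source=whatsup_gold event=widget_saved user=carol message="Description: JavaScript disabled"',
]


def parse_kv(line):
    """Parse a space-separated key=value line; shlex keeps quoted values whole."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def glob_match(value, pattern):
    """Case-insensitive wildcard match, the way SIEM '*' patterns usually behave."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def matches_query(fields):
    """Equivalent of: source="whatsup_gold" AND (event="dashboard_modified"
    OR message="*script*" OR message="*javascript*")"""
    if fields.get("source") != "whatsup_gold":
        return False
    msg = fields.get("message", "")
    return (fields.get("event") == "dashboard_modified"
            or glob_match(msg, "*script*")
            or glob_match(msg, "*javascript*"))


def run_query(lines):
    """Return the user field of every log line the query would surface."""
    return [parse_kv(l).get("user") for l in lines if matches_query(parse_kv(l))]


if __name__ == "__main__":
    print(run_query(SAMPLE_LOGS))  # ['admin', 'eve', 'carol']
```

The last sample line shows that the query also flags benign text containing "script" (and the `*javascript*` clause adds nothing beyond `*script*`), so tune the pattern or add an allowlist before wiring it to an alert.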
