CVE-2024-7654— Unauthenticated Content Injection in OpenEdge Management web interface via ActiveMQ discovery service
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-7654
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Unauthenticated Content Injection in OpenEdge Management web interface via ActiveMQ discovery service
Source: NVD (National Vulnerability Database)
Vulnerability Description
An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated. Unauthorized access to the discovery service's UDP port allowed content injection into parts of the OEM web interface making it possible for other types of attack that could spoof or deceive web interface users. Unauthorized use of the OEE/OEM discovery service was remediated by deactivating the discovery service by default.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Progress Software OpenEdge 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Progress Software OpenEdge是美国Progress Software公司的一套集成开发环境(IDE)。 Progress Software OpenEdge存在安全漏洞,该漏洞源于默认情况下允许从OpenEdge Management安装访问ActiveMQ Discovery服务。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2024-7654
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-7654
请登录查看更多情报信息。
Same Patch Batch · Progress · 2024-09-03 · 3 CVEs total
| CVE-2024-7345 | 8.3 HIGH | Direct local client connections to MS Agents can bypass authentication |
| CVE-2024-7346 | 7.2 HIGH | Client connections using default TLS certificates from OpenEdge may bypass TLS host name v |
IV. Related Vulnerabilities
Same product: OpenEdge
- CVE-2025-8095
Recoverable obfuscation using the OECH1 prefix encoding in O - CVE-2025-7389
Unauthorized Arbitrary File Read via RMI in AdminServer Inte - CVE-2025-7388
Authenticated Command Injection via configuration parameter - CVE-2024-7346
Client connections using default TLS certificates from OpenE - CVE-2024-7345
Direct local client connections to MS Agents can bypass auth
Same vendor: Progress
- CVE-2026-2701
RCE vulnerability in Progress ShareFile Storage Zones Contro - CVE-2026-2699
EAR vulnerability in Progress ShareFile Storage Zones Contro - CVE-2025-11235
MOVEit Transfer REST API does not require current password i - CVE-2025-13147
External Service Interaction (DNS) - CVE-2025-10703
Progress多款产品 代码注入漏洞
Same weakness: CWE-79
- CVE-2026-8262
Devs Palace ERP Online chart-save cross site scripting - CVE-2026-8256
Devs Palace ERP Online mr-save cross site scripting - CVE-2026-8255
Devs Palace ERP Online add_new_customer cross site scripting - CVE-2026-8254
Devs Palace ERP Online sales_save cross site scripting - CVE-2026-8253
Devs Palace ERP Online purchase_save cross site scripting
V. Comments for CVE-2024-7654
No comments yet