Skip to main content

Loadmaster CVE-2024-2449

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2024-03-22 security@progress.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Mar 22, 2024 - 14:15 nvd
HIGH 7.5

DescriptionNVD

A cross-site request forgery vulnerability has been identified in LoadMaster.  It is possible for a malicious actor, who has prior knowledge of the IP or hostname of a specific LoadMaster, to direct an authenticated LoadMaster administrator to a third-party site. In such a scenario, the CSRF payload hosted on the malicious site would execute HTTP transactions on behalf of the LoadMaster administrator.

AnalysisAI

A cross-site request forgery vulnerability has been identified in LoadMaster. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. A cross-site request forgery vulnerability has been identified in LoadMaster. It is possible for a malicious actor, who has prior knowledge of the IP or hostname of a specific LoadMaster, to direct an authenticated LoadMaster administrator to a third-party site. In such a scenario, the CSRF payload hosted on the malicious site would execute HTTP transactions on behalf of the LoadMaster administrator. Affected products include: Progress Loadmaster.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

CVE-2024-1212 CRITICAL POC
9.8 Feb 21

Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary s

CVE-2026-8037 CRITICAL POC
9.8 Jun 04

Unauthenticated OS command injection in the API of Progress ADC products - LoadMaster, ECS Connections Manager, Object S

CVE-2024-7591 HIGH POC
7.2 Sep 05

Improper Input Validation vulnerability in Progress LoadMaster allows OS Command Injection.This issue affects: * LoadMas

CVE-2024-8755 CRITICAL
9.8 Oct 11

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection.This

CVE-2024-2448 HIGH
8.8 Mar 22

An OS command injection vulnerability has been identified in LoadMaster. Rated high severity (CVSS 8.8), this vulnerabil

CVE-2026-4048 HIGH
8.4 Apr 20

OS command injection in Progress LoadMaster and related ADC products allows authenticated administrators with 'All' perm

CVE-2026-3519 HIGH
8.4 Apr 20

Command injection in Progress LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF allow

CVE-2026-3518 HIGH
8.4 Apr 20

OS command injection in Progress LoadMaster, MOVEit WAF, ECS Connections Manager, and Object Scale Connection Manager AP

CVE-2026-3517 HIGH
8.4 Apr 20

Command injection in Progress LoadMaster and related ADC products allows authenticated attackers with Geo Administration

CVE-2024-56135 HIGH
8.4 Feb 05

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate

CVE-2024-56131 HIGH
8.4 Feb 05

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate

CVE-2025-13447 HIGH
8.4 Jan 13

OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker

Share

CVE-2024-2449 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy