CVE-2023-40051 CRITICAL

CVE-2023-40051: Progress Application Server (PAS) for OpenEdge File Upload via Directory Traversal

Vendor Progress Software Corporation
Product OpenEdge
Weakness CWE-434 · Unrestricted file upload
Published January 18, 2024
Last update June 2, 2025

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L

What the vulnerability does

01Description

This issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0. An attacker can formulate a request for a WEB transport that allows unintended file uploads to a server directory path on the system running PASOE. If the upload contains a payload that can further exploit the server or its network, the launch of a larger scale attack may be possible.

Key dates

02Disclosure timeline

January 18, 2024 CVE published
June 2, 2025 Record updated