Web Application Detections Published in December 2024

Hitesh Kadu

In December, Qualys released QIDs targeting vulnerabilities in several widely used software products, including Adobe ColdFusion, Adobe Connect, Apache Airflow, Apache HertzBeat, Apache HugeGraph, Apache Kylin, Apache Nifi, Apache Ozone, Apache Struts, Apache Superset, Apache Tomcat, Atlassian Confluence, BoidCMS, Cambium Networks cnMaestro, ChurchCRM, Cleo, ClipBucket V5, Drupal, GitLab, Ivanti CSA, Ivanti ICS, Ivanti IPS, JetBrains YouTrack, Liferay, Metabase, Mitel MiCollab, Moodle, OpenSSL, OpenWebUI, Pandora FMS, PHP, ProjectSend, SolarWinds Web Help Desk, Splunk Secure Gateway, SuiteCRM, Traefik, Trellix Enterprise Security Manager, Veeam Service Provider Console, Webmin, Winter CMS, WordPress, XWiki, and ZenML. The QIDs released to detect vulnerabilities in the products above are listed below; details about each QID can be found in our knowledge base. Please review the scan reports of your applications for these detections and, if any are identified, follow the remediation steps provided in the knowledge base to ensure the applications are protected against the reported vulnerabilities.

QID     Title
152462  ProjectSend Improper Authorization Vulnerability (CVE-2024-11680)
152463  WordPress Total Upkeep Plugin: Remote Code Execution Vulnerability (CVE-2024-9461)
152464  WordPress Widget and Block Control Plugin: Remote Code Execution Vulnerability (CVE-2024-8672)
152465  Traefik Open Redirect Vulnerability (CVE-2024-52003)
152466  Apache Kylin Session Fixation Vulnerability (CVE-2024-23590)
152467  Atlassian Confluence Data Center and Server Security Misconfiguration Vulnerability (CVE-2024-21703)
152468  Apache Nifi Cross-site Scripting Vulnerability (CVE-2024-45477)
152469  WordPress My Geo Posts Free Plugin: PHP Object Injection Vulnerability (CVE-2024-52433)
152470  WordPress AJAX Random Posts Plugin: PHP Object Injection Vulnerability (CVE-2024-52409)
152471  Metabase Remote Code Execution (RCE) Vulnerability (CVE-2023-38646)
152472  WordPress B-Banner Slider Plugin: Arbitrary File Upload Vulnerability (CVE-2024-52405)
152473  GitLab CE/EE Privilege Escalation Vulnerability (CVE-2024-8114)
152474  GitLab CE/EE Denial of Service Vulnerability (CVE-2024-11828)
152475  WordPress Popup by Supsystic Plugin: Code Injection Vulnerability (CVE-2024-52434)
152476  Trellix Enterprise Security Manager Path Traversal Vulnerability (CVE-2024-11481)
152477  Trellix Enterprise Security Manager Command Injection Vulnerability (CVE-2024-11482)
152478  WordPress BasePress Migration Tools Plugin: Arbitrary File Upload Vulnerability (CVE-2024-52407)
152479  SuiteCRM SQL Injection Vulnerability (CVE-2024-36412)
152480  Apache Kylin Console – Default Login
152481  Pandora FMS Remote Code Execution (RCE) Vulnerability (CVE-2024-11320)
152482  Veeam Service Provider Console Remote Code Execution (RCE) Vulnerability (CVE-2024-42448)
152483  Veeam Service Provider Console Information Disclosure Vulnerability (CVE-2024-42449)
152484  BoidCMS Cross-site Scripting (XSS) Vulnerability (CVE-2024-53255)
152485  Apache Ozone Improper Authentication Vulnerability (CVE-2024-45106)
152486  Apache Airflow Sensitive Information Disclosure Vulnerability (CVE-2024-45784)
152487  ZenML Account Takeover Vulnerability (CVE-2024-4311)
152488  Open WebUI Insecure Direct Object Reference Vulnerability (CVE-2024-7048)
152490  WordPress Chartify Plugin: Local File Inclusion Vulnerability (CVE-2024-10571)
152491  WordPress UserPro Plugin: Unauthorized Access of Data Vulnerability (CVE-2023-2448)
152492  JetBrains YouTrack Path Traversal Vulnerability (CVE-2024-54154)
152493  JetBrains YouTrack Prototype Pollution Vulnerability (CVE-2024-54156)
152494  JetBrains YouTrack Regular Expression Denial of Service (ReDoS) Vulnerability (CVE-2024-54157)
152495  JetBrains YouTrack Unauthorized Data Access Vulnerabilities (CVE-2024-54153, CVE-2024-54155)
152496  JetBrains YouTrack Punycode Encoding Spoofing Vulnerability (CVE-2024-54158)
152497  WordPress Beaver Builder – Page Builder Plugin: DOM-Based Reflected Cross-Site Scripting Vulnerability (CVE-2024-1038)
152498  ChurchCRM SQL Injection Vulnerability (CVE-2024-53438)
152499  Moodle Lesson Activity Password Bypass Vulnerability (CVE-2024-45691)
152500  Moodle Dynamic Tables Information Disclosure Vulnerability (CVE-2024-45689)
152501  Moodle Insecure Direct Object Reference (IDOR) Vulnerability (CVE-2024-48899)
152502  Mitel MiCollab Authentication Bypass Vulnerability (CVE-2024-41713)
152503  WordPress Post Grid Gutenberg Blocks and WordPress Blog Plugin: Missing Authorization Vulnerability (CVE-2024-10728)
152504  Apache Superset SQL Injection Vulnerability (CVE-2024-53947)
152505  Apache Superset Sensitive Information Disclosure Vulnerability (CVE-2024-53948)
152506  Apache Superset Improper Authorization Vulnerability (CVE-2024-53949)
152507  WordPress Kaswara Modern VC Addons Plugin: Arbitrary File Upload Vulnerability (CVE-2024-24284)
152508  SolarWinds Web Help Desk Local File Read Vulnerability (CVE-2024-45709)
152509  Splunk Secure Gateway Deserialization of Untrusted Data Vulnerability (CVE-2024-53247)
152510  Cambium Networks cnMaestro SQL Injection Vulnerability (CVE-2022-1361)
152511  WordPress GamiPress Plugin: Arbitrary Shortcode Execution Vulnerability (CVE-2024-11036)
152512  WordPress WP Umbrella Plugin: Local File Inclusion Vulnerability (CVE-2024-12209)
152513  Ivanti Cloud Services Application (CSA) Authentication Bypass Vulnerability (CVE-2024-11639)
152514  Ivanti Cloud Services Application (CSA) Command Injection Vulnerability (CVE-2024-11772)
152515  Ivanti Cloud Services Application (CSA) SQL Injection Vulnerability (CVE-2024-11773)
152516  Adobe Connect Multiple Cross-site Scripting Vulnerabilities (APSB24-99)
152517  WordPress SV100 Companion Plugin: Unauthorized Modification of Data Vulnerability (CVE-2024-12155)
152518  WordPress WPForms Plugin: Unauthorized Modification of Data Vulnerability (CVE-2024-11205)
152519  WordPress AI Quiz Plugin: Unauthorized Modification of Data Vulnerability (CVE-2024-11323)
152520  WordPress Sign In With Google Plugin: Authentication Bypass Vulnerability (CVE-2024-11015)
152521  XWiki Incorrect Authorization Vulnerability (CVE-2024-55662)
152522  XWiki Code Injection Vulnerability (CVE-2024-55877)
152523  Apache Superset Improper Authorization Vulnerability (CVE-2024-55633)
152524  WordPress Gallery Plugin: PHP Object Injection Vulnerability (CVE-2024-11501)
152525  WordPress Import Export for WooCommerce Plugin: Arbitrary File Upload Vulnerability (CVE-2024-54262)
152526  WordPress Vayu Blocks Plugin: Missing Authorization Vulnerability (CVE-2024-10124)
152527  WordPress Funnelforms Plugin: PHP Object Injection Vulnerability (CVE-2024-10587)
152528  Apache Struts2 Remote Code Execution (RCE) Vulnerability (CVE-2024-53677) (Intrusive Check)
152529  Cleo Products Remote Code Execution (RCE) Vulnerability (CVE-2024-50623)
152530  Cleo Products Remote Code Execution (RCE) Vulnerability (CVE-2024-55956)
152531  ClipBucket V5 PHP Deserialization Vulnerability (CVE-2024-54135)
152532  ClipBucket V5 PHP Deserialization Vulnerability (CVE-2024-54136)
152533  WordPress Video and Photo Gallery for Ultimate Member Plugin: Arbitrary File Upload Vulnerability (CVE-2024-54370)
152534  WordPress de:branding Plugin: Unauthorized Modification of Data Vulnerability (CVE-2024-11443)
152535  WordPress Print Science Designer Plugin: PHP Object Injection Vulnerability (CVE-2024-12312)
152536  Apache Tomcat Remote Code Execution (RCE) Vulnerability (CVE-2024-50379)
152537  Apache Tomcat Denial of Service (DoS) Vulnerability (CVE-2024-54677)
152539  Apache Tomcat Remote Code Execution (RCE) Vulnerability (CVE-2024-56337)
152540  Apache HertzBeat SQL Injection Vulnerability (CVE-2024-42361)
152541  WordPress Beaver Builder – Page Builder Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-0896)
152542  WordPress Beaver Builder – Page Builder Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-0897)
152543  WordPress Collapsing Categories Plugin: SQL Injection Vulnerability (CVE-2024-12025)
152544  WordPress RepairBuddy Plugin: Missing Authorization Vulnerability (CVE-2024-12259)
152545  WordPress WPC Shop as a Customer Plugin: Authentication Bypass Vulnerability (CVE-2024-12432)
152546  Ivanti Connect Secure (ICS) Argument Injection Vulnerability (CVE-2024-11633)
152547  Ivanti Connect Secure (ICS) Command Injection Vulnerability (CVE-2024-11634)
152548  Ivanti Policy Secure (IPS) Command Injection Vulnerability (CVE-2024-11634)
152549  WordPress Affiliate-Toolkit Plugin: Unauthorized Access Vulnerability (CVE-2024-1851)
152550  WinterCMS Modules Twig Sandbox Bypass Vulnerability (CVE-2024-54149)
152551  WordPress eCommerce Product Catalog Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-12771)
152552  WordPress SMSA Shipping Plugin: Arbitrary File Deletion Vulnerability (CVE-2024-12066)
152553  WordPress AutomatorWP Plugin: Reflected Cross-Site Scripting Vulnerability (CVE-2024-12626)
152554  WordPress Beaver Builder – Page Builder Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-3923)
152555  WordPress Flexible Woocommerce Checkout Field Editor Plugin: Missing Authorization Vulnerability (CVE-2023-49817)
152556  WordPress Store Locator Plugin: Reflected Cross-Site Scripting Vulnerability (CVE-2024-12571)
152557  WordPress Duplicator – Backups and Migration Plugin: Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2023-51681)
152558  Adobe ColdFusion Path Traversal Vulnerability (CVE-2024-53961)
152559  WordPress WP Job Portal Plugin: SQL Injection Vulnerability (CVE-2024-11711)
152560  WordPress Fluent Forms Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-10646)
152561  Apache HugeGraph-Server Authentication Bypass Vulnerability (CVE-2024-43441)
154167  Drupal PHP Object Injection Vulnerability (CVE-2024-55637)
154168  Drupal PHP Object Injection Vulnerability (CVE-2024-55638)
154169  Drupal Denial of Service Vulnerability (CVE-2024-11941)
520036  PHP Out-of-bounds Write Vulnerability (CVE-2024-11236)
520037  PHP CRLF Injection Vulnerability (CVE-2024-11234)
520038  Open Secure Sockets Layer (OpenSSL) Use After Free Vulnerability (CVE-2024-4741)
520039  Liferay Portal Incorrect Authorization Vulnerability (CVE-2024-38002)
520040  Liferay Portal Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2024-26273)
520041  Liferay Portal Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2024-26272)
520042  Open Secure Sockets Layer (OpenSSL) Buffer Overread Vulnerability (CVE-2024-5535)
520043  Webmin Privilege Escalation Vulnerability (CVE-2024-12828)