Application Detections Published in September 2025

Hitesh Kadu


In September, Qualys Web Application Scanning released QIDs targeting vulnerabilities in several widely used software products and frameworks, including:

Next.js, Adobe (Magento/ColdFusion), JetBrains (TeamCity/YouTrack), MLflow, NetScaler, FoxCMS, Craft CMS, GitHub (Enterprise Server), Jenkins, Sitecore, SAP (NetWeaver), Tableau, Ivanti (Connect Secure / EPM), WordPress, Oracle (Access Manager / WebLogic), SolarWinds, Fortra (GoAnywhere), GitLab, Grafana, Apache, Ansible, CircleCI, Django, ElasticSearch, Nginx, Google, KubePi and AWS

Details about the following QIDs can be found in our knowledge base. Review the scan reports for your applications for these detections and, where any are identified, follow the remediation steps provided in the knowledge base to protect the affected applications against the reported vulnerabilities. Resolving these vulnerabilities as soon as they are detected should be a priority for all organizations: left unaddressed, they expose applications to breaches, unauthorized access, and other malicious activity.

QID    | Title
-------|------------------------------------------------------------------------------------------------------------------
151068 | Next.js Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-57822)
530436 | Adobe Magento Incorrect Authorization Vulnerability (CVE-2020-24401)
530437 | Adobe Magento Incorrect Permissions Vulnerability (CVE-2020-24404)
530438 | JetBrains TeamCity Privilege Escalation Vulnerability (CVE-2025-57732)
530439 | JetBrains TeamCity SMTP Injection Vulnerability (CVE-2025-57733)
530440 | JetBrains TeamCity AWS Credential Exposure Vulnerability (CVE-2025-57734)
530441 | Adobe Magento Cross-Site Scripting Vulnerability (CVE-2020-24408)
530442 | Adobe Magento Incorrect Permissions Vulnerabilities (CVE-2020-24403, CVE-2020-24405)
530443 | Adobe Magento Information Disclosure Vulnerability (CVE-2020-24406)
530444 | MLflow Path Traversal Vulnerability (CVE-2023-2356)
530445 | NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Memory Overflow Vulnerabilities (CVE-2025-7775, CVE-2025-7776)
530446 | NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Improper Access Control Vulnerability (CVE-2025-8424)
530447 | FoxCMS Reflected Cross-Site Scripting (XSS) Vulnerability (CVE-2025-55422)
530448 | Adobe Magento Business Logic Error Vulnerability (CVE-2021-36012)
530449 | Adobe Magento Cross-Site Scripting Vulnerabilities (CVE-2021-36026, CVE-2021-36027)
530450 | Adobe Magento Improper Access Control Vulnerability (CVE-2021-36036)
530451 | Adobe Magento Improper Authorization Vulnerability (CVE-2021-36029)
530452 | Adobe Magento Improper Authorization Vulnerability (CVE-2021-36037)
530453 | Craft CMS Freeform Server-Side Template Injection (SSTI) Vulnerability (CVE-2025-52122)
530454 | Adobe Magento Server-Side Request Forgery Vulnerability (CVE-2021-36043)
530455 | Adobe Magento Path Traversal Vulnerability (CVE-2021-36031)
530456 | Adobe Magento XML Injection Vulnerabilities (CVE-2021-36022, CVE-2021-36023)
530457 | Adobe Magento OS Command Injection Vulnerability (CVE-2021-36024)
530458 | Adobe Magento XML Injection Vulnerabilities (CVE-2021-36020, CVE-2021-36028, CVE-2021-36033)
530460 | Craft CMS Remote Command Execution Vulnerability (CVE-2025-54417)
530461 | GitHub Enterprise Server Server-Side Request Forgery Vulnerability (CVE-2024-3684)
530462 | Jenkins Statistics Gatherer Plugin AWS Secret Key Exposure Vulnerabilities (CVE-2025-53654, CVE-2025-53655)
530463 | Jenkins ReadyAPI Functional Testing Plugin Information Disclosure Vulnerabilities (CVE-2025-53656, CVE-2025-53657)
530466 | Adobe Magento XML Injection Vulnerability (CVE-2023-38207)
530467 | Adobe Magento OS Command Injection Vulnerability (CVE-2023-38208)
530468 | Adobe Magento Incorrect Authorization Vulnerability (CVE-2023-38209)
530469 | Adobe Magento OS Command Injection Vulnerabilities (CVE-2021-21015, CVE-2021-21016, CVE-2021-21018)
530470 | Adobe Magento SQL Injection Vulnerability (CVE-2021-21024)
530471 | Adobe Magento XML Injection Vulnerabilities (CVE-2021-21019, CVE-2021-21025)
530472 | JetBrains YouTrack Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2025-57731)
530473 | Sitecore Experience Platform (XP) Insecure Deserialization Vulnerability (CVE-2025-53690)
530474 | SAP NetWeaver AS Java Insecure File Operations Vulnerability (CVE-2025-42922)
530475 | Adobe Magento Cross-Site Scripting Vulnerabilities (CVE-2021-21023, CVE-2021-21029, CVE-2021-21030)
530476 | Tableau Server Authorization Bypass Vulnerabilities (CVE-2025-52446, CVE-2025-52447, CVE-2025-52448)
530477 | Tableau Server Unrestricted File Upload Vulnerability (CVE-2025-52449)
530478 | Tableau Server Path Traversal Vulnerability (CVE-2025-52452)
530479 | Tableau Server Server-Side Request Forgery (SSRF) Vulnerabilities (CVE-2025-52453, CVE-2025-52454, CVE-2025-52455)
530480 | Adobe Magento Access Control Bypass Vulnerability (CVE-2021-21020)
530481 | Ivanti Connect Secure (ICS) Missing Authorization Vulnerabilities
530482 | Ivanti Connect Secure (ICS) Cross-Site Request Forgery (CSRF) Vulnerabilities (CVE-2025-8711, CVE-2025-55147)
530483 | Ivanti Connect Secure (ICS) Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-55139)
530484 | Adobe Magento File Upload Restriction Bypass Vulnerability (CVE-2021-21014)
530485 | WordPress Eventin Plugin: Privilege Escalation Vulnerability (CVE-2025-4796)
530486 | Adobe Magento Insecure Direct Object Reference Vulnerabilities (CVE-2021-21012, CVE-2021-21013, CVE-2021-21022)
530487 | WordPress Post SMTP Plugin: Account Takeover Vulnerability (CVE-2025-24000)
530488 | Adobe Magento Improper Authorization Vulnerability (CVE-2021-21026)
530489 | Adobe Magento Cross-Site Request Forgery Vulnerability (CVE-2021-21027)
530490 | Adobe Magento Insufficient Validation of User Session Vulnerabilities (CVE-2021-21031, CVE-2021-21032)
530491 | Flowise Password Reset Token Disclosure Vulnerability (CVE-2025-58434)
530492 | Ivanti Connect Secure (ICS) Reflected Text Injection Vulnerability (CVE-2025-55143)
530493 | Ivanti Connect Secure (ICS) Denial of Service (DoS) Vulnerability (CVE-2025-55146)
530495 | Jenkins QMetry Test Management Plugin API Key Exposure Vulnerabilities (CVE-2025-53659, CVE-2025-53660)
530496 | WordPress Single Sign-On (SSO) Plugin: Incorrect Authorization Vulnerability (CVE-2025-6003)
530497 | Adobe Magento Remote Code Execution Vulnerabilities
530499 | WordPress Gutenberg Template Library and Redux Framework Plugin: Sensitive Information Disclosure Vulnerability (CVE-2021-38314)
530500 | Oracle Access Manager Remote Code Execution (RCE) Vulnerability (CVE-2021-35587)
530501 | SolarWinds Web Help Desk AjaxProxy Deserialization Remote Code Execution Vulnerability (CVE-2025-26399)
530502 | Adobe Magento SQL Injection Vulnerabilities
530503 | Adobe Magento XPath Injection Vulnerability (CVE-2019-8158)
530504 | Adobe Magento Insecure Authentication and Session Management Vulnerabilities (CVE-2019-8108, CVE-2019-8116, CVE-2019-8149)
530505 | Fortra GoAnywhere MFT Deserialization Vulnerability (CVE-2025-10035)
530506 | Adobe Magento Unrestricted File Upload Vulnerability (CVE-2019-8140)
530507 | Adobe Magento Insecure Component Vulnerability (CVE-2019-8136)
530508 | Adobe Magento Insecure Component Vulnerability (CVE-2019-8121)
530509 | WordPress WPCasa Plugin: Code Injection Vulnerability (CVE-2025-9321)
530510 | Adobe Magento Server-Side Request Forgery Vulnerability (CVE-2019-8156)
530511 | Adobe Magento Arbitrary File Deletion Vulnerability (CVE-2019-8090)
530512 | Adobe Magento Arbitrary File Deletion Vulnerability (CVE-2019-8107)
530515 | GitLab CE/EE Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-6454)
530516 | GitLab CE/EE Denial of Service Vulnerability (CVE-2025-2256)
530517 | GitLab CE/EE Denial of Service Vulnerability (CVE-2025-1250)
530518 | GitLab CE/EE Denial of Service Vulnerability (CVE-2025-7337)
530519 | Ivanti Endpoint Manager (EPM) Remote Code Execution (RCE) Vulnerabilities (CVE-2025-9712, CVE-2025-9872)
580817 | Improper Validation of Time-based Business Logic
580818 | Minimum Spend Requirement Bypass
580819 | Improper Validation of Subscription Cancellation Dates
580820 | Improper Validation of Coupon Reuse
580822 | CAPTCHA Bypass via Missing Cookie Validation
580823 | TRACK Method Detected
580824 | Authentication Bypass via Host Header Injection
580825 | AWS Container Metadata Content Exposure
580826 | Ansible Configuration Exposure
580827 | Apache Configuration File Disclosure
580828 | Apache Pulsar Service Exposure
580829 | SQL Injection in Referer Header
580830 | SQL Injection in User-Agent Header
580831 | SQL Injection in X-Forwarded-For Header
580832 | SQL Injection in Client-IP Header
580834 | Grafana Unauthenticated Snapshot Creation
580835 | KubePi LoginLogsSearch Unauthorized Access
580836 | Error-Based NoSQL Injection (JSON Parameter Replacement)
580837 | Appspec Yml Disclosure
580838 | Command Injection in Referer Header
580839 | Command Injection in User-Agent Header
580840 | Command Injection in X-Forwarded-For Header
580841 | Command Injection in Client-IP Header
580842 | Command Injection Using Backticks
580843 | CGI Script Environment Variable Disclosure
580844 | CircleCI Config.yml Exposure
580845 | Config Ruby File Disclosure
580846 | Django Default Homepage Enabled
580847 | Eclipse BIRT Panel Exposure
580848 | ElasticSearch Default Login Vulnerability
580849 | Nginx Git Configuration Exposure
580850 | GitHub Workflow Disclosure
580851 | Google API Key Disclosure
580852 | GraphQL Debug Mode Enabled
580853 | JWT Signing in Client-Side
580854 | LightHttpd Config Exposed
580855 | Msmtp Configuration File Exposed
580856 | Nginx Log File Exposed
580857 | Open Redirect in Path

What’s Next

Leverage the QID list to guide your remediation efforts and strengthen your risk posture.

Looking for more context or remediation tips? Head to Qualys KnowledgeBase for detailed analysis, actionable guidance, and expert-backed support.
