July Web Application Vulnerabilities Released

John Delaroderie

The Qualys WAS team has released a new series of signatures (detections) to report the vulnerabilities in the following 6 frameworks: Apache, Atlassian, Drupal, Oracle WebLogic, PHP, and WordPress. Organizations can immediately audit their networks for the following vulnerabilities.

Apache Software (Multiple)

QID 150539: Apache HTTP Server 2.4.53 Multiple Vulnerabilities

The Apache HTTP Server, colloquially called Apache, is a free and open-source cross-platform web server software.

Affected versions of Apache HTTP Server have multiple vulnerabilities:
CVE-2022-26377: HTTP Request Smuggling vulnerability in mod_proxy_ajp.
CVE-2022-28330: On Windows, may read beyond bounds when configured to process requests with the mod_isapi module.
CVE-2022-28614: Read beyond bounds via ap_rwrite().
CVE-2022-28615: Read beyond bounds in ap_strcmp_match().
CVE-2022-29404: Denial of service in mod_lua r:parsebody.
CVE-2022-30522: mod_sed denial of service.
CVE-2022-30556: Information disclosure in mod_lua with WebSockets.
CVE-2022-31813: mod_proxy X-Forwarded-For dropped by the hop-by-hop mechanism.

Affected Versions:
Apache HTTP Server versions 2.4.0 through 2.4.53

QID 150540: Apache ShenYu plugin API unauthenticated access (CVE-2022-23944)

Apache ShenYu is a Java native API Gateway for service proxy, protocol conversion and API governance.

Affected versions of Apache ShenYu suffer from an unauthorized access vulnerability where a user can access the /plugin API without authentication.

Affected versions:
Apache ShenYu 2.4.0 and 2.4.1

QID 150541: Apache Tomcat Cross-Site Scripting (XSS) Vulnerability (CVE-2022-34305)

Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

In affected versions of Apache Tomcat, the Form authentication example in the examples web application displayed user-provided data without filtering, exposing an XSS vulnerability.

Affected Versions:
Apache Tomcat 10.1.0-M1 to 10.1.0-M16
Apache Tomcat 10.0.0-M1 to 10.0.22
Apache Tomcat 9.0.30 to 9.0.64
Apache Tomcat 8.5.50 to 8.5.81

QID 150553: Apache Solr Improper Input Validation Vulnerability (CVE-2021-44548)

Apache Solr is an open-source enterprise search platform built on Apache Lucene.

In affected versions of Apache Solr, an Improper Input Validation vulnerability exists in DataImportHandler which allows an attacker to supply a Windows UNC path, resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks. This issue only affects Windows systems.

Affected Versions:
Apache Solr prior to version 8.11.1

Atlassian

Jira is a proprietary issue tracking product developed by Atlassian. It provides bug tracking, issue tracking, and project management functions.

QID 150547: Atlassian Jira Server Multiple Vulnerabilities (OCT-2018)

Multiple vulnerabilities are identified in Atlassian Jira Server:
CVE-2018-13400: Several administrative resources missing WebSudo (improper access control vulnerability).
CVE-2018-13401: Open redirect in the XsrfErrorAction resource.
CVE-2018-13402: Open redirect in many resources.
CVE-2018-13404: The VerifyPopServerConnection resource was vulnerable to SSRF.

Affected versions:
before version 7.6.9
from version 7.7.0 before version 7.7.5
from version 7.8.0 before version 7.8.5
from version 7.9.0 before version 7.9.3
from version 7.10.0 before version 7.10.3
from version 7.11.0 before version 7.11.3
from version 7.12.0 before version 7.12.3
before version 7.13.1

Drupal

Drupal is a free and open source content management framework written in PHP and distributed under the GNU General Public License.

QID 154117: Drupal Core Cross-Site Scripting (XSS) Vulnerability (SA-CORE-2022-002)

jQuery UI is a third-party library used by Drupal. Affected versions of this package are vulnerable to Cross-Site Scripting (XSS): accepting the value of various Text options of the Datepicker widget from untrusted sources may lead to execution of untrusted code.

Affected Versions:
Drupal 7.0 to 7.86
Drupal 9.2.0 to 9.2.11
Drupal 9.3.0 to 9.3.3

QID 154118: Drupal Core Cross-Site Scripting (XSS) Vulnerability (CVE-2021-41182)

jQuery UI is a third-party library used by Drupal. Affected versions of this package are vulnerable to Cross-Site Scripting (XSS): accepting the value of various Text options of the Datepicker widget from untrusted sources may lead to execution of untrusted code.

Affected Versions:
Drupal 7.0 to 7.86


QID 154119: Drupal Core: Guzzle Library Multiple Vulnerabilities (CVE-2022-31043,CVE-2022-31042)

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has multiple vulnerabilities:

CVE-2022-31042: Failure to strip the Cookie header on a change of host or an HTTP downgrade.
CVE-2022-31043: Failure to strip the Authorization header on an HTTP downgrade.

Affected Versions:
Drupal 9.2.0 to 9.2.20
Drupal 9.3.0 to 9.3.15
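As an added illustration (not Drupal's or Guzzle's own code), the check a redirect-following client needs so that the Cookie and Authorization headers described above are dropped when a redirect changes host or downgrades from https to http; the function name and header set are my own choices:

```python
from urllib.parse import urlsplit

# Headers that carry credentials and must not follow a redirect to a
# different host, nor survive an https -> http downgrade.
SENSITIVE_HEADERS = ("authorization", "cookie")


def _effective_port(parts):
    """Explicit port if given, otherwise the scheme default (443 or 80)."""
    if parts.port is not None:
        return parts.port
    return 443 if parts.scheme == "https" else 80


def headers_for_redirect(original_url, redirect_url, headers):
    """Return the header set to send on the redirected request.

    Strips Authorization and Cookie when the target host or port differs
    from the original request, or when the scheme downgrades from https
    to http. Other headers are passed through unchanged.
    """
    src, dst = urlsplit(original_url), urlsplit(redirect_url)
    host_changed = (
        (src.hostname or "").lower() != (dst.hostname or "").lower()
        or _effective_port(src) != _effective_port(dst)
    )
    downgraded = src.scheme == "https" and dst.scheme == "http"
    if not (host_changed or downgraded):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


if __name__ == "__main__":
    # Constructed sample: an authenticated API call redirected to plain http.
    sent = headers_for_redirect(
        "https://api.example.com/v1/me",
        "http://api.example.com/v1/me",
        {"Authorization": "Bearer TOKEN-PLACEHOLDER", "Accept": "application/json"},
    )
    print(sent)  # Authorization is gone, Accept remains
```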

QID 154120: Drupal Core: Guzzle Library Information Disclosure Vulnerability (CVE-2022-29248)

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle contains a vulnerability in its cookie middleware: it does not check that the cookie's domain matches the domain of the server that set the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains.

Affected Versions:
Drupal 9.2.0 to 9.2.20
Drupal 9.3.0 to 9.3.13
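The missing check described above, as an added example that is not Guzzle's code: a cookie's Domain attribute is accepted only if it equals the responding host or is a parent domain of it. The function name is my own and the public-suffix guard is deliberately simplified to "the domain must contain a dot".

```python
from urllib.parse import urlsplit


def cookie_domain_accepted(response_url, cookie_domain):
    """Decide whether a Set-Cookie Domain attribute may be honoured.

    The domain must equal the responding host, or be a parent domain of
    it; anything else is rejected so that a server cannot plant cookies
    for unrelated hosts. A leading dot on the attribute is ignored, as
    browsers do.
    """
    host = (urlsplit(response_url).hostname or "").lower()
    domain = cookie_domain.lower().lstrip(".")
    if not domain or not host:
        return False
    if domain == host:
        return True
    # Parent-domain match: host must end with ".<domain>". Requiring a dot
    # inside the domain is a crude stand-in for a public-suffix check, so a
    # response cannot set a cookie for a bare TLD such as "com".
    return host.endswith("." + domain) and "." in domain


if __name__ == "__main__":
    # Constructed sample: a response from app.example.com tries to set
    # cookies for its own domain and for an unrelated one.
    for attr in ("app.example.com", ".example.com", "evil.test", "com"):
        print(attr, cookie_domain_accepted("https://app.example.com/login", attr))
```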

QID 154121: Drupal Core: Guzzle Library Improper Input Validation Vulnerability (CVE-2022-24775)

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle is vulnerable to improper header parsing: an attacker could inject a newline character into a header value and pass untrusted values.

Affected Versions:
Drupal 8.0.0 to 9.2.15
Drupal 9.3.0 to 9.3.8

Oracle WebLogic Server

Oracle WebLogic Server is a robust, highly performant, and scalable application server for building and deploying both enterprise Java EE and Jakarta EE applications.


QID 150538: Oracle WebLogic Server Multiple Vulnerabilities (CPUAPR2022)

Multiple vulnerabilities are identified in affected versions of Oracle WebLogic Server:
CVE-2022-23305: The installed version of WebLogic Server allows attackers to manipulate SQL by entering crafted strings into input fields or headers of an application that are logged, allowing unintended SQL queries to be executed.
CVE-2022-21441: In the installed version of WebLogic Server, successful attacks on this vulnerability can result in the unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of Oracle WebLogic Server.
CVE-2022-23437: Infinite loop within the Apache XercesJ XML parser.
CVE-2022-21453: Improper authorization vulnerability.

Affected versions:
Oracle WebLogic Server versions 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0


PHP

PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications.


QID 150542: PHP Multiple Remote Code Execution Vulnerabilities (CVE-2022-31626,CVE-2022-31625)

Affected versions of PHP have multiple vulnerabilities:
CVE-2022-31626: mysqlnd/pdo password buffer overflow leading to RCE.
CVE-2022-31625: Uninitialized array in pg_query_params() leading to RCE.

Affected Versions:
PHP versions 7.4.x prior to 7.4.30
PHP versions 8.0.x prior to 8.0.20
PHP versions 8.1.x prior to 8.1.7

WordPress

WordPress is an open-source content management system (CMS) written in PHP.

QID 150543: WordPress Smush Plugin : Reflected Cross-Site Scripting (XSS) Vulnerability (CVE-2022-1009)

Smush is a WordPress plugin that allows users to optimize images without losing quality. Its ease of use and on-the-fly image optimization make the site load faster.

Affected versions of Smush do not sanitize and escape a configuration parameter before outputting it back in an admin page when a malicious preset configuration is uploaded, leading to a Reflected Cross-Site Scripting attack.

Affected Versions:
WordPress Smush Plugin prior to 3.9.9

QID 150544: WordPress Tabs Responsive Plugin : Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2022-1298)

Tabs Responsive is a user-friendly WordPress plugin based on the Bootstrap framework that allows users to display both vertical and horizontal tabs on multiple pages and posts.

Affected versions of Tabs Responsive do not sanitise and escape Tab descriptions, which could allow users with a role as low as Editor to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Affected Versions:
WordPress Tabs Responsive prior to 2.8.8

QID 150548: WordPress Form Maker Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2022-1564)

Form Maker by 10Web is the drag and drop plugin for building forms of any complexity in just a few clicks.

The plugin does not sanitize and escape the Custom Text settings, which could allow high-privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

Affected Versions:
WordPress Form Maker Plugin before 1.14.12

QID 150549: WordPress Photo Gallery Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2022-1394)

Photo Gallery plugin is a feature-rich, yet easy-to-use WordPress tool, which lets you add mobile-friendly image galleries and gallery groups to your website.

The plugin does not properly validate and escape some of its settings, which could allow high-privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

Affected Versions:
WordPress Photo Gallery Plugin before 1.6.4

QID 150550: WordPress Rating by BestWebSoft Plugin: Denial of Service Vulnerability (CVE-2021-25121)

Rating by BestWebSoft is a simple and powerful plugin that can add a five-star rating to your website posts, widgets, and pages.

The plugin does not validate the submitted rating, allowing submission of an overly long integer, which causes a denial of service on the post or page when a user submits such a rating.

Affected Versions:
WordPress Rating by BestWebSoft Plugin before 1.6

QID 150551: WordPress Bold Page Builder Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2022-2089)

Bold Page Builder is a WordPress plugin. With its help you can easily manage your content on both the back end and the front end with newly added functionality.

The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

Affected Versions:
WordPress Bold Page Builder Plugin before 4.3.3

QID 150552: WordPress Download Manager Plugin: Reflected Cross-Site Scripting Vulnerability (CVE-2022-2168)

WordPress Download Manager is a files and documents management plugin to manage, track and control file downloads from your WordPress site.

The plugin does not escape a generated URL before outputting it back in an attribute of the history dashboard, leading to Reflected Cross-Site Scripting.

Affected Versions:
WordPress Download Manager plugin before 3.2.44
