November 2022 Web Application Vulnerabilities Released

Ed Arnold

The Qualys WAS team has released a new series of signatures (detections) to report vulnerabilities in the following frameworks: Apache, Atlassian, Django, Drupal, Oracle, PHP, Spring, WordPress, and Zabbix. Organizations can immediately audit their networks for the following vulnerabilities.

Apache

QID 150586 Apache Commons Text Remote Code Execution (RCE) Vulnerability (Text4Shell) (CVE-2022-42889)

Apache Commons Text is a commonly used library of algorithms that work on strings. The library performs a process called variable interpolation, which evaluates strings that contain placeholders and replaces the placeholders with their corresponding values.

The standard format for interpolation is “${prefix:name}”, where “prefix” is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. In affected versions, the default set of lookups included ones (script, dns and url) that can execute code or contact remote hosts, so untrusted input that reaches the interpolator can lead to remote code execution.

Affected Versions:
Apache Commons Text from version 1.5 to 1.9

QID 150590 Apache Tomcat HTTP Request Smuggling Vulnerability (CVE-2022-42252)

Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

If Tomcat was configured to ignore invalid HTTP headers by setting rejectIllegalHeader to false (not the default), Tomcat did not reject a request containing an invalid Content-Length header. This made a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header, because the two hops could then disagree on where the request body ends.

Affected Versions:
Apache Tomcat 10.1.0-M1 to 10.1.0
Apache Tomcat 10.0.0-M1 to 10.0.26
Apache Tomcat 9.0.0-M1 to 9.0.67
Apache Tomcat 8.5.0 to 8.5.52
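The mitigation for this class of bug is that every hop applies the same strict rules to Content-Length. The following is an added example (not part of the Qualys post or of Tomcat's own code) of such a strict parser: it rejects non-numeric values, disagreeing duplicates, malformed header lines and requests that carry both Transfer-Encoding and Content-Length. The sample requests are constructed.

```python
import re

# RFC 9110: Content-Length = 1*DIGIT. Anything else, or two disagreeing
# values, is rejected rather than "repaired" by a lenient parser.
_DIGITS = re.compile(r"[0-9]+")

def parse_request_head(raw: bytes):
    """Split an HTTP/1.1 request head into (request_line, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # Missing colon, empty name, or whitespace around the name are the
        # malformed shapes that different parsers are most likely to disagree on.
        if not sep or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.lower(), value.strip()))
    return lines[0], headers

def declared_body_length(headers):
    """Return the single agreed Content-Length, None if absent, or raise ValueError."""
    values = [v for n, v in headers if n == "content-length"]
    if not values:
        return None
    # Some senders fold repeated fields into one comma-separated list.
    parts = [p.strip() for v in values for p in v.split(",")]
    for part in parts:
        if not _DIGITS.fullmatch(part):
            raise ValueError(f"invalid Content-Length value: {part!r}")
    distinct = {int(p) for p in parts}
    if len(distinct) != 1:
        raise ValueError(f"conflicting Content-Length values: {sorted(distinct)}")
    return distinct.pop()

def classify_request(raw: bytes) -> str:
    """Decide how a hop should frame the request body, or why it must reject it."""
    try:
        _, headers = parse_request_head(raw)
        names = {n for n, _ in headers}
        if "transfer-encoding" in names:
            if "content-length" in names:
                raise ValueError("both Transfer-Encoding and Content-Length present")
            return "accept chunked"
        length = declared_body_length(headers)
    except ValueError as exc:
        return f"reject {exc}"
    return f"accept {length or 0}"

# Constructed sample requests (not real traffic).
VALID = b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello"
NON_NUMERIC = b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5x\r\n\r\nhello"
CONFLICTING = b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\nhello"
```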

Atlassian

QID 150596 Atlassian Bitbucket Server and Data Center: Command Injection Vulnerability (CVE-2022-43781)

Bitbucket is a Git-based source code repository hosting service owned by Atlassian.

In affected versions of Atlassian Bitbucket Server and Data Center, a command injection vulnerability exists in the handling of environment variables: an attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. The vulnerability can be exploited without authentication if the Bitbucket Server and Data Center instance has “Allow public signup” enabled.

Affected Versions:
Atlassian Bitbucket Server and Data Center version from 7.0.0 before version 7.6.19
Atlassian Bitbucket Server and Data Center version from 7.7.0 before version 7.17.12
Atlassian Bitbucket Server and Data Center version from 7.18.0 before version 7.21.6
Atlassian Bitbucket Server and Data Center version from 7.22.0 before version 8.0.5
Atlassian Bitbucket Server and Data Center version from 8.1.0 before version 8.1.5
Atlassian Bitbucket Server and Data Center version from 8.2.0 before version 8.2.4
Atlassian Bitbucket Server and Data Center version from 8.3.0 before version 8.3.3
Atlassian Bitbucket Server and Data Center version from 8.4.0 before version 8.4.2

Django

QID 150587 Django Debug Mode Enabled

Django is a free and open-source, Python-based web framework that follows the model template views architectural pattern.

The web application uses the Django framework and is running with debug mode turned on (DEBUG = True). Debug mode should be turned off in production environments, as it leads to disclosure of sensitive information about the web application.

Drupal

QID 154126 Drupal Core: CKEditor Library Multiple Vulnerabilities (CVE-2022-24728, CVE-2022-24729)

Drupal is a free and open source content management framework written in PHP and distributed under the GNU General Public License.

The Drupal project uses the CKEditor library for WYSIWYG editing.
CKEditor has released a security update that impacts Drupal.

CVE-2022-24728: An HTML-processing vulnerability that allows execution of JavaScript code.
CVE-2022-24729: A regular expression denial of service (ReDoS) in the dialog plugin.

Affected Versions:
Drupal 8.0.0 to 9.2.15
Drupal 9.3.0 to 9.3.8

Oracle

QID 150588 Oracle WebLogic Server Multiple Vulnerabilities (CPUOCT2022)

Oracle WebLogic Server (formerly known as BEA WebLogic Server) is an application server for building and deploying enterprise applications and services.
The Oracle WebLogic Server component in Oracle Fusion Middleware for versions 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0 has fixes for multiple vulnerabilities.

Affected Versions:
Oracle WebLogic Server, version(s) 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0

PHP

QID 150595 PHP Insufficient Input Validation Vulnerability (CVE-2022-31630)

PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications.

In the installed version of PHP, the imageloadfont() function in the gd extension can be given a specially crafted font file. If the loaded font is later used with the imagechar() function, the read outside the allocated buffer is used. This can lead to crashes or disclosure of confidential information.

Affected Versions:
PHP versions before 7.4.33
PHP versions 8.0.0 prior to 8.0.25
PHP versions 8.1.0 prior to 8.1.12

Spring

QID 150594 Spring Boot Misconfiguration: Actuator Endpoint Security Disabled

Spring Boot Actuator is a sub-project of Spring Boot. Actuator is mainly used to expose operational information about the running application.

Several built-in Actuator endpoints can expose sensitive data and are labeled as “sensitive”. This web application is configured with management.endpoints.web.expose=* or management.endpoints.web.exposure.include=*, which exposes all Spring Boot Actuator endpoints without authentication and causes significant security problems.
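An added example (not part of the Qualys post or of Spring Boot) of the two checks behind this kind of detection: one classifies the endpoints listed by the JSON index that /actuator serves, the other flags the wildcard exposure setting in an application.properties text. The endpoint list, the sample index and the property snippets are constructed for the example.

```python
import json

# Actuator endpoints that leak configuration, memory contents or allow state
# changes. Spring Boot exposes only health (and, in older releases, info) over
# HTTP by default; everything else needs an explicit exposure setting.
SENSITIVE = {
    "env": "environment and property sources, often including credentials",
    "configprops": "resolved configuration properties",
    "beans": "full bean graph",
    "mappings": "every HTTP route mapping",
    "heapdump": "JVM heap dump, may contain secrets held in memory",
    "threaddump": "thread stacks",
    "loggers": "runtime log-level changes (POST)",
    "shutdown": "remote application shutdown (POST)",
    "logfile": "raw application log",
    "sessions": "session listing and invalidation",
}
DEFAULT_EXPOSED = {"health", "info"}
# The second key is the legacy spelling from early Spring Boot 2.0 milestones.
WILDCARD_KEYS = ("management.endpoints.web.exposure.include",
                 "management.endpoints.web.expose")

def assess_actuator_index(body: str) -> dict:
    """Classify the endpoints listed by the JSON index returned at /actuator."""
    links = json.loads(body).get("_links", {})
    # Templated variants such as "env-toMatch" collapse to their base endpoint.
    names = {n.split("-")[0] for n in links if n != "self"}
    return {
        "exposed": sorted(names),
        "beyond_default": sorted(names - DEFAULT_EXPOSED),
        "sensitive": {n: SENSITIVE[n] for n in sorted(names & set(SENSITIVE))},
    }

def exposure_is_wildcard(properties: str) -> bool:
    """True if an application.properties text exposes every endpoint with '*'."""
    for line in properties.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        if key.strip() in WILDCARD_KEYS and value.strip().strip('"') == "*":
            return True
    return False

# Constructed sample index and property files, not captured from a real host.
SAMPLE_INDEX = json.dumps({"_links": {
    "self": {"href": "http://app.example/actuator", "templated": False},
    "health": {"href": "http://app.example/actuator/health", "templated": False},
    "env": {"href": "http://app.example/actuator/env", "templated": False},
    "env-toMatch": {"href": "http://app.example/actuator/env/{toMatch}", "templated": True},
    "heapdump": {"href": "http://app.example/actuator/heapdump", "templated": False},
}})
WEAK_PROPERTIES = "management.endpoints.web.exposure.include=*\n"
HARDENED_PROPERTIES = "management.endpoints.web.exposure.include=health,info\n"
```

The hardened setting keeps the default endpoints only; anything beyond that should sit behind authentication and a separate management port.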

WordPress

QID 150589 WordPress Form Maker Plugin: Authenticated SQL Injection Vulnerability (CVE-2022-3300)  

Form Maker by 10Web is a drag-and-drop plugin for building forms of any complexity in just a few clicks.

The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as administrators.

Affected Versions:
WordPress Form Maker Plugin before 1.15.6.

QID 150597 WordPress Booster for WooCommerce Plugin: Multiple Vulnerabilities (CVE-2022-41805, CVE-2022-3763, CVE-2022-3762)

Booster for WooCommerce is an add-on plugin for WooCommerce designed to enhance its functionality through the use of various modules that site owners can enable and disable at any point.

Booster for WooCommerce contains multiple vulnerabilities:

CVE-2022-41805: The plugin does not have CSRF checks, allowing attackers to perform CSRF attacks.

CVE-2022-3762: The plugin does not validate the files to be downloaded in some of its modules, which could allow Shop Manager and Admin users to download arbitrary files from the server even when they are not supposed to be able to (for example, in multisite).

CVE-2022-3763: The plugin does not have a CSRF check in place when deleting files uploaded at checkout, allowing attackers to make a logged-in shop manager or admin delete them via a CSRF attack.

Affected Versions:
The Booster for WooCommerce WordPress plugin before 5.6.7

QID 150598 WordPress LoginPress Plugin: Broken Access Control Vulnerability (CVE-2022-41839)

The LoginPress plugin by LoginPress provides many customization fields for changing the layout of the WordPress login page.

A broken access control vulnerability in the WordPress LoginPress plugin allows unauthenticated changing of the opt-in or opt-out tracking settings.

Affected Versions:
WordPress LoginPress Plugin before 1.6.2

QID 150599 WordPress Easy WP SMTP Plugin: PHP Object Injection Vulnerability (CVE-2022-3334)

Easy WP SMTP is a WordPress plugin which allows users to configure and send all outgoing emails via an SMTP server.

Affected versions of the Easy WP SMTP plugin unserialize the content of an imported file, which could lead to a PHP object injection issue when an administrator imports a malicious file and a suitable gadget chain is present on the site.

Affected Versions:
Easy WP SMTP prior to version 1.5.0

QID 150600 WordPress WP-Polls Plugin: Race Condition Vulnerability (CVE-2022-40130)

WP-Polls is a WordPress plugin which adds an AJAX poll system to a WordPress blog and is highly customizable via templates and CSS styles.

A race condition vulnerability exists in the WP-Polls plugin; exploitation requires authentication as a user with the Subscriber role or higher.

Affected Versions:
WP-Polls prior to version 2.77.0

Zabbix

QID 150592 Zabbix Reflected Cross Site Scripting Vulnerability (CVE-2022-35230)

Zabbix is an open-source software tool to monitor IT infrastructure such as networks, servers, virtual machines, and cloud services.

An authenticated user can create a link with reflected JavaScript code inside it for the graphs page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.

Affected Versions:
Zabbix before version 5.0.25

QID 150593 Zabbix Reflected Cross Site Scripting (XSS) Vulnerability (CVE-2022-35229)  

Zabbix is an open-source software tool to monitor IT infrastructure such as networks, servers, virtual machines, and cloud services.

An authenticated user can create a link with reflected JavaScript code inside it for the discovery page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.

Affected Versions:
Zabbix before version 4.0.0
Zabbix version from 5.0.0 to 5.0.24
Zabbix version from 6.0.0 to 6.0.3
