December 2022 Web Application Vulnerabilities Released

Hitesh Kadu

The Qualys WAS team has identified and released a new set of security signatures to detect a range of vulnerabilities in popular web applications and software such as WordPress, Citrix, JavaScript libraries and ForgeRock. These vulnerabilities, if left unpatched, can potentially lead to serious security breaches such as unauthorized access, data leakage, and other malicious activities. We urge all organizations to conduct an immediate security audit of their networks and systems for the identified vulnerabilities and take immediate steps to mitigate any potential risks.

QID      Title
154127   WordPress Multiple Vulnerabilities : Security Update 6.0.3 (CVE-2022-43497, CVE-2022-43500, CVE-2022-43504)
150623   ForgeRock Access Management Remote Code Execution Vulnerability (CVE-2021-35464)
150624   WordPress Easy WP SMTP Plugin: Multiple Vulnerabilities (CVE-2022-42699, CVE-2022-45833, CVE-2022-45829)
150625   WordPress Booster for Woocommerce Plugin: Custom Role Creation/Deletion via CSRF Vulnerability (CVE-2022-4016)
150626   Citrix Application Delivery Controller (ADC) and Citrix Gateway Remote Code Execution (RCE) Vulnerability (CVE-2022-27518)

QID 154127 : WordPress Multiple Vulnerabilities : Security Update 6.0.3 (CVE-2022-43497,CVE-2022-43500,CVE-2022-43504)

CVE-ID: CVE-2022-43497, CVE-2022-43500, CVE-2022-43504
Severity: Level 4
CVSS 3.1: 6.1
CWE-ID: 79
Affected Versions: WordPress versions prior to 6.0.3

Description:

On October 17, 2022, the WordPress core team released version 6.0.3, which includes security updates for multiple vulnerabilities. Qualys WAS has issued a QID to detect the latest CVEs (CVE-2022-43497, CVE-2022-21662, CVE-2022-43500, CVE-2022-43504) that affect the WordPress Core.

These vulnerabilities include:

  • Improper authentication vulnerability (CVE-2022-43504) that allows an attacker to gain unauthorized access to sensitive information.
  • Two cross-site scripting vulnerabilities (CVE-2022-43497, CVE-2022-43500) that allow an attacker to inject malicious code into a web page, which can then be executed by the user’s browser.

It is important for users of the WordPress content management system to upgrade to version 6.0.3 or above in order to protect against these vulnerabilities.

QID 150623 : ForgeRock Access Management Remote Code Execution Vulnerability (CVE-2021-35464)

CVE-ID: CVE-2021-35464
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 502
Affected Versions: ForgeRock Access Management version 5.x;
ForgeRock Access Management versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x and 6.5.3;
OpenAM versions 9.x, 10.x, 11.x, 12.x and 13.x

Description:

The ForgeRock AM server is a service that manages access to resources, such as web pages, applications, and web services, over the network. However, a vulnerability was recently discovered in the server that could potentially allow for unauthorized access to these resources.

The vulnerability is a Java deserialization vulnerability in the jato.pageSession parameter that is present on multiple pages of the ForgeRock AM server. This vulnerability can be exploited without the need for authentication and can potentially lead to remote code execution by simply sending a specially crafted /ccversion/* request to the server. The vulnerability is caused by the use of the Sun ONE Application Framework (JATO) in versions of Java 8 or earlier.

To address this vulnerability, ForgeRock AM version 7.0 removed the “/ccversion” endpoint, along with other legacy endpoints that rely on JATO. However, it is worth noting that the JATO framework has not been updated for many years, so it is possible that other products that use the JATO framework may still be affected by this vulnerability.

To fix the vulnerability, update to ForgeRock AM version 7.0 or later, which removes the vulnerable endpoint.

QID 150624 : WordPress Easy WP SMTP Plugin: Multiple Vulnerabilities (CVE-2022-42699,CVE-2022-45833,CVE-2022-45829)

CVE-ID: CVE-2022-42699, CVE-2022-45833, CVE-2022-45829
Severity: Level 4
CVSS 3.1: 8.8
CWE-ID: 22, 94
Affected Versions: Easy WP SMTP prior to version 1.5.2

Description:

Qualys WAS released a QID to detect a remote code execution vulnerability and path traversal vulnerabilities in the Easy WP SMTP WordPress plugin. According to the plugin description on wordpress.org, easy-wp-smtp is installed on over 600,000 sites and allows users to configure and send all outgoing emails via an SMTP server.

These vulnerabilities include:

  • A critical authenticated remote code execution vulnerability (CVE-2022-42699) that allows an attacker who has access to the system to execute arbitrary code and gain complete control over the targeted system. This could lead to unauthorized access to sensitive information and data breaches.
  • Two authenticated path traversal vulnerabilities (CVE-2022-45833 and CVE-2022-45829) that allow an attacker to read sensitive files from the targeted system. This could potentially lead to data breaches, unauthorized access to sensitive information, and other malicious activities.

To protect against these vulnerabilities, it is recommended that users update the Easy WP SMTP plugin to the latest version (1.5.2) as soon as possible. Additionally, if the plugin is not in use, it should be disabled to prevent any potential exploitation of these vulnerabilities. It is also crucial for website administrators to keep their plugins updated to avoid potential security breaches and unauthorized access to sensitive information.

QID 150625 : WordPress Booster for Woocommerce Plugin: Custom Role Creation/Deletion via CSRF Vulnerability (CVE-2022-4016)

CVE-ID: CVE-2022-4016
Severity: Level 3
CVSS 3.1: 6.5
CWE-ID: 352
Affected Versions: The Booster for WooCommerce WordPress plugin before 5.6.7

Description:

Booster for WooCommerce is a popular addon plugin for WooCommerce with over 70,000 installations. It enhances the functionality of WooCommerce through various modules that can be enabled and disabled at any time.

The Booster for WooCommerce plugin version 5.6.6 and earlier is vulnerable to cross-site request forgery (CSRF) attacks due to the missing nonce validation on functions such as ‘process_actions’ and ‘get_delete_all_custom_statuses_button’. As a result, an attacker could trick an administrator into performing actions that they are authorized to perform, such as creating or deleting custom roles.

It is not possible to effectively safeguard against these vulnerabilities without blocking valid requests, which could disrupt the normal functioning of the website. Therefore, Qualys WAS highly recommends updating to version 5.6.7 or later of Booster for WooCommerce to ensure that your website is protected against any potential exploits targeting this vulnerability. Failure to do so could lead to data breaches, unauthorized access to sensitive information, and other malicious activities.
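To make the "missing nonce validation" root cause concrete, the following is an added example written for this post; it is not code from the Booster for WooCommerce plugin or from Qualys. It shows a minimal WordPress admin-post handler that creates or deletes a custom role, first in the vulnerable shape (capability check only, so a forged cross-site form submission from an administrator's browser is indistinguishable from a deliberate one) and then hardened with the WordPress nonce API. Every name prefixed with "example_" and the constant EXAMPLE_ROLE_ACTION are hypothetical; the WordPress functions used (wp_nonce_field, check_admin_referer, current_user_can, add_role, remove_role) are real core APIs.

```php
<?php
/**
 * Added example, not plugin code: a custom-role handler without and with
 * nonce validation. All "example_" names are hypothetical.
 */

// --- Vulnerable pattern (shown for contrast; not registered below).
// A logged-in administrator's browser will attach the session cookie to any
// POST, so an attacker-controlled page can submit this form on their behalf.
function example_process_actions_unsafe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }
    $action = isset( $_POST['role_action'] ) ? sanitize_key( $_POST['role_action'] ) : '';
    $role   = isset( $_POST['role_slug'] ) ? sanitize_key( $_POST['role_slug'] ) : '';
    if ( 'delete' === $action && '' !== $role ) {
        remove_role( $role ); // runs on a forged request as well as a genuine one
    }
}

// --- Hardened pattern: a nonce bound to this action and to the current
// user's session is rendered into the form and verified before any change.
const EXAMPLE_ROLE_ACTION = 'example_manage_custom_role';

function example_render_role_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="<?php echo esc_attr( EXAMPLE_ROLE_ACTION ); ?>">
        <?php wp_nonce_field( EXAMPLE_ROLE_ACTION, '_example_nonce' ); ?>
        <input type="text" name="role_slug" placeholder="role slug">
        <button name="role_action" value="create">Create</button>
        <button name="role_action" value="delete">Delete</button>
    </form>
    <?php
}

function example_process_actions_safe() {
    // Authorization: only administrators may manage roles.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }
    // CSRF protection: check_admin_referer() validates the nonce for this
    // action and calls wp_die() on failure, so nothing below runs for a
    // request that did not originate from our own form.
    check_admin_referer( EXAMPLE_ROLE_ACTION, '_example_nonce' );

    $action = isset( $_POST['role_action'] ) ? sanitize_key( $_POST['role_action'] ) : '';
    $role   = isset( $_POST['role_slug'] ) ? sanitize_key( $_POST['role_slug'] ) : '';
    if ( '' === $role ) {
        wp_die( 'Missing role slug.', 400 );
    }

    if ( 'create' === $action ) {
        add_role( $role, ucfirst( $role ), array( 'read' => true ) );
    } elseif ( 'delete' === $action ) {
        remove_role( $role );
    }

    wp_safe_redirect( admin_url( 'users.php' ) );
    exit;
}

// admin_post_{action} fires only for logged-in users submitting to admin-post.php.
add_action( 'admin_post_' . EXAMPLE_ROLE_ACTION, 'example_process_actions_safe' );
```

The capability check alone does not stop CSRF, because the forged request carries the victim administrator's own credentials; the nonce is the per-user, per-action secret that a third-party page cannot know. For AJAX or REST handlers the same idea applies with wp_verify_nonce() (returning an error instead of dying) or the REST API's built-in nonce checking.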

QID 150626 : Citrix Application Delivery Controller (ADC) and Citrix Gateway Remote Code Execution (RCE) Vulnerability (CVE-2022-27518)

CVE-ID: CVE-2022-27518
Severity: Level 4
CVSS 3.1: 9.8
CWE-ID: 664
Affected Versions: Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32;
Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25

Description:

Citrix ADC is the most comprehensive application delivery and load balancing solution for monolithic and microservices-based applications.

On Tuesday, December 13, 2022, Citrix released a security bulletin for a critical unauthenticated remote code execution (RCE) vulnerability in certain configurations of its Gateway and ADC products. The bulletin announced the availability of fixes for the vulnerability, which had reportedly been exploited in the wild by state-sponsored threat actors.

According to Citrix, there are no alternative solutions for this vulnerability, and customers who use the affected versions should apply the update as soon as possible. Qualys WAS highly recommends referring to Citrix Security Bulletin CTX474995 for information on remediating this vulnerability.

Improvement:

Starting from December 2022, vulnerabilities in JavaScript libraries detected during web application scans are reported under dedicated QIDs rather than under the general QID 150162. This change aims to improve the reporting and management of vulnerabilities, making it simpler for users to pinpoint and address them.

Please note that while QID 150162 is still active, some users may receive duplicate results. We recommend that customers refer to the results reported in the new, dedicated QIDs for accurate and up-to-date information.

The following is a list of the new QIDs for vulnerable libraries that have been supported thus far:

QID      Title
151000   Vulnerable JavaScript Library Detected – AngularJS
151001   Vulnerable JavaScript Library Detected – Backbone
151002   Vulnerable JavaScript Library Detected – Bootstrap
151003   Vulnerable JavaScript Library Detected – CKEditor
151005   Vulnerable JavaScript Library Detected – Coveo JS
151006   Vulnerable JavaScript Library Detected – Dojo
151007   Vulnerable JavaScript Library Detected – DOMPurify
151008   Vulnerable JavaScript Library Detected – DWR
151009   Vulnerable JavaScript Library Detected – easyXDM
151010   Vulnerable JavaScript Library Detected – Ember.js
151011   Vulnerable JavaScript Library Detected – Ext JS
151012   Vulnerable JavaScript Library Detected – flowplayer
151013   Vulnerable JavaScript Library Detected – Handlebars
151014   Vulnerable JavaScript Library Detected – jPlayer
151015   Vulnerable JavaScript Library Detected – jQuery
151016   Vulnerable JavaScript Library Detected – jQuery Migrate
151017   Vulnerable JavaScript Library Detected – jQuery Mobile
151018   Vulnerable JavaScript Library Detected – jQuery PrettyPhoto
151019   Vulnerable JavaScript Library Detected – jQuery UI
151022   Vulnerable JavaScript Library Detected – Knockout
151024   Vulnerable JavaScript Library Detected – Lodash
151025   Vulnerable JavaScript Library Detected – Moment.js
151026   Vulnerable JavaScript Library Detected – Mustache
151028   Vulnerable JavaScript Library Detected – Next.js
151029   Vulnerable JavaScript Library Detected – Plupload
151030   Vulnerable JavaScript Library Detected – Plupload
151031   Vulnerable JavaScript Library Detected – React
151034   Vulnerable JavaScript Library Detected – TinyMCE
151035   Vulnerable JavaScript Library Detected – URI.js
151037   Vulnerable JavaScript Library Detected – Vue.js
151038   Vulnerable JavaScript Library Detected – YUI

We strongly advise all our customers to review and upgrade to the most recent version of these libraries in order to maintain the security of their web applications.
For further information on this topic, please refer to our article on Detection of Vulnerabilities in JavaScript Libraries.
