January 2023 Web Application Vulnerabilities Released

Hitesh Kadu

The Qualys Web Application Scanning (WAS) team has just released a crucial update to its security signatures, capable of detecting vulnerabilities in widely-used software such as WordPress, Apache Tomcat, Apache HTTP Server, Oracle WebLogic, and Cacti. These flaws, if left unaddressed, could result in significant security threats such as unauthorized access, data breach, and other malicious actions. It is imperative for all organizations to conduct a prompt security review of their networks and systems, and take immediate action to eliminate any potential vulnerabilities.

QID      Title
150627   Tomcat Manager Path Normalization Vulnerability
150628   Apache Tomcat JsonErrorReportValve Injection Vulnerability (CVE-2022-45143)
150629   WordPress Ninja Forms Plugin: Unauthenticated PHP Object Injection Vulnerability
150633   WordPress Jetpack CRM Plugin: Stored Cross Site Scripting Vulnerability (CVE-2022-4497)
150634   WordPress Royal Elementor Addons Plugin Prior to 1.3.60 Multiple Security Vulnerabilities
150637   Oracle WebLogic Server Multiple Vulnerabilities (CPUJAN2023)
150638   WordPress Ninja Forms Plugin: Deserialization Vulnerability (CVE-2022-2903)
150639   WordPress Booster for WooCommerce Plugin: Reflected Cross-Site Scripting Vulnerability (CVE-2022-4227)
150640   Apache HTTP Server Prior to 2.4.55 Multiple Security Vulnerabilities
150641   Cacti Unauthenticated Command Injection Vulnerability (CVE-2022-46169)
154128   WordPress Unauthenticated Blind SSRF Via DNS Rebinding Vulnerability (CVE-2022-3590)
154129   WordPress wp-cron Denial of Service (DoS) Vulnerability (CVE-2023-22622)

QID 150627: Tomcat Manager Path Normalization Vulnerability

CVE-ID: No CVE
Severity: Level 3
CVSS 3.1: 5.3
CWE-ID: 22
Affected Versions: Apache Tomcat Server

Description:

When Apache Tomcat sits behind a reverse proxy such as nginx, the two components can normalize the same request path differently. Web servers and reverse proxies collapse dot segments, so /docs/../docs/ becomes /docs/. Tomcat goes one step further: it treats a semicolon as the start of a path parameter, strips the parameter from each segment, and only then normalizes, so it sees /..;/ as /../. Most reverse proxies do not recognize the ;-delimited form, leave it untouched, and forward it to Tomcat verbatim.

The result is that resources the proxy was meant to hide, such as the Tomcat Manager application, can be reached through a path the proxy considers harmless: the proxy routes /docs/..;/manager/html as something under /docs/, while Tomcat serves it as /manager/html. To mitigate, configure the reverse proxy to reject any request path containing the Tomcat path-parameter character ; before it is routed, so such requests never reach Tomcat.
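The following is an added example written for this page, not Tomcat or nginx code. It reimplements the two normalization behaviours described above in a few lines so the mismatch can be seen on a concrete path, and shows the proxy-side check that closes it. The blocked prefixes, the nginx snippet in the comment and the sample paths are assumptions for illustration.

```python
"""Added example (not Tomcat or nginx code): why a reverse proxy and Tomcat disagree
about a path containing '..;', and the proxy-side check that closes the gap."""


def remove_dot_segments(path: str) -> str:
    """Dot-segment removal as a typical reverse proxy performs it (RFC 3986, 5.2.4).
    A ';' is an ordinary character here, so the segment '..;' is not treated as '..'."""
    out = []
    for seg in path.split("/")[1:]:  # paths in this example always start with '/'
        if seg == "..":
            if out:
                out.pop()
        elif seg != ".":
            out.append(seg)
    return "/" + "/".join(out)


def tomcat_normalize(path: str) -> str:
    """Tomcat's view of the same path: each segment's ';param' suffix (a path
    parameter) is dropped first, so '..;' becomes '..' and is then collapsed."""
    without_params = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    return remove_dot_segments(without_params)


BLOCKED_PREFIXES = ("/manager/", "/host-manager/")  # assumed: what the proxy must hide


def naive_proxy_allows(path: str) -> bool:
    """Proxy routing that only consults its own normalized form of the path."""
    return not remove_dot_segments(path).startswith(BLOCKED_PREFIXES)


def hardened_proxy_allows(path: str) -> bool:
    """Refuse any path containing the Tomcat path-parameter character before routing
    (nginx equivalent, illustrative: if ($request_uri ~ ";") { return 400; }).
    The percent-encoded form is refused as well; that costs nothing."""
    if ";" in path or "%3b" in path.lower():
        return False
    return naive_proxy_allows(path)


def served_by_tomcat(path: str) -> str:
    """The resource Tomcat actually serves once the proxy forwards the path unchanged."""
    return tomcat_normalize(path)


if __name__ == "__main__":
    probe = "/docs/..;/manager/html"
    print(naive_proxy_allows(probe), served_by_tomcat(probe))
    print(hardened_proxy_allows(probe))
```

Run it and the first line shows the proxy letting the request through while Tomcat resolves it to /manager/html; the hardened check refuses it outright. The same mismatch applies to any other application the proxy is fronting, which is why the fix is a blanket rejection of ; rather than a longer deny list.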

QID 150628: Apache Tomcat JsonErrorReportValve Injection Vulnerability (CVE-2022-45143)

CVE-ID: CVE-2022-45143
Severity: Level 3
CVSS 3.1: 7.5
CWE-ID: 74
Affected Versions: Apache Tomcat 10.1.0-M1 to 10.1.1
                   Apache Tomcat 9.0.40 to 9.0.68
                   Apache Tomcat 8.5.83

Description:

The JsonErrorReportValve, which can be configured in place of Tomcat's default HTML error page to render error responses as JSON, did not escape the type, message and description values it wrote into the JSON document. In some circumstances these values are built from user-supplied data, so a request could produce invalid JSON or inject additional content into the error response. The valve is not enabled by default; only deployments that have added it to server.xml or context.xml are exposed.

Users of affected versions should upgrade to Apache Tomcat 10.1.2, 9.0.69 or 8.5.84, which escape these values correctly. Until then, removing the JsonErrorReportValve from the configuration eliminates the exposure.
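As a practitioner check, the following added example (not Tomcat code) decides whether a reported Tomcat version falls inside the advisory's ranges, including the milestone builds of the 10.1 branch, and inspects a server.xml document for the valve that makes the flaw reachable. The sample server.xml is constructed for the example; the valve class name is the real one.

```python
"""Added example (not Tomcat code): version-range check for CVE-2022-45143 with
milestone handling, plus a server.xml check for the JsonErrorReportValve."""
import re
import xml.etree.ElementTree as ET

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
_FINAL = 10**9  # sentinel so that 10.1.0-M1 < 10.1.0-M2 < 10.1.0


def parse_version(v: str):
    """'9.0.68' -> (9, 0, 68, _FINAL); '10.1.0-M1' -> (10, 1, 0, 1). Milestones sort first."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognized Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else _FINAL)


# Inclusive ranges from the Tomcat advisory for CVE-2022-45143
AFFECTED_RANGES = (("10.1.0-M1", "10.1.1"), ("9.0.40", "9.0.68"), ("8.5.83", "8.5.83"))
FIXED_BY_BRANCH = {(10, 1): "10.1.2", (9, 0): "9.0.69", (8, 5): "8.5.84"}


def is_affected(version: str) -> bool:
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def fixed_version(version: str):
    """Fix release on the same branch, or None for a branch the advisory does not cover."""
    major, minor, *_ = parse_version(version)
    return FIXED_BY_BRANCH.get((major, minor))


JSON_VALVE = "org.apache.catalina.valves.JsonErrorReportValve"


def json_valve_configured(server_xml: str) -> bool:
    """True when any <Valve> element (Engine, Host or Context level) enables the valve."""
    root = ET.fromstring(server_xml)
    return any(v.get("className") == JSON_VALVE for v in root.iter("Valve"))


# Constructed server.xml with the valve enabled at Host level
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.JsonErrorReportValve"/>
      </Host>
    </Engine>
  </Service>
</Server>"""


def assess(version: str, server_xml: str) -> str:
    """Combine the two signals into the verdict a scanner report would carry."""
    if not is_affected(version):
        return "not affected"
    if not json_valve_configured(server_xml):
        return f"affected version, valve not enabled; upgrade to {fixed_version(version)}"
    return f"exposed; upgrade to {fixed_version(version)}"


if __name__ == "__main__":
    for v in ("10.1.0-M1", "9.0.68", "8.5.84"):
        print(v, assess(v, SAMPLE_SERVER_XML))
```

The milestone sentinel is the detail that matters: a naive string or tuple comparison would place 10.1.0-M1 after 10.1.0 and miss the first affected build. The valve can also be declared in a web application's context.xml, so a complete check runs json_valve_configured over those files as well.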

QID 150629: WordPress Ninja Forms Plugin: Unauthenticated PHP Object Injection Vulnerability

CVE-ID: No CVE
Severity: Level 4
CVSS 3.1: 9.8
CWE-ID: 502
Affected Versions: Ninja Forms prior to version 3.6.11

Description:

Ninja Forms is a widely used WordPress plugin for building custom forms. Affected versions let an unauthenticated attacker call any static method in the plugin by supplying untrusted data as merge tags in a request. Among the reachable methods is one that unserializes attacker-controlled content, which results in PHP object injection whenever a suitable gadget chain is present on the site.

Versions prior to 3.6.11 are affected, and successful exploitation can lead to arbitrary code execution on the web server. Upgrade to Ninja Forms 3.6.11 or later. For further detail, refer to the Ninja Forms security advisory.

QID 150633: WordPress Jetpack CRM Plugin: Stored Cross Site Scripting Vulnerability (CVE-2022-4497)

CVE-ID: CVE-2022-4497
Severity: Level 3
CVSS 3.1: 5.4
CWE-ID: 79
Affected Versions: The Jetpack CRM WordPress plugin before 5.5

Description:

Jetpack CRM adds contact and customer management to a WordPress site. Versions before 5.5 (that is, up to and including 5.4.4) do not sanitize some inputs or escape them on output, leaving the plugin open to stored cross-site scripting: a user with at least contributor-level access can store a script payload that executes in the browser of anyone who views the affected page, including administrators. Upgrade to Jetpack CRM 5.5 or later.

QID 150634: WordPress Royal Elementor Addons Plugin Prior to 1.3.60 Multiple Security Vulnerabilities

CVE-ID: CVE-2022-4700, CVE-2022-4701, CVE-2022-4702, CVE-2022-4703, CVE-2022-4704, CVE-2022-4705, CVE-2022-4707, CVE-2022-4708, CVE-2022-4709, CVE-2022-4710, CVE-2022-4711
Severity: Level 3
CVSS 3.1: 8.8
CWE-ID: 284, 79
Affected Versions: Royal Elementor Addons prior to version 1.3.60

Description:

Royal Elementor Addons is a widely installed extension for the Elementor page builder. A security audit found eleven vulnerabilities in versions before 1.3.60. Most of them are AJAX actions that any authenticated user, including a subscriber-level account, could invoke because the handlers lacked capability and nonce checks; one is a reflected cross-site scripting flaw.

The assigned CVEs are:

  • CVE-2022-4700: A flaw in the activation process of the recommended Royal Elementor Kit theme, which allowed any logged-in user to change a vulnerable site’s theme without proper capability or nonce checks.
  • CVE-2022-4701: The option to activate plugins such as ‘contact-form-7’, ‘media-library-assistant’, or ‘woocommerce’ was accessible to any logged-in user, though the impact of this vulnerability is quite minimal.
  • CVE-2022-4702: The ability to revert the site to a “compatible” state was available to any authenticated user, leading to potential deactivation of critical site functionality and security plugins.
  • CVE-2022-4703: The AJAX action used to delete imported content was accessible to any authenticated user, potentially leading to site availability issues.
  • CVE-2022-4704: The importation of preset templates was not protected by capability or nonce checks, allowing any authenticated user to import and overwrite existing templates.
  • CVE-2022-4705: The finalization of activation of preset site configurations was accessible to any authenticated user, though the impact of this vulnerability was lower.
  • CVE-2022-4707: The creation of new menu templates lacked a nonce check, allowing an attacker to trick a logged-in administrator into performing an action that would result in a menu template being created.
  • CVE-2022-4708: The saving of template conditions was accessible to any authenticated user.
  • CVE-2022-4709: The importation of templates from the plugin developers’ template library was accessible to any authenticated user without proper capability or nonce checks.
  • CVE-2022-4710: Reflected Cross-Site Scripting, due to insufficient input sanitization and output escaping of the ‘wpr_ajax_search_link_target’ parameter in the ‘data_fetch’ function.
  • CVE-2022-4711: The update of mega menu settings was accessible to any authenticated user without proper capability or nonce checks.

It is crucial for users of Royal Elementor addons to take action and update their installations to version 1.3.60 or later to protect their sites from these vulnerabilities. The developers of Royal Elementor Addons have released a patch that addresses these security issues and users are strongly encouraged to update as soon as possible.

Reference: https://www.wordfence.com/blog/2023/01/eleven-vulnerabilities-patched-in-royal-elementor-addons/

QID 150637: Oracle WebLogic Server Multiple Vulnerabilities (CPUJAN2023)

CVE-ID: CVE-2023-21842, CVE-2023-21841, CVE-2023-21839, CVE-2023-21838, CVE-2023-21837
Severity: Level 3
CVSS 3.1: 7.5
CWE-ID: No CWEs
Affected Versions: Oracle WebLogic Server, version(s) 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0

Description:

Oracle WebLogic Server, formerly BEA WebLogic Server, is a Java EE application server widely used to host enterprise applications and services. Oracle's January 2023 Critical Patch Update addresses five vulnerabilities in the Core component of WebLogic Server versions 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0, rated up to CVSS 7.5 and reachable by an unauthenticated attacker with network access to the T3 or IIOP protocol.

Successful exploitation can give an attacker unauthorized access to critical data held by the server or disrupt the applications it hosts; WebLogic flaws of this kind are routinely chained into a full compromise of the instance.

Apply the CPUJAN2023 patches to affected installations without delay. As an interim measure, restrict the T3 and IIOP listeners to trusted networks; they rarely need to be reachable from the internet. Details of the patches and their installation are in Oracle's Critical Patch Update advisory (CPUJAN2023).

QID 150638: WordPress Ninja Forms Plugin: Deserialization Vulnerability (CVE-2022-2903)

CVE-ID: CVE-2022-2903
Severity: Level 4
CVSS 3.1: 7.2
CWE-ID: 502
Affected Versions: Ninja Forms prior to version 3.6.13

Description:

Ninja Forms versions before 3.6.13 unserialize the contents of imported form files without validation. If an administrator imports a crafted file, for instance a form export obtained from an untrusted source, and a suitable gadget chain exists on the site, the resulting PHP object injection can lead to arbitrary code execution on the web server.

Upgrade to Ninja Forms 3.6.13 or later, and treat form exports from third parties as untrusted input. For more detail, refer to the WPScan advisory.

QID 150639: WordPress Booster for Woocommerce Plugin: Reflected Cross-Site Scripting Vulnerability (CVE-2022-4227)

CVE-ID: CVE-2022-4227
Severity: Level 3
CVSS 3.1: 7.2
CWE-ID: 79
Affected Versions: The Booster for WooCommerce WordPress plugin before 6.0.0

Description:

Booster for WooCommerce is a WordPress plugin designed to enhance the functionality of the popular e-commerce platform, WooCommerce. By providing a suite of customizable modules, site owners have the ability to tailor the plugin to their specific needs.

Versions before 6.0.0 do not sufficiently sanitize and escape certain URLs and parameters before writing them back into HTML attributes, which results in reflected cross-site scripting. An attacker who lures a logged-in user, typically an administrator, into opening a crafted link can run script in that user's session and act with the user's privileges on the site.

Upgrade Booster for WooCommerce to version 6.0.0 or later. For more information, refer to the WPScan security advisory.

QID 150640: Apache HTTP Server Prior to 2.4.55 Multiple Security Vulnerabilities

CVE-ID: CVE-2022-36760, CVE-2022-37436, CVE-2006-20001
Severity: Level 3
CVSS 3.1: 9
CWE-ID: 444, 113
Affected Versions: Apache HTTP Server version from 2.4.0 to 2.4.54

Description:

Apache HTTP Server 2.4.55 fixes three vulnerabilities present in releases 2.4.0 through 2.4.54: CVE-2022-36760, CVE-2022-37436 and CVE-2006-20001. Two of them sit in the proxy modules and matter only for deployments that forward requests to backends; the third requires mod_dav to be enabled.

  • CVE-2006-20001 (mod_dav, rated moderate): a carefully crafted If: request header can cause a memory read, or a write of a single zero byte, at a pool (heap) location beyond the end of the header value sent. An attacker can crash the server by sending such a header.
  • CVE-2022-36760 (mod_proxy_ajp, rated moderate): inconsistent interpretation of HTTP requests ('HTTP Request Smuggling') lets an attacker smuggle requests to the AJP backend that mod_proxy_ajp forwards to.
  • CVE-2022-37436 (mod_proxy, rated low): a malicious backend can cause the response headers to be truncated early, so the remaining headers are delivered to the client as part of the response body. Headers with a security purpose that land in the body, such as Content-Security-Policy or the flags on Set-Cookie, are not interpreted by the client.

All three are fixed in Apache HTTP Server 2.4.55. Qualys WAS recommends upgrading to the latest version; where mod_dav or mod_proxy_ajp are not needed, disabling them removes the exposure until the upgrade is done.
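The header-truncation issue above is easy to miss from a scanner's viewpoint because the response still parses. The following added example (not Apache code) shows a check a scanner signature could apply: parse a raw response as the client sees it and report header-shaped lines at the start of the body, which is what a prematurely terminated header block looks like. Both sample responses are constructed for the example.

```python
"""Added example (not Apache code): detect a response whose header block ended early,
leaving later headers, including security headers, as body text the client ignores."""
import re

# Constructed: what a client receives if the proxy ended the headers after Content-Type.
SAMPLE_TRUNCATED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n"
    b"Content-Security-Policy: default-src 'self'\r\n"
    b"Set-Cookie: session=abc123; HttpOnly; Secure\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>"
)
# Constructed: the same response delivered correctly.
SAMPLE_CLEAN = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>"
)

# A header field line: RFC 7230 token, ':', optional whitespace, value.
_HEADER_LINE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[ \t]*[^\r\n]*$")
SECURITY_HEADERS = {
    "strict-transport-security", "content-security-policy", "x-frame-options",
    "x-content-type-options", "set-cookie", "cache-control",
}


def split_response(raw: bytes):
    """Parse the client's view of a response: status line, header dict, body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def leaked_header_names(raw: bytes):
    """Header-shaped lines at the very start of the body are the signature of a header
    block terminated too early; stop at the first line that is not header-shaped."""
    _, _, body = split_response(raw)
    names = []
    for line in body.split(b"\r\n"):
        if not _HEADER_LINE.match(line):
            break
        names.append(line.split(b":", 1)[0].strip().lower().decode("latin-1"))
    return names


def lost_security_headers(raw: bytes):
    """Security-relevant headers the client will not enforce because they are body text."""
    return [name for name in leaked_header_names(raw) if name in SECURITY_HEADERS]


if __name__ == "__main__":
    print(lost_security_headers(SAMPLE_TRUNCATED))
    print(lost_security_headers(SAMPLE_CLEAN))
```

The check has an obvious false positive: a text/plain body that legitimately begins with "Name: value" lines. In a scanner, gate it on the declared Content-Type (HTML, JSON, XML) and on the leaked names being well-known header names before raising a finding.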

QID 150641: Cacti Unauthenticated Command Injection Vulnerability (CVE-2022-46169)

CVE-ID: CVE-2022-46169
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 74, 77
Affected Versions: Cacti prior to version 1.2.23

Description:

Cacti is an open-source, web-based network monitoring and graphing framework. In versions before 1.2.23, remote_agent.php, the endpoint that remote pollers use to exchange data with the main server, authorizes a caller by its client address, and affected versions take that address from the X-Forwarded-For header when one is present. An unauthenticated attacker can therefore claim the address of a trusted poller. The endpoint's polldata action then passes the request's poller_id parameter into a shell command without escaping it, so arbitrary commands execute with the web server's privileges whenever a data source of the script-server (PHP script) type is selected for any monitored device, which is the "specific data source" condition in the advisory.

Upgrade to Cacti 1.2.23 or later. The Cacti security advisory contains further detail. Cacti should not be reachable from untrusted networks in any case, and a web server or proxy in front of it should overwrite rather than pass through a client-supplied X-Forwarded-For header.
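For detection after the fact, the following added example (not Cacti code) scans constructed web server access-log lines for polldata requests to remote_agent.php that either come from an address that is not a known poller or carry non-numeric values in parameters Cacti expects to be integers. The poller address list and the log lines are assumptions made for the example; a real deployment takes the addresses from its Cacti configuration.

```python
"""Added example (not Cacti code): flag access-log entries that look like abuse of
remote_agent.php's polldata action. Log lines and poller list are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

KNOWN_POLLERS = {"10.0.0.5"}  # assumed addresses of legitimate remote pollers

# Constructed Apache combined-format lines: a real poller, an injection attempt,
# an unrelated request, and a probe with well-formed parameters from a stranger.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2023:10:15:02 +0000] "GET /cacti/remote_agent.php?action=polldata&poller_id=2&host_id=3&local_data_ids[]=6 HTTP/1.1" 200 512 "-" "Cacti/1.2"
203.0.113.7 - - [10/Jan/2023:10:15:09 +0000] "GET /cacti/remote_agent.php?action=polldata&poller_id=1%3Bid&host_id=1&local_data_ids[]=6 HTTP/1.1" 200 611 "-" "python-requests/2.28"
198.51.100.4 - - [10/Jan/2023:10:15:11 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 4402 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2023:10:15:20 +0000] "GET /cacti/remote_agent.php?action=polldata&poller_id=1&host_id=1&local_data_ids[]=6 HTTP/1.1" 403 0 "-" "curl/7.86.0"
"""

_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
_NUMERIC_PARAMS = ("poller_id", "host_id", "local_data_ids[]")


def analyze_line(line: str, known_pollers=KNOWN_POLLERS):
    """Return a finding for a suspicious polldata request, or None."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/remote_agent.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    if params.get("action", [""])[0] != "polldata":
        return None
    reasons = []
    if m.group("ip") not in known_pollers:
        # Affected versions trust X-Forwarded-For for authorization; the log's real
        # peer address is what exposes a spoofed poller.
        reasons.append(f"polldata from non-poller address {m.group('ip')}")
    for key in _NUMERIC_PARAMS:
        for value in params.get(key, []):
            if not value.isdigit():  # shell metacharacters or blanks never belong here
                reasons.append(f"non-numeric {key}={value!r}")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "status": int(m.group("status")), "reasons": reasons}


def suspicious_requests(log_text: str, known_pollers=KNOWN_POLLERS):
    """All findings for a block of log text, in order of appearance."""
    findings = (analyze_line(line, known_pollers) for line in log_text.splitlines())
    return [f for f in findings if f]


if __name__ == "__main__":
    for finding in suspicious_requests(SAMPLE_LOG):
        print(finding)
```

Note that a 200 on the injection attempt is not proof of success, and a 403 on the last line is not proof of failure: the endpoint's own authorization decision happens after the log's peer address is recorded and depends on the spoofed header, which standard access logs do not capture. Adding %{X-Forwarded-For}i to the log format makes the spoofing itself visible.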

QID 154128: WordPress Unauthenticated Blind SSRF Via DNS Rebinding Vulnerability (CVE-2022-3590)

CVE-ID: CVE-2022-3590
Severity: Level 3
CVSS 3.1: 5.9
CWE-ID: 367, 918
Affected Versions: WordPress versions 6.1.1 and prior

Description:

WordPress, the free and open-source content management system, is affected by a blind server-side request forgery (SSRF) in its pingback handling. When pingback.ping is invoked over XML-RPC, WordPress resolves the target hostname and checks that it does not point at an internal address, then issues the HTTP request, which resolves the name a second time. An attacker who controls the target's DNS can answer the first lookup with a public address and the second with an internal one (DNS rebinding), so the request reaches hosts on the server's internal network. This is a time-of-check to time-of-use (TOCTOU) race between the validation and the request. The attacker does not see the response, which is why the SSRF is blind and the score is 5.9 rather than critical.

WordPress 6.1.1 and all earlier versions were affected when this QID was released, and no fixed release was available at that time. Until a fix ships, disable XML-RPC pingbacks (or XML-RPC altogether) where they are not needed, and do not rely on network position alone to protect internal services from the web server. For more information, refer to the blog.sonarsource.com write-up and the WPScan security advisory.
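The race above generalizes to any SSRF filter that validates a hostname and then lets the HTTP client resolve it again. The following added example (not WordPress code) reproduces that gap with a constructed resolver that answers differently on each lookup, then shows the resolve-once-and-pin pattern that removes it. The resolver, the fake HTTP client and the hostnames are stand-ins so the example runs offline.

```python
"""Added example (not WordPress code): the time-of-check/time-of-use gap behind a
DNS-rebinding SSRF, and the resolve-once-then-pin fix. Resolver and HTTP client are
constructed stand-ins so that the example runs without network access."""
import ipaddress
from urllib.parse import urlsplit


class RebindingResolver:
    """Answers each successive lookup with the next address in the list, which is
    what an attacker-controlled zone with a very short TTL does during rebinding."""

    def __init__(self, answers):
        self._answers = list(answers)
        self.lookups = 0

    def resolve(self, hostname: str) -> str:
        answer = self._answers[min(self.lookups, len(self._answers) - 1)]
        self.lookups += 1
        return answer


def is_public(addr: str) -> bool:
    """Reject loopback, RFC 1918, link-local (cloud metadata) and other non-global ranges."""
    return ipaddress.ip_address(addr).is_global


def fake_http_get(connect_addr: str, host_header: str, path: str) -> dict:
    """Stand-in for the network layer: records where the TCP connection really went."""
    return {"connected_to": connect_addr, "host": host_header, "path": path}


def vulnerable_fetch(url: str, resolver: RebindingResolver) -> dict:
    """The flawed pattern: validate the target with one lookup, then hand the hostname
    to the HTTP client, which performs its own lookup. The second answer can differ."""
    u = urlsplit(url)
    if not is_public(resolver.resolve(u.hostname)):  # the check
        raise ValueError("target resolves to a non-public address")
    addr = resolver.resolve(u.hostname)  # the use: a separate lookup by the client
    return fake_http_get(addr, u.hostname, u.path or "/")


def pinned_fetch(url: str, resolver: RebindingResolver) -> dict:
    """Hardened: one lookup, validate that address, connect to that address and carry
    the original hostname only in the Host header. No later lookup can move the target."""
    u = urlsplit(url)
    addr = resolver.resolve(u.hostname)
    if not is_public(addr):
        raise ValueError("target resolves to a non-public address")
    return fake_http_get(addr, u.hostname, u.path or "/")


if __name__ == "__main__":
    attack = ["93.184.216.34", "127.0.0.1"]  # public on the first lookup, loopback on the second
    print(vulnerable_fetch("http://rebind.example/", RebindingResolver(attack))["connected_to"])
    print(pinned_fetch("http://rebind.example/", RebindingResolver(attack))["connected_to"])
```

Pinning only works if the HTTP client can connect to an IP while sending the original Host header (and SNI, for TLS), and every redirect must go through the same resolve-validate-pin step, since a redirect to an internal hostname reopens the gap.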

QID 154129: WordPress wp-cron Denial of Service (DoS) Vulnerability (CVE-2023-22622)

CVE-ID: CVE-2023-22622
Severity: Level 3
CVSS 3.1: 7.5
CWE-ID: 400
Affected Versions: WordPress versions 6.1.1 and prior

Description:

WordPress, the widely used open-source content management system written in PHP and backed by a MySQL or MariaDB database, runs its scheduled tasks through wp-cron.php, which is triggered by visitor page loads rather than by a system scheduler. The endpoint can also be requested directly, and WordPress does not limit how many cron runs it starts in response, so an attacker who sends a large number of requests to wp-cron.php can exhaust the server's CPU and database connections and deny service to legitimate users. To remediate, set define('DISABLE_WP_CRON', true); in wp-config.php so page loads and direct requests no longer start the scheduler, and invoke wp-cron.php from a system cron job at a fixed interval instead. For more information, refer to the Medium blog post describing the issue.

EOL/Obsolete Software Vulnerabilities:

A software component that is outdated and unsecured is a significant threat to the security of an application. It may contain known security vulnerabilities that remain unpatched due to a lack of maintenance, making the system vulnerable to attacks from hackers who could access sensitive data or take control of the system. Regular updates of software components are essential to maintain a strong security posture and protect against potential threats.

To help identify outdated software, Qualys WAS has added the following Microsoft IIS End of Life QIDs, which detect these unsupported versions:

QID      Title
520002   EOL/Obsolete Software: Microsoft Internet Information Services (IIS) 1.0 Detected
520003   EOL/Obsolete Software: Microsoft Internet Information Services (IIS) 2.0 Detected
520004   EOL/Obsolete Software: Microsoft Internet Information Services (IIS) 3.0 Detected
520005   EOL/Obsolete Software: Microsoft Internet Information Services (IIS) 4.0 Detected
520006   EOL/Obsolete Software: Microsoft Internet Information Services (IIS) 5.0 Detected
520007   EOL/Obsolete Software: Microsoft Internet Information Services (IIS) 5.1 Detected
520008   EOL/Obsolete Software: Microsoft Internet Information Services (IIS) 6.0 Detected
520009   EOL/Obsolete Software: Microsoft Internet Information Services (IIS) 7.0 Detected
520010   EOL/Obsolete Software: Microsoft Internet Information Services (IIS) 7.5 Detected

Microsoft no longer provides security updates for these IIS versions, so any vulnerability found in them stays unpatched. Upgrade to a supported version of Microsoft IIS, which in practice means a supported Windows Server release, to reduce that exposure.
