February 2023 Web Application Vulnerabilities Released

Hitesh Kadu

The Qualys Web Application Scanning (WAS) team recently issued an important update to its security signatures, designed to detect vulnerabilities in several popular software applications including WordPress, Control Web Panel 7 (CWP7), Grafana, Underscore.js, Atlassian Jira Server, dotCMS, and Joomla. These vulnerabilities, if left unpatched, can pose significant security threats such as data breaches, unauthorized access, and other malicious activities. To safeguard their networks and systems, organizations must conduct a thorough security review and promptly address any potential vulnerabilities.

QID     Title
150642  Control Web Panel 7 (CWP7) Unauthenticated Remote Code Execution (RCE) Vulnerability (CVE-2022-44877)
150643  Atlassian Jira Server and Data Center Server-Side Request Forgery (SSRF) Vulnerability (CVE-2022-26135)
150644  Grafana Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2022-23552)
150645  Grafana Spoofing originalUrl of snapshots Vulnerability (CVE-2022-39324)
150646  WordPress Booster for Woocommerce Plugin: Cross-Site Resource Forgery (CSRF) Vulnerability (CVE-2022-4017)
150647  dotCMS Authenticated Directory Traversal Vulnerability (CVE-2022-45783)
150648  dotCMS Denial of Service (DoS) Vulnerability (CVE-2022-37034)
150649  dotCMS Server-Side Request Forgery Vulnerability (CVE-2022-37033)
150650  Grafana Sensitive Information Disclosure Vulnerability (CVE-2022-23498)
150651  Joomla! Core Webservice Endpoints Improper access control Vulnerability (CVE-2023-23752)
150652  WordPress Clean Login Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2022-4838)
151020  Vulnerable JavaScript Library Detected – Underscore.js
154130  Joomla! Core Cross-Site Resource Forgery (CSRF) Vulnerability (CVE-2023-23750)
154131  Joomla! Core Incorrect Access Control Vulnerability (CVE-2023-23751)

QID 150642: Control Web Panel 7 (CWP7) Unauthenticated Remote Code Execution (RCE) Vulnerability (CVE-2022-44877)

CVE-ID: CVE-2022-44877
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 78
Affected Versions: Control Web Panel versions prior to 0.9.8.1147

Description:

Control Web Panel (CWP or CentOS Web Panel) is a free and user-friendly control panel for Linux servers and VPS software.

On January 3, 2023, a security researcher disclosed CVE-2022-44877, an unauthenticated remote code execution vulnerability in CWP that attackers could exploit to execute malicious commands on targeted systems. The vulnerability, fixed in an October 2022 release of CWP, results from operating system command injection via shell metacharacters in the “login” parameter of the “/login/index.php” endpoint.

It is highly recommended that customers update to Control Web Panel version 0.9.8.1147 or later to remediate this vulnerability. For more information on this issue, please refer to the CWP Changelog.

QID 150643: Atlassian Jira Server and Data Center Server-Side Request Forgery (SSRF) Vulnerability (CVE-2022-26135)

CVE-ID: CVE-2022-26135
Severity: Level 4
CVSS 3.1: 6.5
CWE-ID: 918
Affected Versions: versions after 8.0 and before 8.13.22; 8.14.x; 8.15.x; 8.16.x; 8.17.x; 8.18.x; 8.19.x; 8.20.x before 8.20.10; 8.21.x; 8.22.x before 8.22.4

Description:

Atlassian’s Jira is a proprietary issue-tracking product that offers essential functions such as bug and project management. However, a full-read server-side request forgery vulnerability exists in Jira’s Mobile Plugin, which is bundled with Jira and Jira Service Management. Any authenticated user, including those who have signed up, can exploit this vulnerability, which specifically affects the batch HTTP endpoint.

If exploited, remote attackers can gain access to sensitive data within the local network or send malicious requests to other servers from the compromised system. To mitigate this risk, customers are advised to upgrade to the latest version of Atlassian Jira Server and Data Center. For more information, refer to the Atlassian Jira Security Advisory.

QID 150644: Grafana Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2022-23552)

CVE-ID: CVE-2022-23552
Severity: Level 3
CVSS 3.1: 5.4
CWE-ID: 79
Affected Versions: Grafana versions from 8.1.0 to 8.5.16; from 9.0.0 to 9.2.10; from 9.3.0 to 9.3.4

Description:

Grafana is a popular multi-platform open-source analytics and visualization web application that provides charts, graphs, and alerts for various data sources. However, the GeoMap core plugin in some versions of Grafana contains a stored cross-site scripting (XSS) vulnerability that allows arbitrary JavaScript execution. An attacker with the Editor role can exploit it by changing a panel to include an external URL to a malicious SVG file or by loading an inline SVG file. If an Admin user views a dashboard containing this malicious JavaScript, the attacker can obtain the Admin user’s password, allowing for vertical privilege escalation. Successful exploitation could allow an attacker to execute arbitrary JavaScript code or access sensitive browser-based information.

To remediate this vulnerability, customers are advised to upgrade their Grafana installations to a later version. For more information on this vulnerability, please refer to the GitHub Advisory.

QID 150645: Grafana Spoofing originalUrl of snapshots Vulnerability (CVE-2022-39324)

CVE-ID: CVE-2022-39324
Severity: Level 3
CVSS 3.1: 3.5
CWE-ID: 79
Affected Versions: Grafana prior to versions 8.5.16 and 9.2.8

Description:

Grafana is a popular open-source analytics and visualization web application that allows users to create charts, graphs, and alerts based on various data sources. A vulnerability has been discovered in affected versions of Grafana that could allow a malicious user to inject an attacker-controlled URL into the “Open original dashboard” button of a snapshot, enabling the execution of arbitrary JavaScript code in the context of the interface. This could potentially allow the attacker to gain access to sensitive information.

To remediate this vulnerability, customers are advised to upgrade to a later version of Grafana. For more information, refer to the GitHub Advisory.

QID 150646: WordPress Booster for Woocommerce Plugin: Cross-Site Resource Forgery (CSRF) Vulnerability (CVE-2022-4017)

CVE-ID: CVE-2022-4017
Severity: Level 4
CVSS 3.1: 8.8
CWE-ID: 352
Affected Versions: The Booster for WooCommerce WordPress plugin before 6.0.1

Description:

Booster for WooCommerce is a plugin designed to enhance the functionality of the WooCommerce platform. However, the plugin contains flawed or absent Cross-Site Request Forgery (CSRF) checks in multiple locations, which creates a security vulnerability. Attackers can use CSRF attacks to manipulate logged-in users into performing unwanted actions, leading to cross-site scripting (XSS) attacks that could inject HTML or JavaScript. This can lead to further attacks and the potential disclosure of sensitive information.

It is recommended that customers upgrade to Booster for WooCommerce 6.0.1 or later to address this vulnerability. For more information, please refer to the WPScan Security Advisory.

QID 150647: dotCMS Authenticated Directory Traversal Vulnerability (CVE-2022-45783)

CVE-ID: CVE-2022-45783
Severity: Level 4
CVSS 3.1: 6.5
CWE-ID: 22
Affected Versions: dotCMS versions 22.10.1 and below

Description:

dotCMS is a Java-based open source content management system designed to manage content and content-driven sites and applications. An authenticated directory traversal vulnerability in the dotCMS API can lead to remote code execution (RCE). The flaw is due to the acceptance and extraction of a zip file at the “/api/integrity/_fixconflictsfromremote” endpoint without adequate path traversal checks. An attacker can exploit this by sending a specially crafted zip file containing directory traversal characters in the file names, enabling them to extract the contents at an arbitrary path within the system. Admin-level privileges are required to exploit this vulnerability. Successful exploitation may allow a remote attacker to execute arbitrary code on the target system, potentially leading to a full compromise.
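The defence the paragraph above calls for is a per-entry path check before anything is written. The following is an added example, not dotCMS code: a small Python extractor that resolves each archive entry against the destination directory and rejects the whole archive if any entry would land outside it. The archive contents and the destination directory are constructed for the demonstration.

```python
from __future__ import annotations

import io
import os
import tempfile
import zipfile


def is_within_directory(base_dir: str, target_path: str) -> bool:
    """True only if target_path, fully resolved, still lies inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(target_path)
    return os.path.commonpath([base, target]) == base


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Extract an in-memory zip into dest_dir, refusing any entry that escapes it.

    Every entry name is checked before a single byte is written, so a
    malformed archive is rejected whole rather than half-extracted.
    """
    os.makedirs(dest_dir, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Absolute names, or names starting with a separator, never belong in an upload.
            if os.path.isabs(name) or name.startswith(("/", "\\")):
                raise ValueError(f"absolute path in archive entry: {name!r}")
            # Resolve the would-be destination and require it to stay under dest_dir.
            candidate = os.path.join(dest_dir, name)
            if not is_within_directory(dest_dir, candidate):
                raise ValueError(f"path traversal in archive entry: {name!r}")
        extracted = []
        for info in zf.infolist():
            zf.extract(info, dest_dir)
            extracted.append(info.filename)
    return extracted


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build a zip archive in memory; used here only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> dict[str, object]:
    """Run the check on one benign and one traversing archive (both constructed samples)."""
    dest = tempfile.mkdtemp(prefix="safe-extract-")
    benign = build_zip({"bundle/data.json": b"{}", "bundle/readme.txt": b"ok"})
    traversing = build_zip({"../../outside.txt": b"should never be written"})
    result: dict[str, object] = {"benign": safe_extract(benign, dest)}
    try:
        safe_extract(traversing, dest)
        result["traversal_rejected"] = False
    except ValueError:
        result["traversal_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The check uses `os.path.realpath` on both sides so that symlinked destination directories and `..` components are compared after resolution, and `os.path.commonpath` rather than a string-prefix test so that a sibling directory with a longer name (`/srv/application` next to `/srv/app`) is not mistaken for a child.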

Customers are strongly advised to upgrade to the latest version of dotCMS to address this vulnerability. For additional information on this issue, please consult the SI-67 advisory.

QID 150648: dotCMS Denial of Service (DoS) Vulnerability (CVE-2022-37034)

CVE-ID: CVE-2022-37034
Severity: Level 3
CVSS 3.1: 5.3
CWE-ID: 674
Affected Versions: dotCMS versions from 5.2.0 to 22.10

Description:

dotCMS is a popular open-source content management system that is widely used for managing content and content-driven websites and applications. However, a vulnerability has been discovered that could result in a denial of service attack. The vulnerability is caused by the repeated invocation of the TempFileResource, which can cause the dotCMS server to download a large file each time. This can lead to the exhaustion of the Tomcat Request Thread pool, resulting in a denial of service for all other requests.

To mitigate this risk, dotCMS users are strongly recommended to upgrade to the latest version of the software. Doing so will eliminate the vulnerability and ensure that the dotCMS platform is protected against this type of attack.

For more information on this issue and how to protect your dotCMS instance, please refer to SI-65.

QID 150649: dotCMS Server-Side Request Forgery Vulnerability (CVE-2022-37033)

CVE-ID: CVE-2022-37033
Severity: Level 3
CVSS 3.1: 6.5
CWE-ID: 918
Affected Versions: dotCMS versions from 5.2.0 to 22.06

Description:

dotCMS is a popular open source content management system that allows users to manage content and content-driven applications. Recently, a vulnerability was discovered in the dotCMS TempFileAPI that could potentially allow remote attackers to send malicious HTTP requests and cause the web server to initiate requests to arbitrary systems.

The issue occurs due to the TempFileAPI’s ability to create temporary files based on a specified URL. Although dotCMS tries to prevent access to URLs containing local IP addresses or private subnets, the TempFileAPI will follow any 302 redirects returned by the remote URL. Attackers can exploit this by creating a URL that returns a 302 redirect to a local resource, such as https://elasticsearch:9200, which dotCMS will attempt to retrieve without re-validating the redirect URL. This can result in the TempFileAPI returning data from local/private IPs that should not be accessible remotely.
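The flaw described above is a validation that runs once, on the URL the caller supplied, and not again on the `Location` the remote server answers with. The following is an added example, not dotCMS code, of a fetcher that follows redirects itself and re-runs the host check on every hop. The DNS table and the set of fake sites are constructed fixtures so the logic runs offline; the only name taken from the advisory text is `elasticsearch:9200`.

```python
from __future__ import annotations

import ipaddress
import socket
from typing import Callable
from urllib.parse import urljoin, urlparse

# A response is (status, headers, body). The transport that produces it is pluggable
# so the redirect-handling logic can be exercised without network access.
Response = tuple[int, dict[str, str], bytes]
Transport = Callable[[str], Response]
Resolver = Callable[[str], list[str]]


def resolve_addresses(hostname: str) -> list[str]:
    """Real DNS lookup: every address the name maps to, v4 and v6."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


def is_blocked_address(addr: str) -> bool:
    """Reject anything not globally routable (RFC 1918, loopback, link-local, ...)."""
    ip = ipaddress.ip_address(addr)
    return not ip.is_global or ip.is_multicast


def validate_url(url: str, resolve: Resolver = resolve_addresses) -> None:
    """Raise ValueError unless url is http(s) and its host resolves only to public addresses."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"disallowed scheme: {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise ValueError("missing host")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: no lookup needed
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        raise ValueError(f"unresolvable host: {host!r}")
    for addr in addrs:
        if is_blocked_address(addr):
            raise ValueError(f"{host!r} resolves to non-public address {addr}")


def fetch(url: str, transport: Transport, resolve: Resolver = resolve_addresses,
          max_redirects: int = 5) -> Response:
    """Fetch url, following redirects by hand so that every hop passes validate_url."""
    current = url
    for _ in range(max_redirects + 1):
        validate_url(current, resolve)  # re-run on each hop, including after a 302
        status, headers, body = transport(current)
        if status in (301, 302, 303, 307, 308):
            location = headers.get("Location")
            if not location:
                raise ValueError("redirect without Location header")
            current = urljoin(current, location)
            continue
        return status, headers, body
    raise ValueError(f"more than {max_redirects} redirects")


# Constructed fixtures (not real hosts): a public file host that answers one path
# with a 302 pointing at the internal search cluster named in the advisory text.
FAKE_DNS = {"files.example.com": ["93.184.216.34"], "elasticsearch": ["10.0.0.5"]}
FAKE_SITES: dict[str, Response] = {
    "https://files.example.com/report.csv": (200, {"Content-Type": "text/csv"}, b"a,b\n1,2\n"),
    "https://files.example.com/bounce": (302, {"Location": "https://elasticsearch:9200/"}, b""),
    "https://elasticsearch:9200/": (200, {"Content-Type": "application/json"}, b'{"internal": true}'),
}


def fake_resolve(hostname: str) -> list[str]:
    return FAKE_DNS.get(hostname, [])


def fake_transport(url: str) -> Response:
    return FAKE_SITES.get(url, (404, {}, b""))


def demo() -> dict[str, object]:
    """A direct public fetch succeeds; the redirected fetch is stopped at the second hop."""
    result: dict[str, object] = {}
    result["direct_status"] = fetch("https://files.example.com/report.csv", fake_transport, fake_resolve)[0]
    try:
        fetch("https://files.example.com/bounce", fake_transport, fake_resolve)
        result["redirect_blocked"] = False
    except ValueError as exc:
        result["redirect_blocked"] = True
        result["reason"] = str(exc)
    return result


if __name__ == "__main__":
    print(demo())
```

Two caveats a reviewer would raise on real code of this shape: resolving a name and then letting the HTTP client resolve it again leaves a DNS-rebinding window, so a production fetcher should connect to the address it validated; and the transport must have its own automatic redirect following disabled, otherwise the library silently performs the hop this function was written to inspect.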

If exploited successfully, the vulnerability lets remote attackers cause the web server to initiate requests to arbitrary systems. Customers are therefore recommended to upgrade to the latest version of dotCMS to remediate this vulnerability.

For further information regarding this issue, please refer to SI-64. It is crucial for organizations to stay up to date with the latest security patches and upgrades to ensure that their systems remain secure and protected against potential threats.

QID 150650: Grafana Sensitive Information Disclosure Vulnerability (CVE-2022-23498)

CVE-ID: CVE-2022-23498
Severity: Level 4
CVSS 3.1: 8.8
CWE-ID: 200
Affected Versions: Grafana versions from 8.3.1 to 9.2.7; from 9.3.0 to 9.3.2

Description:

Grafana is an open-source platform that provides real-time analytics, monitoring, and interactive visualizations for various data sources. Its datasource query caching feature, which caches all headers including session cookie rotation headers, creates a security vulnerability. A malicious actor could potentially receive the cached session cookie of another user, if the first response to a datasource query contained a session cookie rotation header. This vulnerability could allow an unauthorized attacker to gain access to sensitive information. It is recommended that users upgrade to the latest version of Grafana to mitigate this vulnerability.
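The failure mode above is a shared response cache that stores upstream headers verbatim, so a `Set-Cookie` meant for the first requester is replayed to everyone who hits the same cache entry. The following is an added example, not Grafana's caching code: a minimal shared query cache in Python with a header filter applied on the way in, alongside a flag that reproduces the unfiltered behaviour for comparison. The upstream response and its cookie value are constructed samples.

```python
from __future__ import annotations

import time
from typing import Callable, Optional

# Response headers that belong to one user or one connection. A shared cache must
# drop them before storing, or the next user to hit the entry receives them.
UNCACHEABLE_HEADERS = frozenset({
    "set-cookie", "set-cookie2", "authorization", "www-authenticate",
    "proxy-authenticate", "connection", "keep-alive", "transfer-encoding",
})

Headers = dict[str, str]
CachedResponse = tuple[int, Headers, bytes]


def sanitize_headers(headers: Headers) -> Headers:
    """Return a copy of headers with user- and connection-specific entries removed."""
    return {k: v for k, v in headers.items() if k.lower() not in UNCACHEABLE_HEADERS}


class QueryCache:
    """Response cache shared by all users, keyed by (datasource, query), with TTL expiry."""

    def __init__(self, ttl_seconds: float, clock: Callable[[], float] = time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested without sleeping
        self._store: dict[tuple[str, str], tuple[float, int, Headers, bytes]] = {}

    def put(self, datasource: str, query: str, status: int, headers: Headers,
            body: bytes, store_all_headers: bool = False) -> None:
        """Store a response. store_all_headers=True reproduces the flawed behaviour."""
        if "no-store" in headers.get("Cache-Control", "").lower():
            return
        stored = dict(headers) if store_all_headers else sanitize_headers(headers)
        self._store[(datasource, query)] = (self._clock() + self._ttl, status, stored, body)

    def get(self, datasource: str, query: str) -> Optional[CachedResponse]:
        entry = self._store.get((datasource, query))
        if entry is None:
            return None
        expires, status, headers, body = entry
        if self._clock() >= expires:
            del self._store[(datasource, query)]
            return None
        return status, dict(headers), body


def demo() -> dict[str, bool]:
    """User A's query answer carried a session-rotation cookie; user B then hits the cache."""
    # Constructed upstream response; the cookie value is a placeholder, not a real session.
    upstream_headers = {
        "Content-Type": "application/json",
        "Set-Cookie": "session=ROTATED-SESSION-OF-USER-A; Path=/; HttpOnly; Secure",
    }
    body = b'{"results": {"A": {"frames": []}}}'

    flawed = QueryCache(ttl_seconds=60)
    flawed.put("prometheus", "up", 200, upstream_headers, body, store_all_headers=True)
    fixed = QueryCache(ttl_seconds=60)
    fixed.put("prometheus", "up", 200, upstream_headers, body)

    _, leaked_headers, _ = flawed.get("prometheus", "up")
    _, clean_headers, _ = fixed.get("prometheus", "up")
    return {
        "flawed_replays_cookie": "Set-Cookie" in leaked_headers,
        "fixed_replays_cookie": "Set-Cookie" in clean_headers,
        "fixed_keeps_content_type": clean_headers.get("Content-Type") == "application/json",
    }


if __name__ == "__main__":
    print(demo())
```

The filter is a deny-list of header names that are never safe to share; the cache also honours `Cache-Control: no-store` so an upstream that marks a response as private is not cached at all. The stored headers are copied on both `put` and `get` so that a caller mutating the returned dictionary cannot alter what later callers receive.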

QID 150651: Joomla! Core Webservice Endpoints Improper access control Vulnerability (CVE-2023-23752)

CVE-ID: CVE-2023-23752
Severity: Level 4
CVSS 3.1: 5.3
CWE-ID: 284
Affected Versions: Joomla! versions 4.0.0 to 4.2.7

Description:

Joomla, a popular content management system (CMS), has recently been found to have a serious security vulnerability that could compromise the web application. The vulnerability exists due to improper access restrictions on web service endpoints: Joomla’s access control for these endpoints is flawed, so an unauthenticated attacker can reach the RestAPI interface by sending specially crafted requests and obtain sensitive information about Joomla’s configuration and the target application.

It is recommended that all users of Joomla upgrade to the latest version, 4.2.8, to mitigate the risks associated with this vulnerability. This is particularly important for those who use Joomla for their website, as the vulnerability can have serious consequences for their business operations. The security community has warned that the PoC and details of the vulnerability have been made public, and attackers are likely to exploit this vulnerability on unpatched systems. Therefore, it is imperative that Joomla users take protective measures as soon as possible to avoid falling victim to attacks.

QID 150652: WordPress Clean Login Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2022-4838)

CVE-ID: CVE-2022-4838
Severity: Level 3
CVSS 3.1: 5.4
CWE-ID: 79
Affected Versions: The Clean Login WordPress plugin before 1.13.7

Description:

Clean Login is a popular WordPress plugin that provides a customizable and secure login page for WordPress sites. Unfortunately, the plugin has been found to contain a serious security vulnerability that could be exploited by attackers with a low-level user role, such as a contributor. The vulnerability lies in the plugin’s failure to properly validate and escape certain shortcode attributes before displaying them on the page, making it vulnerable to Stored Cross-Site Scripting (XSS) attacks. This vulnerability can be used to target high-privilege users such as admins and can result in the execution of arbitrary JavaScript code or unauthorized access to sensitive information.

To protect against this vulnerability, users are advised to upgrade to Clean Login version 1.13.7 or later. For more information on this vulnerability and how to remediate it, please refer to the WPScan Security Advisory.

QID 151020: Vulnerable JavaScript Library Detected – Underscore.js

CVE-ID: CVE-2021-23358
Severity: Level 3
CVSS 3.1: 7.2
CWE-ID: 937
Affected Versions: underscore from 1.13.0-0 and before 1.13.0-2; underscore from 1.3.2 and before 1.12.1

Description:

Underscore, a popular JavaScript library used for functional programming, has a security vulnerability. It allows attackers to inject arbitrary code through the template function when a variable property is passed as an argument, because that property is not sanitized. Successful exploitation of this vulnerability could result in arbitrary code execution on the target system. It is recommended that users upgrade to a patched version of the library as soon as possible to mitigate the risk of exploitation.

QID 154130: Joomla! Core Cross-Site Resource Forgery (CSRF) Vulnerability (CVE-2023-23750)

CVE-ID: CVE-2023-23750
Severity: Level 3
CVSS 3.1: 6.3
CWE-ID: 352
Affected Versions: Joomla CMS versions 4.0.0 to 4.2.6

Description:

Joomla! is a popular and widely used content management system for building and publishing websites. Unfortunately, an absence of proper token verification in the installed version of Joomla has led to a serious security vulnerability. This Cross-Site Request Forgery (CSRF) vulnerability occurs during the handling of post-installation messages, and if exploited, could allow attackers to execute arbitrary JavaScript code within the interface or access sensitive, browser-based information.

To protect your website, it is crucial that you install the latest version of Joomla, which contains the necessary security updates to address this vulnerability. For more information on this issue and how to update your Joomla installation, please refer to the official Joomla security advisory [20230101].

QID 154131: Joomla! Core Incorrect Access Control Vulnerability (CVE-2023-23751)

CVE-ID: CVE-2023-23751
Severity: Level 3
CVSS 3.1: 4.3
CWE-ID: 352
Affected Versions: Joomla! CMS versions 4.0.0 to 4.2.6

Description:

Joomla! is a widely used open-source content management system for building websites. Unfortunately, a vulnerability has been discovered in affected versions of Joomla that could allow unauthorized users to access sensitive information. The issue stems from a missing ACL check, which allows non-super-admin users to access com_actionlogs. If successfully exploited, attackers can use this access to carry out further attacks and obtain sensitive information.

To remediate this vulnerability, customers are advised to install the latest version of Joomla. For more information, please refer to the Joomla security advisory [20230102].

As with any software, it is important to keep Joomla up to date with the latest security patches to ensure the safety of your website and its visitors. Stay vigilant and keep your website protected from potential threats.
