March 2023 Web Application Vulnerabilities Released

Hitesh Kadu

The Qualys Web Application Scanning (WAS) team has released a crucial update to its security signatures, which now includes detection for vulnerabilities in several widely used software applications like PHP, phpMyAdmin, WordPress, ZK Framework, Grafana, Apache HTTP Server, Apache Tomcat Server, Microsoft Exchange Server, MinIO, and OpenSSL. If left unaddressed, these vulnerabilities could lead to serious security risks such as data breaches, unauthorized access, and other malicious activities. It is essential for organizations to perform a comprehensive security review and address any potential vulnerabilities to ensure the safety and security of their networks and systems.

QID     Title
150653  PHP Incorrect Calculation of Buffer Size Vulnerability (CVE-2023-0568)
150654  PHP Denial of Service Vulnerability (CVE-2023-0662)
150655  phpMyAdmin Cross Site Scripting (XSS) Vulnerability (CVE-2023-25727)
150656  WordPress ShopLentor Plugin: Multiple Vulnerabilities (CVE-2023-0231, CVE-2023-0232)
150657  ZK Framework – Authentication Bypass Vulnerability (CVE-2022-36537)
150658  WordPress All in One SEO Pack Plugin: Multiple Stored Cross-Site Scripting Vulnerabilities (CVE-2023-0585, CVE-2023-0586)
150659  Grafana Multiple Stored Cross-Site Scripting Vulnerabilities (CVE-2023-0594, CVE-2023-0507)
150660  Apache HTTP Server Prior to 2.4.56 Multiple Security Vulnerabilities
150661  WordPress WooCommerce PDF Invoices and Packing Slips Plugin: Cross-Site Request Forgery Vulnerability (CVE-2022-47148)
150662  Apache Tomcat Information Disclosure Vulnerability (CVE-2023-28708)
150663  PHP Buffer Overflow Vulnerability (CVE-2022-37454)
150664  Microsoft Exchange Server Multiple Vulnerabilities (ProxyNotShell) (CVE-2022-41040, CVE-2022-41082)
150665  MinIO Information Disclosure Vulnerability (CVE-2023-28432)
154132  WordPress Contact Form 7 Plugin: Unrestricted File Upload and Remote Code Execution (RCE) Vulnerability (CVE-2020-35489)
520011  Open Secure Sockets Layer (OpenSSL) Type Confusion Vulnerability (CVE-2023-0286)

QID 150653: PHP Incorrect Calculation of Buffer Size Vulnerability (CVE-2023-0568)

CVE-ID: CVE-2023-0568
Severity: Level 5
CVSS 3.1: 8.1
CWE-ID: 131, 770
Affected Versions:
  PHP versions from 8.0.0 to 8.0.27
  PHP versions from 8.1.0 before 8.1.15
  PHP versions from 8.2.0 before 8.2.2

Description:

PHP is a popular programming language that was originally designed for web-based applications with HTML content. It is widely used by a variety of web-based software applications and supports multiple platforms. However, a vulnerability has recently been discovered in PHP's core path resolution function that could potentially lead to unauthorized data access or modification.

The root cause is that the allocated buffer is one byte too small. When resolving paths with lengths close to the system's MAXPATHLEN setting, the byte immediately after the allocated buffer may be overwritten with a NUL value. This could allow an attacker to execute arbitrary code, steal sensitive information, or cause a denial-of-service condition.

To avoid such vulnerabilities, customers are strongly advised to upgrade to the latest version of PHP. Upgrading to the latest version will ensure that the vulnerability is fixed and your application remains secure. For more information on this issue, please refer to Sec Bug 81746.

QID 150654: PHP Denial of Service Vulnerability (CVE-2023-0662)

CVE-ID: CVE-2023-0662
Severity: Level 4
CVSS 3.1: 7.5
CWE-ID: 400
Affected Versions:
  PHP versions from 8.0.0 to 8.0.27
  PHP versions from 8.1.0 before 8.1.15
  PHP versions from 8.2.0 before 8.2.2

Description:

PHP is a widely used programming language for developing web-based applications with HTML content. However, a vulnerability has been discovered in PHP that could potentially lead to a Denial of Service (DoS) attack on the server.

This vulnerability is triggered when an HTTP form upload contains an excessive number of parts. Handling them consumes server resources and produces an excessive number of log entries, which in turn can exhaust CPU resources or disk space and result in a DoS condition on the server. To avoid such vulnerabilities, customers are strongly advised to upgrade to the latest version of PHP. Upgrading to the latest version will ensure that the vulnerability is fixed and your application remains secure. For more information, please refer to the GitHub Advisory.
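
As an added illustration of the mitigation class this advisory calls for (bounding the number of parts a multipart body may carry), the following Python is example code written for this post, not PHP's fix and not a Qualys signature. It walks the boundary delimiters of a multipart/form-data body and aborts as soon as a configurable part limit (MAX_PARTS, an assumed value) is exceeded, before any individual part is parsed or logged. The sample bodies are constructed inline by build_body.

```python
"""Bound the part count of a multipart/form-data body before parsing it (added example)."""

MAX_PARTS = 1000  # assumed limit for this example; tune it to what the application really needs


class TooManyParts(ValueError):
    """Raised as soon as the body exceeds the permitted number of parts."""


def count_multipart_parts(body: bytes, boundary: str, max_parts: int = MAX_PARTS) -> int:
    """Count parts by walking boundary delimiters; abort early once max_parts is exceeded.

    Only delimiter positions are inspected, so a body carrying thousands of parts is
    rejected without parsing (or writing a log entry about) each individual part.
    """
    first = b"--" + boundary.encode()
    delim = b"\r\n" + first  # every delimiter after the first is preceded by CRLF
    if not body.startswith(first):
        raise ValueError("body does not start with the declared boundary")
    count = 0
    pos = len(first)
    while True:
        # A delimiter followed by "--" is the closing delimiter; anything else opens a part.
        if body.startswith(b"--", pos):
            return count
        count += 1
        if count > max_parts:
            raise TooManyParts(f"more than {max_parts} parts in multipart body")
        nxt = body.find(delim, pos)
        if nxt < 0:
            raise ValueError("missing closing boundary delimiter")
        pos = nxt + len(delim)


def build_body(boundary: str, n_parts: int) -> bytes:
    """Construct a well-formed multipart/form-data body with n_parts text fields (test data)."""
    if n_parts == 0:
        return f"--{boundary}--\r\n".encode()
    parts = [
        f'--{boundary}\r\nContent-Disposition: form-data; name="field{i}"\r\n\r\nvalue{i}'.encode()
        for i in range(n_parts)
    ]
    return b"\r\n".join(parts) + f"\r\n--{boundary}--\r\n".encode()


def accept_upload(body: bytes, boundary: str, max_parts: int = MAX_PARTS) -> bool:
    """Gate for a request handler: True only if the body is within the part budget."""
    try:
        count_multipart_parts(body, boundary, max_parts)
        return True
    except TooManyParts:
        return False


if __name__ == "__main__":
    print(count_multipart_parts(build_body("B0undary", 3), "B0undary"))
    print(accept_upload(build_body("B0undary", 5000), "B0undary"))
```

The gate runs in time proportional to the limit, not to the body: once the 1001st delimiter is seen the request is refused, which is the property that keeps an oversized upload from turning into CPU and log-volume exhaustion.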

QID 150655: phpMyAdmin Cross-Site Scripting (XSS) Vulnerability (CVE-2023-25727)

CVE-ID: CVE-2023-25727
Severity: Level 3
CVSS 3.1: 5.4
CWE-ID: 79, 661
Affected Versions:
  phpMyAdmin versions prior to 4.9.11
  phpMyAdmin versions prior to 5.1.2

Description:

phpMyAdmin is a widely used tool for managing and administering databases such as MySQL and MariaDB. However, a vulnerability has been discovered in the tool that could potentially allow an attacker to execute arbitrary JavaScript code or access sensitive, browser-based information.

The vulnerability is triggered when an authenticated user uploads a specially crafted .sql file through the drag-and-drop interface, resulting in an XSS attack. As a workaround, the vulnerability can be mitigated by disabling the configuration directive $cfg['enable_drag_drop_import']. This prevents users from using the drag-and-drop upload feature, protecting against the vulnerability.

To ensure the security of your system, customers are strongly advised to upgrade to phpMyAdmin 5.2.1 or 4.9.11, or later versions. This upgrade will fix the vulnerability and ensure the safe management and administration of your databases. For more information regarding this vulnerability, please refer to the phpMyAdmin Security Advisory.

QID 150656: WordPress ShopLentor Plugin: Multiple Vulnerabilities (CVE-2023-0231, CVE-2023-0232)

CVE-ID: CVE-2023-0231, CVE-2023-0232
Severity: Level 4
CVSS 3.1: 9.8
CWE-ID: 502, 79
Affected Versions: ShopLentor prior to version 2.5.4

Description:

ShopLentor is a powerful WordPress plugin that enhances the functionality of WooCommerce stores with its advanced WooCommerce page builder for Elementor. However, multiple vulnerabilities have been discovered in the plugin that could potentially allow attackers to perform Stored Cross-Site Scripting attacks or even gain unauthorized access to sensitive data.

The first vulnerability, CVE-2023-0231, allows users with contributor-level access or higher to perform Stored Cross-Site Scripting attacks. This is due to the plugin’s failure to properly validate and escape certain block options. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the affected website.

The second vulnerability, CVE-2023-0232, involves the unserialization of user input from cookies, which is used to track viewed products and user data. This could lead to PHP Object Injection, potentially allowing attackers to gain unauthorized access to sensitive data, steal it, or take complete control of the affected website.
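
To make the second issue concrete, here is an added Python example written for this post; it is not the plugin's code, and ViewTracker, MAX_TRACKED and the cookie format are assumptions. Python's pickle stands in for PHP's unserialize(): both let the serialized data decide which class is instantiated and which of its hooks run. The weak parser hands the cookie straight to the deserializer; the hardened parser accepts only a JSON list of positive product ids, which is all a "recently viewed" cookie needs to carry.

```python
"""Untrusted cookie deserialization (CWE-502) next to a data-only parser (added example)."""
import base64
import json
import pickle
from typing import List

MAX_TRACKED = 50  # assumed upper bound on products a client may claim to have viewed

# Records every time deserialization instantiates ViewTracker. A real application class
# in this position might open files or run queries from a wakeup- or destructor-style hook.
INSTANTIATED: List[str] = []


class ViewTracker:
    """An ordinary application class; it never expects to be built from a cookie."""

    def __init__(self) -> None:
        self.marker = "created-by-application"

    def __setstate__(self, state: dict) -> None:
        INSTANTIATED.append("ViewTracker")  # the cookie, not the application, triggered this
        self.__dict__.update(state)


def weak_parse(cookie_value: str):
    """Vulnerable pattern: deserialize whatever the client sent."""
    return pickle.loads(base64.b64decode(cookie_value))


def safe_parse(cookie_value: str) -> List[int]:
    """Hardened pattern: fixed data-only format, explicit type and range checks, empty on any doubt."""
    try:
        data = json.loads(cookie_value)
    except ValueError:
        return []
    if not isinstance(data, list) or len(data) > MAX_TRACKED:
        return []
    ids: List[int] = []
    for item in data:
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(item, bool) or not isinstance(item, int) or item <= 0:
            return []
        ids.append(item)
    return ids


def forged_cookie() -> str:
    """A cookie value a client could send: it encodes an object, not a list of ids (constructed)."""
    return base64.b64encode(pickle.dumps(ViewTracker())).decode()


if __name__ == "__main__":
    print(safe_parse("[101, 202]"), safe_parse(forged_cookie()))
    weak_parse(forged_cookie())
    print(INSTANTIATED)
```

The point of the contrast is not the format but the trust boundary: safe_parse can only ever produce a list of integers, so no class in the application is reachable from the cookie, whereas weak_parse lets the client pick the class and run its hooks.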

To ensure the security of your WooCommerce store, it is strongly advised that users update to the latest version of the plugin immediately. This will remediate the vulnerabilities and prevent any potential attacks.

QID 150657: ZK Framework – Authentication Bypass Vulnerability (CVE-2022-36537)

CVE-ID: CVE-2022-36537
Severity: Level 4
CVSS 3.1: 7.5
CWE-ID: 200
Affected Versions:
  ZK Framework prior to version 8.6.4.1
  ZK Framework from 9.0.0 before version 9.0.1.3
  ZK Framework from 9.5.0 before version 9.5.1.3
  ZK Framework from 9.6.0 before version 9.6.2

Description:

ZK is an open-source Ajax Web application framework written in Java that enables the creation of graphical user interfaces for Web applications. Unfortunately, a security vulnerability has been identified in the ZK AuUploader servlets, which could potentially expose sensitive files to attackers.

The vulnerability allows an attacker to send a forged request to the /zkau/upload endpoint. If the request contains the nextURI parameter, the AuUploader will attempt to forward the request internally and output any documents it finds into the response. Since this is an internal forward, it can access documents located in the restricted WEB-INF folder, which includes files such as web.xml, zk.xml, and other files located in this directory.
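
The check a server-side forward needs, as an added Python example (not ZK's code; the ALLOWED_FORWARDS pages and the helper names are assumptions): a client-supplied next target is canonicalized, anything that resolves outside the application's public pages (absolute URLs, traversal, the WEB-INF and META-INF trees, encoded variants) is refused, and what remains must still be on an allowlist, which is the real gate.

```python
"""Validate a client-supplied forward target before an internal forward (added example)."""
import posixpath
from typing import Optional
from urllib.parse import unquote, urlsplit

# Container-private trees: a servlet container refuses direct requests for these, but an
# internal forward bypasses that protection, so the application must refuse them itself.
PROTECTED_PREFIXES = ("/web-inf/", "/meta-inf/")

# Assumed set of pages the upload flow is allowed to forward to.
ALLOWED_FORWARDS = {"/upload/done.zul", "/upload/error.zul"}


def canonical_forward_target(next_uri: str) -> Optional[str]:
    """Return a canonical server-relative path, or None if the value must not be forwarded to."""
    if not next_uri:
        return None
    decoded = unquote(next_uri)
    if "%" in decoded:  # a second layer of encoding: refuse rather than decode again
        return None
    if "\x00" in decoded or "\\" in decoded:
        return None
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:  # absolute or protocol-relative URL
        return None
    path = parts.path
    if not path.startswith("/") or path.startswith("//"):
        return None
    canonical = posixpath.normpath(path)  # collapses "." and ".." segments
    low = canonical.lower()
    if low.startswith(PROTECTED_PREFIXES) or low + "/" in PROTECTED_PREFIXES:
        return None
    return canonical


def is_allowed_forward(next_uri: str) -> bool:
    """The gate a handler should use: the canonical form must be on the allowlist."""
    canonical = canonical_forward_target(next_uri)
    return canonical is not None and canonical in ALLOWED_FORWARDS


if __name__ == "__main__":
    for candidate in ("/upload/done.zul", "/WEB-INF/web.xml", "/upload/../WEB-INF/zk.xml"):
        print(candidate, "->", canonical_forward_target(candidate), is_allowed_forward(candidate))
```

The prefix denylist is defense in depth only; the allowlist is what actually prevents a forward from reaching a resource the application never intended to expose.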

Successful exploitation of this vulnerability could allow a remote attacker to read sensitive files located in the restricted WEB-INF folder, such as web.xml, zk.xml, and other files stored in this directory, which could then be used to further attack the system.

To remediate this vulnerability, customers are advised to upgrade ZK Framework to version 9.6.2, 9.6.0.2, 9.5.1.4, 9.0.1.3, 8.6.4.2, or the latest version. By upgrading to the recommended version, users can ensure that their systems are protected from this vulnerability. For more information on this vulnerability, please refer to ZK-5150.

QID 150658: WordPress All-in-One SEO Pack Plugin: Multiple Stored Cross-Site Scripting Vulnerabilities (CVE-2023-0585, CVE-2023-0586)

CVE-ID: CVE-2023-0585, CVE-2023-0586
Severity: Level 3
CVSS 3.1: 5.4
CWE-ID: 79
Affected Versions: All in One SEO (AIOSEO) versions up to and including 4.2.9

Description:

All in One SEO (AIOSEO) is a popular WordPress plugin used by website owners to optimize their WordPress websites for search engines and social media. However, the plugin has recently been found to contain multiple vulnerabilities that could potentially allow attackers to execute arbitrary web scripts or inject malicious web scripts into pages.

The first vulnerability, CVE-2023-0585, is caused by insufficient input sanitization and output escaping. It allows authenticated attackers with Administrator or higher privileges to execute arbitrary web scripts. This is a Stored Cross-Site Scripting attack: the injected script executes whenever a user accesses the page it was stored in.

The second vulnerability, CVE-2023-0586, is also related to Stored Cross-Site Scripting and can be exploited through multiple parameters. Due to the insufficient sanitization of input and the lack of proper output escaping, authenticated attackers with Contributor+ role or higher privileges can inject malicious web scripts into pages. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the interface or allow the attacker to access sensitive, browser-based information.

To remediate these vulnerabilities and ensure the security of your website, it is highly recommended that customers upgrade to the latest version of the All in One SEO plugin – version 4.3.0 or later. This will fix the vulnerabilities and prevent potential attacks on your website. For more information on these vulnerabilities, please visit All in One SEO.

QID 150659: Grafana Multiple Stored Cross-Site Scripting Vulnerabilities (CVE-2023-0594, CVE-2023-0507)

CVE-ID: CVE-2023-0594, CVE-2023-0507
Severity: Level 3
CVSS 3.1: 5.4
CWE-ID: 79
Affected Versions:
  Grafana versions from 7.0.0 to 8.5.21
  Grafana versions from 9.2.0 to 9.2.13
  Grafana versions from 9.3.0 to 9.3.8

Description:

Grafana is a widely-used open-source analytics and interactive visualization web application that provides various charts, graphs, and alerts for the web. Recently, multiple vulnerabilities have been discovered in Grafana that can be exploited by attackers to execute arbitrary JavaScript code in the context of the interface or access sensitive, browser-based information.

The first vulnerability, CVE-2023-0594, is a stored cross-site scripting (XSS) vulnerability that can be triggered by an editor with malicious intent injecting JavaScript into an unsanitized span attribute/resource in Grafana’s trace view visualization. This could allow the attacker to escalate their privileges and access an admin’s known password via a malicious dashboard.

The second vulnerability, CVE-2023-0507, is also a stored XSS vulnerability that affects Grafana’s GeoMap core plugin. This vulnerability can be exploited by an editor injecting arbitrary JavaScript into unsanitized map attributions. The attacker can escalate their privileges and access an admin’s known password via a malicious dashboard. It is recommended to update Grafana to the latest version and restrict editor role access to prevent successful exploitation.

Customers are advised to upgrade to the latest version of Grafana to remediate these vulnerabilities. Note that these vulnerabilities can lead to unauthorized access, data leakage, or complete control of the affected website. For more information regarding these vulnerabilities, please refer to CVE-2023-0594 and CVE-2023-0507.

QID 150660: Apache HTTP Server Prior to 2.4.56 Multiple Security Vulnerabilities

CVE-ID: CVE-2023-25690, CVE-2023-27522
Severity: Level 4
CVSS 3.1: 9.8
CWE-ID: 444
Affected Versions: Apache HTTP Server versions from 2.4.0 to 2.4.55

Description:

Apache HTTP Server is a widely used open-source web server software that serves web content to visitors of websites. Unfortunately, several vulnerabilities have been discovered in affected versions of Apache HTTP Server:

CVE-2023-25690: This vulnerability could allow an attacker to perform HTTP Request Smuggling attacks when certain configurations are in use. Specifically, the server is vulnerable if mod_proxy is enabled together with a RewriteRule or ProxyPassMatch whose non-specific pattern matches part of the user-supplied request-target, and that matched data is then re-inserted into the proxied request-target by variable substitution.

CVE-2023-27522: This vulnerability relates to HTTP Response Smuggling attacks that could occur via mod_proxy_uwsgi. Attackers can exploit this vulnerability by using special characters in the origin response header to truncate or split the response forwarded to the client. This could lead to HTTP request smuggling or response smuggling attacks.

It is highly recommended that users upgrade to the latest version of Apache HTTP Server as soon as possible to remediate these vulnerabilities. For more information regarding these vulnerabilities, please refer to Apache's Security Advisory.

QID 150661: WordPress WooCommerce PDF Invoices and Packing Slips Plugin: Cross-Site Request Forgery Vulnerability (CVE-2022-47148)

CVE-ID: CVE-2022-47148
Severity: Level 3
CVSS 3.1: 4.3
CWE-ID: 352
Affected Versions: WooCommerce PDF Invoice and Packing Slips prior to 3.2.6

Description:

WooCommerce PDF Invoice and Packing Slips is a popular WooCommerce extension plugin that automatically generates and attaches a PDF invoice to the order confirmation emails sent out to customers. However, it has been discovered that the plugin contains a security vulnerability known as Cross-Site Request Forgery (CSRF).

This vulnerability could potentially allow an attacker to trick users with higher privileges into performing unintended actions without their knowledge or consent. This could include modifying or deleting sensitive information, making unauthorized purchases, or carrying out other actions that could compromise the security and integrity of the system. Successful exploitation of this vulnerability could also allow an attacker to execute arbitrary JavaScript code in the context of the interface or access sensitive browser-based information.

To remediate this vulnerability, customers are advised to update to WooCommerce PDF Invoice and Packing Slips 3.2.6 or later. It is crucial to prioritize security updates and take immediate action to ensure the safety of your website and user data.

QID 150662: Apache Tomcat Information Disclosure Vulnerability (CVE-2023-28708)

CVE-ID: CVE-2023-28708
Severity: Level 3
CVSS 3.1: 4.3
CWE-ID: 523
Affected Versions:
  Apache Tomcat 11.0.0-M1 to 11.0.0-M2
  Apache Tomcat 10.1.0-M1 to 10.1.5
  Apache Tomcat 9.0.0-M1 to 9.0.71
  Apache Tomcat 8.5.0 to 8.5.85

Description:

Apache Tomcat is a widely used open source web server and servlet container. However, a vulnerability has been identified in Tomcat’s RemoteIpFilter feature. When used with HTTP requests received from a reverse proxy that includes the X-Forwarded-Proto header set to https, session cookies created by Tomcat may be transmitted over an insecure channel if the secure attribute is not included in the cookies. This could potentially expose sensitive user data to attackers.
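
A response-side check for the condition this advisory describes, as an added Python example (not Tomcat's RemoteIpFilter and not a Qualys signature; the session cookie names and the sample headers are constructed): when a trusted proxy reports X-Forwarded-Proto: https, the effective scheme is https and every session cookie in the response should carry the Secure attribute. The block flags those that do not and shows the corrected header.

```python
"""Flag session cookies issued without Secure behind a TLS-terminating proxy (added example)."""
from typing import Dict, List

SESSION_COOKIE_NAMES = {"JSESSIONID", "PHPSESSID"}  # assumed names worth checking

# Constructed sample: a request as forwarded by the proxy and the origin's Set-Cookie headers.
SAMPLE_REQUEST_HEADERS = {
    "Host": "app.example",
    "X-Forwarded-For": "203.0.113.5",
    "X-Forwarded-Proto": "https",
}
SAMPLE_SET_COOKIES = [
    "JSESSIONID=0A1B2C3D; Path=/app; HttpOnly",   # session cookie missing Secure
    "theme=dark; Path=/",                          # not a session cookie
    "PHPSESSID=9Z8Y7X; Path=/; Secure; HttpOnly",  # correct
]


def effective_scheme(request_headers: Dict[str, str], proxy_trusted: bool) -> str:
    """Mirror the proxy-header logic: a trusted proxy's X-Forwarded-Proto decides the scheme."""
    lowered = {k.lower(): v for k, v in request_headers.items()}
    if proxy_trusted and lowered.get("x-forwarded-proto", "").strip().lower() == "https":
        return "https"
    return "http"


def cookie_attributes(set_cookie: str) -> set:
    """Lower-cased attribute names of a Set-Cookie header (everything after the first ';')."""
    return {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:] if a.strip()}


def insecure_session_cookies(
    request_headers: Dict[str, str], set_cookies: List[str], proxy_trusted: bool = True
) -> List[str]:
    """Names of session cookies sent without Secure although the client connection is https."""
    if effective_scheme(request_headers, proxy_trusted) != "https":
        return []
    findings = []
    for raw in set_cookies:
        name = raw.split("=", 1)[0].strip()
        if name in SESSION_COOKIE_NAMES and "secure" not in cookie_attributes(raw):
            findings.append(name)
    return findings


def with_secure(set_cookie: str) -> str:
    """Return the header with the Secure attribute appended if it is absent (idempotent)."""
    if "secure" in cookie_attributes(set_cookie):
        return set_cookie
    return set_cookie.rstrip("; ") + "; Secure"


if __name__ == "__main__":
    for name in insecure_session_cookies(SAMPLE_REQUEST_HEADERS, SAMPLE_SET_COOKIES):
        print("session cookie without Secure over https:", name)
```

The proxy_trusted flag matters: X-Forwarded-Proto is client-controllable unless the header is set by a proxy you trust, which is why RemoteIpFilter only honours it from configured internal proxies.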

To address this vulnerability, it is highly recommended that customers upgrade to one of the following versions of Apache Tomcat: 11.0.0-M3, 10.1.6, 9.0.72, or 8.5.86. Alternatively, customers can install a newer version. Additional information on the vulnerability and the necessary steps to remediate it can be found in the Apache Tomcat Security Advisory.

QID 150663: PHP Buffer Overflow Vulnerability (CVE-2022-37454)

CVE-ID: CVE-2022-37454
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 190
Affected Versions:
  PHP versions before 7.4.33
  PHP versions 8.0.0 prior to 8.0.25
  PHP versions 8.1.0 prior to 8.1.12

Description:

PHP is a popular programming language for web-based applications, but a serious vulnerability has been discovered in the Keccak XKCP SHA-3 reference implementation prior to version fdc6fef. This vulnerability involves an integer overflow and resultant buffer overflow in the sponge function interface, which could allow attackers to execute arbitrary code or compromise cryptographic properties. To address this issue, it is strongly recommended that customers upgrade to the latest version of PHP. For further details, please see Sec Bug 81738.

QID 150664: Microsoft Exchange Server Multiple Vulnerabilities (ProxyNotShell) (CVE-2022-41040, CVE-2022-41082)

CVE-ID: CVE-2022-41040, CVE-2022-41082
Severity: Level 5
CVSS 3.1: 8.8
CWE-ID: 918
Affected Versions:
  Exchange Server 2013 CU23
  Exchange Server 2016 CU22
  Exchange Server 2016 CU23
  Exchange Server 2019 CU11
  Exchange Server 2019 CU12

Description:

Microsoft Exchange Server is a widely used mail server and calendaring server that runs exclusively on Windows Server operating systems. However, in August 2022, cybersecurity company GTSC identified a new vulnerability in the Autodiscover service, which was abused by an attacker to perform remote code execution via PowerShell.

The observed attack was similar to the earlier ProxyShell vulnerability reported in August 2021. It appears to have used CVE-2022-41040 to gain privileged access and CVE-2022-41082 to perform remote code execution. Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary commands on the target system, potentially leading to significant data breaches.

An authenticated remote attacker can perform Server-Side Request Forgery (SSRF) attacks to escalate privileges and execute arbitrary PowerShell code on vulnerable Microsoft Exchange servers. As the attack is targeted against Microsoft Exchange Mailbox servers, the attacker can potentially gain access to other resources via lateral movement into Exchange and Active Directory environments.

Microsoft has provided guidance in their recent blog post to address the issue. However, it is still recommended that customers upgrade to the patched version released on November 8, 2022, or later to remediate these vulnerabilities. For more information regarding these vulnerabilities and patching details, please refer to the Microsoft Security Advisory.

QID 150665: MinIO Information Disclosure Vulnerability (CVE-2023-28432)

CVE-ID: CVE-2023-28432
Severity: Level 4
CVSS 3.1: 7.5
CWE-ID: 200
Affected Versions: MinIO versions from RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z

Description:

MinIO is a high-performance object storage solution that enables users to store unstructured data such as videos, photos, and backups. Its API is compatible with Amazon S3, making it a popular choice for cloud storage services.

However, a vulnerability has been discovered in MinIO that affects distributed deployments of the software. The issue results in sensitive environment variables such as MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD being returned without adequate protection. This can potentially allow malicious actors to gain unauthorized access to the entire MinIO cluster and compromise its security and integrity.

To mitigate this vulnerability, it is highly recommended that customers upgrade to the latest version of MinIO. This will ensure that the issue is resolved and that environment variables are properly protected from unauthorized access. Failure to upgrade could result in severe consequences, including data breaches and other security incidents.

QID 154132: WordPress Contact Form 7 Plugin: Unrestricted File Upload and Remote Code Execution (RCE) Vulnerability (CVE-2020-35489)

CVE-ID: CVE-2020-35489
Severity: Level 5
CVSS 3.1: 10
CWE-ID: 434
Affected Versions: Contact Form 7 prior to version 5.3.2

Description:

Contact Form 7 is a popular WordPress plugin that enables users to create and manage multiple contact forms with email functionality. However, certain versions of Contact Form 7 contain a vulnerability that allows unrestricted file uploads and potential remote code execution if the uploaded file contains special characters in its name. If exploited, this vulnerability could lead to the upload of malicious files and the execution of arbitrary code on the affected system.
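
As an added Python example of the hardening this class of bug calls for (written for this post, not Contact Form 7's fix; the extension allowlist and helper names are assumptions): the upload handler never trusts the submitted name. It keeps only the final path component, Unicode-normalizes it, removes control and format characters (which a naive extension check would otherwise leave attached to the name), rejects an executable extension in any position, and requires the final extension to be on an allowlist before rewriting the stem to a safe character set.

```python
"""Sanitize an upload filename before it reaches the filesystem (added example)."""
import re
import unicodedata
from typing import Optional

ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif", "txt"}  # assumed allowlist
# Extensions a web server may execute; refused in every position, so "x.php.pdf" fails too.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php5", "phtml", "phar", "cgi", "pl", "sh"}
DROPPED_CATEGORIES = {"Cc", "Cf", "Cs", "Co", "Cn"}  # control, format, surrogate, private, unassigned
MAX_STEM = 100


def clean_filename(submitted: str) -> Optional[str]:
    """Return a safe name to store the upload under, or None if the upload must be refused."""
    # 1. keep only the final path component, whichever separator the client used
    base = submitted.replace("\\", "/").rsplit("/", 1)[-1]
    # 2. canonical Unicode form, then drop characters that are invisible or non-printing
    base = unicodedata.normalize("NFKC", base)
    base = "".join(ch for ch in base if unicodedata.category(ch) not in DROPPED_CATEGORIES)
    base = base.strip(" .")
    if not base or "." not in base:
        return None
    segments = base.split(".")
    ext = segments[-1].lower()
    inner = [s.lower() for s in segments[1:-1]]
    # 3. extension policy: allowlisted final extension, no executable extension anywhere
    if ext not in ALLOWED_EXTENSIONS or any(s in EXECUTABLE_EXTENSIONS for s in inner):
        return None
    # 4. reduce the stem to a conservative character set and a bounded length
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", ".".join(segments[:-1]))[:MAX_STEM]
    return f"{stem}.{ext}"


if __name__ == "__main__":
    for name in ("invoice.pdf", "shell.php", "shell.php.pdf", "notes.pdf\u200b", "../../etc/passwd"):
        print(repr(name), "->", clean_filename(name))
```

Stripping non-printing characters before the extension check is the step that matters for this advisory: a name whose extension is followed by an invisible character must end up evaluated as the extension it really has, not as an unknown one.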

To address this issue, customers are strongly advised to upgrade to version 5.3.2 or later. For more information regarding this vulnerability, please refer to Contact Form 7.

QID 520011: Open Secure Sockets Layer (OpenSSL) Type Confusion Vulnerability (CVE-2023-0286)

CVE-ID: CVE-2023-0286
Severity: Level 4
CVSS 3.1: 7.4
CWE-ID: 843
Affected Versions:
  OpenSSL versions 1.0.2 to 1.0.2zf
  OpenSSL versions 1.1.1 to 1.1.1q
  OpenSSL versions 3.0.0 to 3.0.7

Description:

OpenSSL is a widely-used software library that provides cryptographic functions to secure network communications and identify parties on the internet. A security vulnerability has been identified that affects the processing of X.400 addresses in X.509 GeneralNames. This vulnerability is caused by a type confusion error in the parsing of X.400 addresses as an ASN1_STRING, while they are specified as an ASN1_TYPE in the GENERAL_NAME structure definition.

This vulnerability could be exploited by an attacker to pass arbitrary pointers to a memcmp call, potentially allowing them to read memory contents or execute a denial of service attack. This vulnerability is most likely to affect applications with custom CRL retrieval functionality and may require the attacker to control both the certificate chain and CRL. Customers are advised to upgrade to the latest version of OpenSSL and refer to the OpenSSL Security Advisory for additional details.
