September 2023 Web Application Vulnerabilities Released

Hitesh Kadu

In September, the Qualys Web Application Scanning (WAS) team released a set of new security signatures. The update adds detection for vulnerabilities in several widely used applications: Zabbix, Ivanti Sentry, Ivanti Endpoint Manager Mobile (EPMM), WordPress plugins, Apache Superset, Adobe ColdFusion, Atlassian Bitbucket Server and Data Center, PaperCut NG/MF, and Cacti.

If left unpatched, these vulnerabilities expose organizations to data breaches, unauthorized access, and other malicious activity. Organizations should scan their web applications, confirm which of the listed products and versions they run, and remediate promptly.

QID     Title
150706  Zabbix Cross-Site Scripting (XSS) vulnerability (CVE-2023-29457)
150707  Zabbix Reflected Cross-Site Scripting (XSS) vulnerability (CVE-2023-29455)
150708  Zabbix Stored Cross-Site Scripting (XSS) vulnerability (CVE-2023-29454)
150709  Ivanti Sentry Authentication Bypass Vulnerability (CVE-2023-38035)
150710  WordPress GDPR Cookie Consent Plugin: Cross-Site Request Forgery Vulnerability (CVE-2023-4013)
150711  Ivanti Endpoint Manager Mobile (EPMM) Remote Unauthenticated API Access Vulnerability (CVE-2023-35078)
150712  Ivanti Endpoint Manager Mobile (EPMM) Remote Unauthenticated API Access Vulnerability (CVE-2023-35082)
150713  Apache Superset Prior to 2.1.1 Multiple Security Vulnerabilities
150714  Zabbix Web Interface Default Credentials
150715  Adobe ColdFusion Remote Code Execution (RCE) Vulnerability (APSB23-47)
150716  Adobe ColdFusion Access Control Bypass Vulnerability (CVE-2023-38205)
150717  WordPress Booster for WooCommerce Plugin: Cross-Site Scripting (XSS) vulnerability (CVE-2023-4945)
150718  Atlassian Bitbucket Server and Data Center: Remote Code Execution Vulnerability (CVE-2023-22513)
150719  PaperCut NG/MF Path Traversal Vulnerability (CVE-2023-39143)
150720  Cacti Prior to 1.2.25 Multiple Security Vulnerabilities

QID 150706: Zabbix Cross-Site Scripting (XSS) vulnerability (CVE-2023-29457)

CVE-ID: CVE-2023-29457
Severity: Level 3
CVSS 3.1: 6.1
CWE-ID: CWE-20, CWE-79
Affected Versions: Zabbix 4.0.0 through 4.0.45
                   Zabbix 5.0.0 through 5.0.34
                   Zabbix 6.0.0 through 6.0.17

Description:

Zabbix is an open-source tool for monitoring IT infrastructure components such as networks, servers, virtual machines, and cloud services. A reflected (non-persistent) XSS vulnerability was identified in its web frontend. Because the injected script runs in the victim's browser within the Zabbix origin, it can expose session cookies and let an attacker impersonate the logged-in user.

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the Zabbix interface or to read sensitive browser-side information. All Zabbix users should upgrade to a fixed version promptly. For further details, consult the Zabbix issue ZBX-22988.

QID 150707: Zabbix Reflected Cross-Site Scripting (XSS) vulnerability (CVE-2023-29455)

CVE-ID: CVE-2023-29455
Severity: Level 3
CVSS 3.1: 6.1
CWE-ID: CWE-20, CWE-79
Affected Versions: Zabbix 4.0.0 through 4.0.45
                   Zabbix 5.0.0 through 5.0.33

Description:

Zabbix, the open-source infrastructure monitoring tool described above, is affected by a second reflected (non-persistent) XSS vulnerability.

In a reflected XSS attack, the malicious script is carried in the request itself, typically in a URL parameter, and the vulnerable application echoes it back into the response without encoding it. The victim has to be induced to follow a crafted link, for example through a phishing message; the script then executes in the victim's browser with the privileges of their Zabbix session.

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the Zabbix interface or to read sensitive browser-side information.

All Zabbix users should upgrade to a fixed version promptly. For details, consult the Zabbix issue ZBX-22986.

QID 150708: Zabbix Stored Cross-Site Scripting (XSS) vulnerability (CVE-2023-29454)

CVE-ID: CVE-2023-29454
Severity: Level 3
CVSS 3.1: 5.4
CWE-ID: CWE-20, CWE-79
Affected Versions: Zabbix 4.0.0 through 4.0.45
                   Zabbix 5.0.0 through 5.0.33
                   Zabbix 6.0.0 through 6.0.16

Description:

Zabbix is also affected by a stored (persistent) cross-site scripting vulnerability.

In a stored XSS attack, the attacker first submits a malicious payload to the application, which saves it in its database or in server-side files. Every user who later views the page that displays that value gets the payload executed in their browser, so no crafted link is needed and one injection can affect many users, including administrators.

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the Zabbix interface or to read sensitive browser-side information.

All Zabbix customers should upgrade to a fixed version. For details, consult the Zabbix issue ZBX-22985.
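The two XSS variants above differ only in where the payload comes from, not in the sink. As an added example (not code from Zabbix or from Qualys), the following Python uses a constructed stand-in renderer to show the unescaped sink next to its fixed form, and the canary-based check a scanner performs for both the reflected and the stored case: send a unique token containing HTML metacharacters and test whether it comes back with those characters intact. The renderer and storage functions are hypothetical; only `html.escape` is a real library call.

```python
import html
import secrets

# Constructed stand-in for a monitoring front end. Both renderers have the same
# HTML sink; only the fixed one encodes the value before interpolating it.
def render_search_vulnerable(query: str) -> str:
    return f"<h1>Results for {query}</h1>"

def render_search_fixed(query: str) -> str:
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"

# Constructed stand-in for a stored field (think: a host description saved by
# one user and displayed to another later). Same sink, but the payload arrives
# from storage rather than from the current request.
_store: dict = {}

def save_description(host_id: str, description: str) -> None:
    _store[host_id] = description

def render_host_vulnerable(host_id: str) -> str:
    return f"<p>{_store.get(host_id, '')}</p>"

def render_host_fixed(host_id: str) -> str:
    return f"<p>{html.escape(_store.get(host_id, ''), quote=True)}</p>"

def make_canary() -> str:
    # A unique token wrapped in the characters that must be encoded inside an
    # HTML text node or attribute. No <script> tag is needed: if these come
    # back raw, the sink is exploitable and the scanner can stop there.
    return "c" + secrets.token_hex(4) + "\"'<>"

def echoed_unencoded(body: str, canary: str) -> bool:
    """True if the canary appears in the response with its metacharacters intact."""
    return canary in body

def check_reflected(render) -> bool:
    # Reflected: payload sent in the request, looked for in the same response.
    canary = make_canary()
    return echoed_unencoded(render(canary), canary)

def check_stored(save, render, key: str = "host-1") -> bool:
    # Stored: payload written in one request, looked for in a later one.
    canary = make_canary()
    save(key, canary)
    return echoed_unencoded(render(key), canary)
```

A random token keeps the check free of false positives from text already on the page, and looking for the raw metacharacters rather than a working `<script>` payload keeps the probe harmless for other users of a shared instance.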

QID 150709: Ivanti Sentry Authentication Bypass Vulnerability (CVE-2023-38035)

CVE-ID: CVE-2023-38035
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: CWE-863
Affected Versions: Ivanti Sentry 9.18.0 and prior

Description:

Ivanti Sentry, formerly MobileIron Sentry, is an inline gateway that manages, encrypts, and secures traffic between mobile devices and backend enterprise systems.

A vulnerability in Sentry allows an unauthenticated actor who can reach the System Manager Portal (typically hosted on port 8443) to change configuration in Sentry and in its underlying operating system. Successful exploitation lets the attacker execute OS commands on the appliance as root. Because the portal is an administrative interface, it should not be exposed to the internet; restricting access to it is an immediate mitigation while patching.

Customers should update Ivanti Sentry to the patched versions provided by the vendor, which has released RPM scripts for all supported versions. For details, consult the Ivanti Sentry Security Advisory.

QID 150710: WordPress GDPR Cookie Consent Plugin: Cross-Site Request Forgery Vulnerability (CVE-2023-4013)

CVE-ID: CVE-2023-4013
Severity: Level 3
CVSS 3.1: 6.5
CWE-ID: CWE-352
Affected Versions: GDPR Cookie Compliance plugin prior to 4.12.5

Description:

GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) is a WordPress plugin that helps site owners comply with privacy and cookie regulations. Versions before 4.12.5 are vulnerable.

The vulnerability stems from missing CSRF (Cross-Site Request Forgery) checks on the request that manages the plugin's license. A logged-in administrator who visits an attacker-controlled page can be made to submit that request unknowingly, allowing the attacker to manipulate the plugin's license.

All customers should update the GDPR Cookie Compliance plugin to 4.12.5 or a later release.
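The missing check described above is a per-request token bound to the user's session and to the specific action. As an added example (not code from the plugin or from WordPress, whose nonce scheme differs in detail), the following Python shows a forgeable license handler next to one that verifies an HMAC-based nonce with a time window. `SERVER_SECRET`, the handler names, and the request dictionaries are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)  # constructed; per-deployment secret

def make_nonce(session_id: str, action: str, now=None, lifetime=3600) -> str:
    # Token bound to the session and the action, rotated every `lifetime`
    # seconds so a token that leaks does not stay valid indefinitely.
    now = time.time() if now is None else now
    tick = int(now // lifetime)
    msg = f"{session_id}|{action}|{tick}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]

def verify_nonce(nonce, session_id: str, action: str, now=None, lifetime=3600) -> bool:
    now = time.time() if now is None else now
    # Accept the current and the previous window so a form rendered just
    # before a rotation still submits. Constant-time compare avoids leaking
    # how many leading characters of a guess were right.
    for offset in (0, lifetime):
        expected = make_nonce(session_id, action, now - offset, lifetime)
        if hmac.compare_digest(expected, nonce or ""):
            return True
    return False

LICENSES = {}  # session_id -> license key (constructed state)

def deactivate_license_vulnerable(request: dict) -> str:
    # Only checks that a session exists. The browser attaches the victim's
    # session cookie to a form POST from any origin, so this is forgeable.
    sid = request.get("session_id")
    if not sid:
        return "403"
    LICENSES[sid] = None
    return "200"

def deactivate_license_fixed(request: dict) -> str:
    sid = request.get("session_id")
    if not sid:
        return "403"
    token = request.get("params", {}).get("_nonce")
    if not verify_nonce(token, sid, "deactivate_license"):
        return "403"  # cross-site page cannot read the token, so it cannot supply it
    LICENSES[sid] = None
    return "200"
```

The token must be emitted into the legitimate form (or a header) by the server and must never be readable cross-origin; that is what makes a forged POST fail. Checking the `Origin` or `Sec-Fetch-Site` request header is a useful second layer, but it does not replace the token.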

QID 150711: Ivanti Endpoint Manager Mobile (EPMM) Remote Unauthenticated API Access Vulnerability (CVE-2023-35078)

CVE-ID: CVE-2023-35078
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: CWE-287
Affected Versions: Ivanti EPMM 11.10 and prior

Description:

Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, is a mobile device management engine that lets IT teams set policies for mobile devices, applications, and content.

A critical authentication bypass affects all supported EPMM versions (11.10, 11.9, and 11.8) and also older, unsupported releases.

An unauthenticated remote attacker who can reach the server, in particular over the internet, could access users' personally identifiable information and make limited changes to the server configuration.

Customers should update Ivanti EPMM to a patched version. The vendor has released RPM scripts for all supported versions. Refer to the Ivanti Security Advisory for details.

QID 150712: Ivanti Endpoint Manager Mobile (EPMM) Remote Unauthenticated API Access Vulnerability (CVE-2023-35082)

CVE-ID: CVE-2023-35082
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: CWE-287
Affected Versions: Ivanti EPMM 11.10 and prior

Description:

Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, is the mobile device management engine described above.

A second critical authentication bypass has been identified in EPMM. It allows remote, unauthenticated users to reach functionality and resources that should require authentication. Having patched CVE-2023-35078 does not cover this issue; both fixes must be applied.

Customers should update Ivanti EPMM to the latest patched versions provided by the vendor, which has released RPM scripts for all supported versions. For details, consult the Ivanti Security Advisory.

QID 150713: Apache Superset Prior to 2.1.1 Multiple Security Vulnerabilities

CVE-ID: CVE-2023-36388, CVE-2023-36387, CVE-2023-39265, CVE-2023-32672, CVE-2023-39264, CVE-2023-37941
Severity: Level 4
CVSS 3.1: 9.8
CWE-ID: CWE-918, CWE-20, CWE-863, CWE-209, CWE-502
Affected Versions: Apache Superset prior to 2.1.1

Description:

Apache Superset, an open-source data exploration and visualization platform designed to work at petabyte scale, has several vulnerabilities fixed in release 2.1.1:

  • CVE-2023-36388: An improper REST API permission allows authenticated Gamma users to test network connectivity from the Superset server, which can be abused for server-side request forgery.
  • CVE-2023-36387: An improper default REST API permission allows authenticated Gamma users to test database connections.
  • CVE-2023-39265: Superset could incorrectly register SQLite database connections when an attacker uses alternative driver names such as sqlite+pysqlite or database imports. This can lead to unintended file creation on the Superset web server and, if Superset itself uses SQLite for its metadata database (not recommended for production), to more severe loss of confidentiality and integrity.
  • CVE-2023-32672: Incorrect authorization checks in SQL Lab let authenticated users query tables they are not granted access to, by exploiting a weakness in Superset's SQL parsing.
  • CVE-2023-39264: Stack traces for errors were enabled by default, exposing internal traces on REST API endpoints.
  • CVE-2023-37941: An attacker with write access to the Superset metadata database can persist a specially crafted Python (pickle) object that is deserialized by the web backend, leading to remote code execution. Affects versions 1.5.0 through 2.1.0.

Successful exploitation affects integrity, availability, and confidentiality. All users should upgrade Apache Superset to 2.1.1 or later.
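CVE-2023-37941 is an instance of the general rule that pickle data read from any attacker-writable location is executable code, since a pickle can name the callable to invoke on load. As an added example (not Superset's code, and not the exploit used against it), the following Python shows a constructed hostile row that makes `pickle.loads` call a function of the attacker's choosing (`os.getpid` is used so the effect is visible and harmless), and a hardened unpickler that refuses every global reference, which is enough for rows that only hold plain data. The row and blob names are hypothetical.

```python
import io
import os
import pickle

class HostileRow:
    # Stand-in for an attacker-written metadata value. __reduce__ tells pickle
    # which callable to invoke at load time. A real payload would name
    # os.system or subprocess.Popen with an attacker-chosen command line.
    def __reduce__(self):
        return (os.getpid, ())

def hostile_blob() -> bytes:
    return pickle.dumps(HostileRow())

def benign_blob() -> bytes:
    # Ordinary metadata: containers and scalars only, no class or function references.
    return pickle.dumps({"chart": "sales", "filters": ["region", "year"], "limit": 1000})

def load_unsafe(blob: bytes):
    # "Trust the database": whatever callable the blob names gets executed.
    return pickle.loads(blob)

def unsafe_runs_attacker_callable() -> bool:
    # True when loading the hostile blob executed os.getpid inside this process.
    return load_unsafe(hostile_blob()) == os.getpid()

class DataOnlyUnpickler(pickle.Unpickler):
    # Every reference to a module-level name goes through find_class. Refusing
    # all of them leaves dict/list/tuple/str/int/float/bytes/None, which is all
    # a metadata row should ever contain.
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve global {module}.{name}")

def load_safe(blob: bytes):
    return DataOnlyUnpickler(io.BytesIO(blob)).load()

def load_or_reject(blob: bytes):
    # Returns ("ok", value) or ("rejected", reason) so callers can log and continue.
    try:
        return ("ok", load_safe(blob))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))
```

Where rows legitimately need a few classes, `find_class` can allowlist them by exact module and name; anything broader re-opens the hole. The better fix is to store such values as JSON, which has no code-execution semantics at all.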

QID 150714: Zabbix Web Interface Default Credentials

CVE-ID: N/A
Severity: Level 4
CVSS 3.1: 7.3
CWE-ID: CWE-1392
Affected Versions: Zabbix Web Interface (all versions, default configuration)

Description:

The Zabbix web interface ships with a predefined super-administrator account: username Admin, password zabbix. Installations that keep this password grant full administrative access to anyone who can reach the login page.

An attacker who finds an instance with the default credentials gains administrative control of the monitoring platform, including the ability to run remote commands on monitored hosts through Zabbix agents where that feature is enabled.

All Zabbix customers should immediately change the default password to a strong, unique one, and should restrict network access to the web interface to the people who need it.

QID 150715: Adobe ColdFusion Remote Code Execution (RCE) Vulnerability (APSB23-47)

CVE-ID: CVE-2023-29300, CVE-2023-38203, CVE-2023-38204
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: CWE-502
Affected Versions: ColdFusion (2023 release) Update 2 and earlier
                   ColdFusion (2021 release) Update 8 and earlier
                   ColdFusion (2018 release) Update 18 and earlier

Description:

Adobe ColdFusion is an application server and platform for developing and deploying web and mobile applications. A critical security issue affects multiple versions.

The affected versions of ColdFusion contain a Deserialization of Untrusted Data vulnerability that can lead to arbitrary code execution. The issue is especially serious because it can be exploited by an unauthenticated attacker to execute arbitrary code on the target system. CVE-2023-29300 and CVE-2023-38203 were first addressed in Adobe bulletins APSB23-40 and APSB23-41; CVE-2023-38204 closes a further bypass and is covered by APSB23-47.

Adobe has released security updates for the ColdFusion 2023, 2021, and 2018 releases. All customers should apply the updates immediately. For details, refer to Adobe's security bulletin APSB23-47.

QID 150716: Adobe ColdFusion Access Control Bypass Vulnerability (CVE-2023-38205)

CVE-ID: CVE-2023-38205
Severity: Level 4
CVSS 3.1: 7.5
CWE-ID: CWE-284
Affected Versions: ColdFusion (2023 release) Update 2 and earlier
                   ColdFusion (2021 release) Update 8 and earlier
                   ColdFusion (2018 release) Update 18 and earlier

Description:

Adobe ColdFusion, the application server described above, is affected by a second issue in the same releases.

The affected versions contain an Improper Access Control vulnerability that results in a security feature bypass: an unauthenticated attacker can reach the administrative CFM and CFC endpoints, which should be blocked from untrusted networks. This matters most where the ColdFusion administrator interface is reachable from the internet; as a defense in depth, restrict access to the /CFIDE/ administrator paths at the web server or firewall in addition to patching.

Adobe has issued security updates for the ColdFusion 2023, 2021, and 2018 releases. All customers should apply them immediately; refer to Adobe's security bulletin APSB23-47 for details.

QID 150717: WordPress Booster for Woocommerce Plugin: Cross-Site Scripting (XSS) vulnerability (CVE-2023-4945)

CVE-ID: CVE-2023-4945
Severity: Level 3
CVSS 3.1: 5.4
CWE-ID: CWE-79
Affected Versions: Booster for WooCommerce WordPress plugin prior to 7.1.1

Description:

Booster for WooCommerce is a WordPress plugin that extends WooCommerce with modules that site owners can enable or disable individually.

The plugin is vulnerable to stored cross-site scripting through multiple shortcodes because it does not sanitize user-supplied shortcode attributes on input or escape them on output. An authenticated attacker with Contributor-level permissions or higher can inject arbitrary web scripts into a page; the script executes for every user who views that page, including administrators.

Successful exploitation allows the attacker to inject HTML or JavaScript into the site, which can be chained into session theft, account takeover, or further compromise of the WordPress installation.

All customers should upgrade to Booster for WooCommerce 7.1.1 or a later release.

QID 150718: Atlassian Bitbucket Server and Data Center: Remote Code Execution Vulnerability (CVE-2023-22513)

CVE-ID: CVE-2023-22513
Severity: Level 5
CVSS 3.1: 8.8
CWE-ID: CWE-94
Affected Versions: Bitbucket Server and Data Center from 8.9.0 before 8.9.5
                   Bitbucket Server and Data Center from 8.10.0 before 8.10.5
                   Bitbucket Server and Data Center from 8.11.0 before 8.11.4
                   Bitbucket Server and Data Center from 8.12.0 before 8.12.2
                   Bitbucket Server and Data Center from 8.13.0 before 8.13.1

Description:

Bitbucket is Atlassian's Git-based source code repository hosting product. A high-severity Remote Code Execution (RCE) vulnerability affects Bitbucket Data Center and Server starting from version 8.0.0; releases in the 8.0 through 8.8 branches have no in-branch fix and must be upgraded to a fixed branch.

The vulnerability allows an authenticated attacker to execute arbitrary code on the server, with high impact on confidentiality, integrity, and availability, and requires no user interaction. Because any user with an account qualifies, instances that allow self-registration or that federate to a large identity provider are effectively exposed to everyone who can log in.

Atlassian recommends that all Bitbucket Data Center and Server customers upgrade to the latest version; fixes are available for each supported release branch. Refer to the Bitbucket Security Advisory for full details.
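Every entry in this post is ultimately a version-range decision, and the ranges come in two shapes: the Zabbix entries are inclusive ("from 4.0.0 to 4.0.45"), while the Bitbucket entry is half-open per branch ("from 8.9.0 before 8.9.5") plus an unfixed tail of older branches. As an added example (not Qualys signature code), the following Python encodes both shapes so an inventory script can decide whether a discovered version is affected. The ranges are copied from the QID 150706 and QID 150718 entries above; the data structures and names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Tuple

def parse_version(text: str) -> Tuple[int, ...]:
    # Numeric dotted components only: "8.9.5" -> (8, 9, 5). Pre-release tags
    # such as "rc1" are not modelled; compare released builds.
    return tuple(int(p) for p in re.findall(r"\d+", text))

@dataclass(frozen=True)
class Range:
    low: str              # first affected version (inclusive)
    high: str             # upper bound
    high_inclusive: bool  # True for "from X to Y", False for "from X before Y"

    def contains(self, v: Tuple[int, ...]) -> bool:
        lo, hi = parse_version(self.low), parse_version(self.high)
        if v < lo:
            return False
        return v <= hi if self.high_inclusive else v < hi

def is_affected(version: str, ranges: Iterable[Range]) -> bool:
    v = parse_version(version)
    return any(r.contains(v) for r in ranges)

# Zabbix, CVE-2023-29457 (QID 150706): inclusive ranges as listed in this post.
# Branches the post does not list (5.4, 6.2, ...) are deliberately not flagged.
ZABBIX_CVE_2023_29457 = [
    Range("4.0.0", "4.0.45", True),
    Range("5.0.0", "5.0.34", True),
    Range("6.0.0", "6.0.17", True),
]

# Bitbucket, CVE-2023-22513 (QID 150718): affected from 8.0.0. Branches 8.9 to
# 8.13 have in-branch fixes; 8.0 through 8.8 have none and must move to a
# fixed branch, so they are modelled as one range up to (not including) 8.9.0.
BITBUCKET_CVE_2023_22513 = [
    Range("8.0.0", "8.9.0", False),
    Range("8.9.0", "8.9.5", False),
    Range("8.10.0", "8.10.5", False),
    Range("8.11.0", "8.11.4", False),
    Range("8.12.0", "8.12.2", False),
    Range("8.13.0", "8.13.1", False),
]
```

Tuple comparison handles differing lengths correctly ((8, 9) sorts before (8, 9, 5)), which is why versions are parsed to tuples rather than compared as strings. The inclusive flag is worth keeping explicit: treating "to 4.0.45" as "before 4.0.45" would silently clear the last vulnerable build.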

QID 150719: PaperCut NG/MF Path Traversal Vulnerability (CVE-2023-39143)

CVE-ID: CVE-2023-39143
Severity: Level 4
CVSS 3.1: 9.8
CWE-ID: CWE-22
Affected Versions: PaperCut NG/MF prior to 22.1.3

Description:

PaperCut NG/MF is a print management system that provides administrative and user tools through a web browser from anywhere on the network.

A critical path traversal issue affects PaperCut NG/MF prior to 22.1.3 on Windows. An unauthenticated attacker can upload, read, or delete arbitrary files on the server, and when the external device integration setting is enabled this escalates to remote code execution. Since the prerequisite is a configuration setting rather than credentials, treat every internet-reachable Windows install as exploitable until patched.

All customers should upgrade to the latest PaperCut NG/MF version. Details of the patches are in the PaperCut Security Bulletin.
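The defect class above, a user-supplied path segment joined onto a server directory, is worth showing in its fixed and unfixed forms. As an added example (not PaperCut's code, and not the traversal used against it), the following Python shows why `os.path.join` plus `normpath` is not a containment check, and a resolver that rejects absolute input and `..` segments, treats backslashes as separators since the affected product runs on Windows, and finally confirms the resolved path is still under the base directory. The base directory and file names are constructed.

```python
import os
from pathlib import Path, PurePosixPath
from typing import Optional

def resolve_unsafe(base: str, user_path: str) -> str:
    # os.path.join drops `base` entirely when user_path is absolute, and
    # normpath happily walks "../" segments out of the base directory.
    return os.path.normpath(os.path.join(base, user_path))

def resolve_safe(base: str, user_path: str) -> Optional[str]:
    # Returns the absolute path if it stays under base, otherwise None.
    # Rejecting is safer than trying to strip ".." or leading slashes.
    root = Path(base).resolve()
    # Treat backslashes as separators before inspecting segments. The input
    # is assumed to be URL-decoded already; decode once, before this call.
    rel = PurePosixPath(user_path.replace("\\", "/"))
    if not rel.parts or rel.is_absolute() or ".." in rel.parts:
        return None
    # resolve() follows symlinks, so a link inside base that points outside
    # is caught by the containment check as well.
    candidate = (root / rel).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return str(candidate)
```

Deleting or writing through the safe resolver still needs an authorization check on who may touch that file; containment only guarantees the request cannot leave the directory.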

QID 150720: Cacti Prior to 1.2.25 Multiple Security Vulnerabilities

CVE-ID: CVE-2023-30534, CVE-2023-31132, CVE-2023-39357, CVE-2023-39358, CVE-2023-39359, CVE-2023-39360, CVE-2023-39361, CVE-2023-39362, CVE-2023-39364, CVE-2023-39365, CVE-2023-39366, CVE-2023-39510, CVE-2023-39511, CVE-2023-39512, CVE-2023-39513, CVE-2023-39514, CVE-2023-39515, CVE-2023-39516
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: CWE-502, CWE-306, CWE-89, CWE-20, CWE-79, CWE-78, CWE-601
Affected Versions: Cacti prior to 1.2.25

Description:

Cacti, an open-source web-based network monitoring and graphing tool originally built as a front end for the RRDtool data logging tool, has multiple security vulnerabilities fixed in release 1.2.25.

The vulnerabilities are:

  • CVE-2023-30534: Insecure deserialization of filter data.
  • CVE-2023-31132: Privilege escalation in cases where Cacti is installed using Windows Installer defaults.
  • CVE-2023-39357: SQL Injection vulnerability when saving data with sql_save().
  • CVE-2023-39358: Authenticated SQL injection vulnerability when managing reports.
  • CVE-2023-39359: Authenticated SQL injection vulnerability when managing graphs.
  • CVE-2023-39360: Cross-site scripting vulnerability when creating new graphs.
  • CVE-2023-39361: Unauthenticated SQL Injection when viewing graphs.
  • CVE-2023-39362: Authenticated command injection when using SNMP options.
  • CVE-2023-39364: Open redirect in the change password functionality.
  • CVE-2023-39365: SQL Injection when using regular expressions.
  • CVE-2023-39366: Cross-site scripting vulnerability with Device Name when managing Data Sources.
  • CVE-2023-39510: Cross-site scripting vulnerability with Device Name when administering Reports.
  • CVE-2023-39511: Cross-site scripting vulnerability with Device Name when editing Graphs while managing Reports.
  • CVE-2023-39512: Cross-site scripting vulnerability with Device Name when managing Data Sources.
  • CVE-2023-39513: Cross-site scripting vulnerability with Device Name when debugging data queries.
  • CVE-2023-39514: Cross-site scripting vulnerability with Data Source Name when managing Graphs.
  • CVE-2023-39515: Cross-site scripting vulnerability with Data Source Name when debugging Data Queries.
  • CVE-2023-39516: Cross-site scripting vulnerability with Data Source Information when managing Data Sources.

Several of these issues need no authentication (for example the SQL injection in graph viewing, CVE-2023-39361), and chaining them with the authenticated command injection or deserialization issues could let a remote attacker take control of the Cacti server.

All customers should upgrade to Cacti 1.2.25 or a later release.
