October 2023 Web Application Vulnerabilities Released

Hitesh Kadu

In October, the Qualys Web Application Scanning (WAS) team rolled out a critical security signatures update. This update now covers detecting vulnerabilities in several commonly used software applications. These applications include PaperCut NG/MF, Openfire, Citrix Application Delivery Controller (ADC), GraphQL, Atlassian Confluence Server and Data Center, WordPress, Apache Tomcat, Nginx, Zabbix, Oracle WebLogic Server, Apache HTTP Server, and Drupal.

It’s essential to note that if these vulnerabilities are left unaddressed, they can present substantial security risks, including the potential for data breaches, unauthorized access, and various malicious activities. To ensure the safety and security of their networks and systems, organizations should conduct a thorough security assessment and promptly resolve any identified vulnerabilities.

QID     Title
150721  PaperCut NG/MF Remote Code Execution (RCE) Vulnerability (CVE-2023-27350)
150722  Openfire Path Traversal Vulnerability (CVE-2023-32315)
150723  Citrix Application Delivery Controller (ADC) and Citrix Gateway Multiple Vulnerabilities (CTX477714)
150724  GraphQL Detected
150725  Atlassian Confluence Server and Data Center Broken Access Control Vulnerability (CVE-2023-22515)
150726  WordPress Media Library Assistant Plugin: Remote Code Execution Vulnerability (CVE-2023-4634)
150728  PaperCut NG/MF Unauthenticated XMLRPC Functionality (CVE-2023-4568)
150729  Apache Tomcat Denial of Service (DoS) Vulnerability (CVE-2023-42794)
150731  Detected Nginx Web Server
150732  Apache Tomcat Multiple Vulnerabilities (CVE-2023-42795, CVE-2023-44487, CVE-2023-45648)
150733  Zabbix Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2023-32721)
150734  Zabbix Stack-buffer Overflow Vulnerability (CVE-2023-32722)
150735  Oracle WebLogic Server Multiple Vulnerabilities (CPU – OCT2023)
150736  WordPress Royal Elementor Addons Plugin: Unauthenticated Arbitrary File Upload Vulnerability (CVE-2023-5360)
150737  Apache HTTP Server Prior to 2.4.58 Multiple Security Vulnerabilities
154143  Drupal Core: Cache Poisoning Vulnerability (CVE-2023-5256)
154144  WordPress W3 Total Cache Plugin: Reflected Cross-Site Scripting (XSS) Vulnerability (CVE-2021-24436)
154145  WordPress Information Disclosure Vulnerability (CVE-2023-39999)

QID 150721: PaperCut NG/MF Remote Code Execution (RCE) Vulnerability (CVE-2023-27350)

CVE-ID: CVE-2023-27350
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 284
Affected Versions:
  • PaperCut NG/MF version from 8.0.0 prior to 20.1.7
  • PaperCut NG/MF version from 21.0.0 prior to 21.2.11
  • PaperCut NG/MF version from 22.0.0 prior to 22.0.9

Description:

PaperCut NG/MF is a robust print management system designed for effortless resource monitoring and control. Its intuitive administrative and user tools are easily accessible through a secure web browser interface from anywhere on your network.

However, multiple versions of PaperCut NG/MF contain a critical authentication bypass in the SetupCompleted class. A remote, unauthenticated attacker can exploit this flaw to bypass authentication and execute arbitrary code on the targeted system in the SYSTEM context.

To mitigate this security risk, it is strongly recommended that customers promptly upgrade to the latest version of PaperCut NG/MF. For a comprehensive understanding of the patch details, please refer to the official PaperCut Security Bulletin.

QID 150722: Openfire Path Traversal Vulnerability (CVE-2023-32315)

CVE-ID: CVE-2023-32315
Severity: Level 4
CVSS 3.1: 7.5
CWE-ID: 22
Affected Versions:
  • Openfire from 3.10.0 to 4.6.8
  • Openfire from 4.7.0 to 4.7.5

Description:

Openfire, formerly known as Wildfire, stands as a versatile cross-platform real-time collaboration server built upon the XMPP protocol. It fosters seamless communication and collaboration among users.

However, a notable security concern came to light concerning Openfire’s administrative console, the Admin Console. This web-based application was vulnerable to a path traversal attack via the setup environment. This vulnerability allowed unauthenticated users to exploit the Openfire Setup Environment within an already configured Openfire environment, gaining unauthorized access to restricted pages within the Openfire Admin Console, typically reserved for administrative users. The successful exploitation of this vulnerability could potentially grant remote attackers access to sensitive files stored on the target server.

To secure your Openfire deployment, we strongly recommend that customers promptly upgrade to the latest version of Openfire. For in-depth information regarding this vulnerability, please refer to Openfire’s Security advisory.

QID 150723: Citrix Application Delivery Controller (ADC) and Citrix Gateway Multiple Vulnerabilities (CTX477714)

CVE-ID: CVE-2023-24487, CVE-2023-24488
Severity: Level 3
CVSS 3.1: 7.5
CWE-ID: 79, 253
Affected Versions:
  • Citrix ADC and Citrix Gateway 13.1 before 13.1-45.61
  • Citrix ADC and Citrix Gateway 13.0 before 13.0-90.11
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.35
  • Citrix ADC 13.1-FIPS before 13.1-37.150
  • Citrix ADC 12.1-FIPS and NDcPP before 12.1-55.296

Description:

Citrix ADC and Citrix Gateway are application delivery solutions designed for both on-premises and cloud environments. Security researchers Petr Juhanak, Dylan Pindur, and Wisdomtree have identified two significant vulnerabilities in them:

  • CVE-2023-24487: Arbitrary File Read Vulnerability
  • CVE-2023-24488: Cross-Site Scripting Vulnerability

To mitigate these vulnerabilities, customers are strongly advised to upgrade to the following versions:

  • Citrix ADC and Citrix Gateway 13.1-45.61 and later releases
  • Citrix ADC 12.1-FIPS 12.1-55.296 and later releases of 12.1-FIPS
  • Citrix ADC 13.1-FIPS 13.1-37.150 and later releases of 13.1-FIPS
  • Citrix ADC and Citrix Gateway 13.0-90.11 and later releases of 13.0
  • Citrix ADC and Citrix Gateway 12.1-65.35 and later releases of 12.1
  • Citrix ADC 12.1-NDcPP 12.1-55.296 and later releases of 12.1-NDcPP

For detailed information, please refer to the Citrix Security Bulletin – CTX477714.

QID 150724: GraphQL Detected

Description:

GraphQL is an open-source language used for querying and managing APIs, along with a server-side runtime designed specifically for efficiently handling these queries on an application’s data. It has gained popularity as a modern alternative to conventional REST or SOAP APIs due to its flexibility and optimized approach to retrieving data.

Qualys Web Application Scanning (WAS) has introduced this Information Gathered (IG) QID as a dedicated detection to identify the presence of GraphQL in the target application.

The existence of a GraphQL endpoint in an application presents a potential security risk, as malicious actors can potentially exploit it as a launching pad for various attacks against the target application.

To secure GraphQL endpoints, implement authentication, authorization, input validation, rate limiting, error handling, and monitoring while keeping dependencies up-to-date and disabling introspection in the production environment.

QID 150725: Atlassian Confluence Server and Data Center Broken Access Control Vulnerability (CVE-2023-22515)

CVE-ID: CVE-2023-22515
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 284
Affected Versions: Confluence versions 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.1.0, 8.1.1, 8.1.3, 8.1.4, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 8.4.1, 8.4.2, 8.5.0, 8.5.1

Description:

A serious security issue has been found in Atlassian Confluence Data Center and Server. This vulnerability, CVE-2023-22515, is rated critical with a high severity score. What makes it particularly concerning is that a remote attacker could exploit it with low complexity and without any user interaction. If successfully exploited, this vulnerability allows attackers to create unauthorized Confluence administrator accounts, giving them access to the Confluence instance.

To address this critical issue, Atlassian has released a fix. Customers should consult the Atlassian Security Advisory for detailed information on how to remedy this vulnerability.

QID 150726: WordPress Media Library Assistant Plugin: Remote Code Execution Vulnerability (CVE-2023-4634)

CVE-ID: CVE-2023-4634
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 73
Affected Versions: The Media Library Assistant plugin prior to 3.10

Description:

Media Library Assistant is a WordPress back-end plugin designed to streamline the organization and management of media files, enhancing the functionality of your website.

However, the Media Library Assistant plugin for WordPress is susceptible to two critical security vulnerabilities: Local File Inclusion and Remote Code Execution. Both stem from inadequate controls on file paths supplied to the ‘mla_stream_file’ parameter within the ~/includes/mla-stream-image.php file, where image processing is performed using Imagick(). This oversight allows unauthenticated attackers to introduce files via FTP, which can lead to directory listing, local file inclusion, and execution of arbitrary code on the target system.

To fortify the security of your WordPress website and prevent potential exploitation, we strongly recommend that customers promptly upgrade to Media Library Assistant plugin 3.10 or any subsequent versions.

QID 150728: PaperCut NG/MF Unauthenticated XMLRPC Functionality (CVE-2023-4568)

CVE-ID: CVE-2023-4568
Severity: Level 3
CVSS 3.1: 6.5
CWE-ID: 287
Affected Versions: PaperCut NG/MF version prior to 22.0.12

Description:

PaperCut NG/MF is a print management system designed for efficient resource monitoring and control. Some versions of PaperCut NG/MF have a security issue where unauthenticated XMLRPC commands can be executed by default. This means that unauthorized users can potentially access and control the system remotely through these commands, which can be a significant security risk.

To enhance the security of your PaperCut NG/MF installation, we strongly recommend applying the mitigations outlined by PaperCut for Unauthenticated XMLRPC Functionality. For comprehensive details, please refer to PaperCut’s IP Address Allow-listing guidance.

QID 150729: Apache Tomcat Denial of Service (DoS) Vulnerability (CVE-2023-42794)

CVE-ID: CVE-2023-42794
Severity: Level 2
CVSS 3.1: 7.5
CWE-ID: 459
Affected Versions:
  • Apache Tomcat 9.0.70 to 9.0.80
  • Apache Tomcat 8.5.85 to 8.5.93

Description:

Apache Tomcat is a popular web server and servlet container used in web applications. The issue stems from Tomcat’s own copy of the Commons FileUpload code, which included an unreleased, in-progress change that introduced the vulnerability. This issue primarily affects Windows systems.

The problem arises when a web application doesn’t properly close a file stream for an uploaded file. This can leave the file on the disk, eventually leading to a denial of service due to running out of disk space.

To address this security vulnerability in Apache Tomcat, it is crucial to upgrade to the recommended versions for your deployment. Specifically, updating to Apache Tomcat 9.0.81 or any later version for Tomcat 9 and Apache Tomcat 8.5.94 or any subsequent version for Tomcat 8 is essential. Detailed information about this vulnerability and the necessary steps for mitigation can be found in the Apache Tomcat 8 Security Advisory and Apache Tomcat 9 Security Advisory.

QID 150731: Detected Nginx Web Server

Description:

Nginx is a powerful web server with many uses, not just serving web pages. It can also act as a reverse proxy, load balancer, mail proxy, and HTTP cache. Its flexibility and efficiency make it a popular choice for various web infrastructure needs.

Qualys Web Application Scanning (WAS) has released a new QID to detect Nginx servers. This QID simplifies the identification of Nginx instances within your web infrastructure, giving you an inventory of where Nginx is exposed and supporting more effective security and performance management.

QID 150732: Apache Tomcat Multiple Vulnerabilities (CVE-2023-42795, CVE-2023-44487, CVE-2023-45648)

CVE-ID: CVE-2023-42795, CVE-2023-44487, CVE-2023-45648
Severity: Level 5
CVSS 3.1: 7.5
CWE-ID: 400, 20, 459
Affected Versions:
  • Apache Tomcat 11.0.0-M1 to 11.0.0-M11
  • Apache Tomcat 10.1.0-M1 to 10.1.13
  • Apache Tomcat 9.0.0-M1 to 9.0.80
  • Apache Tomcat 8.5.0 to 8.5.93

Description:

Apache Tomcat, a widely used open-source web server and servlet container developed by the Apache Software Foundation, has recently been found to have multiple vulnerabilities across various versions. These vulnerabilities are as follows:

  • CVE-2023-42795: Under certain conditions, Apache Tomcat may mishandle the recycling process of internal objects, such as request and response objects. This mishandling can lead to information leakage from the current request/response to the subsequent one.
  • CVE-2023-44487: Tomcat’s HTTP/2 implementation is susceptible to a rapid reset attack, often resulting in a denial of service condition, typically manifesting as an OutOfMemoryError.
  • CVE-2023-45648: Apache Tomcat fails to parse HTTP trailer headers accurately. Crafted, invalid trailer headers could trick Tomcat into treating a single request as multiple requests, potentially exposing vulnerabilities like request smuggling when deployed behind a reverse proxy.

Exploiting these vulnerabilities could lead to a Denial of Service (DoS) attack or unauthorized access to sensitive information. To mitigate these risks, we strongly advise customers to upgrade their Apache Tomcat installations to the following versions:

  • Apache Tomcat 11.0.0-M12 or any later release
  • Apache Tomcat 10.1.14 or any later version
  • Apache Tomcat 9.0.81 or any subsequent release
  • Apache Tomcat 8.5.94 or any later version

For a better understanding of these security problems and clear instructions on how to fix them, please check the Apache Tomcat Security Advisories: Apache Tomcat 8 Security Advisory, Apache Tomcat 9 Security Advisory, Apache Tomcat 10 Security Advisory, and Apache Tomcat 11 Security Advisory.

QID 150733: Zabbix Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2023-32721)

CVE-ID: CVE-2023-32721
Severity: Level 3
CVSS 3.1: 5.4
CWE-ID: 20, 79
Affected Versions:
  • Zabbix version from 4.0.0 to 4.0.47
  • Zabbix version from 5.0.0 to 5.0.36
  • Zabbix version from 6.0.0 to 6.0.20
  • Zabbix version from 6.4.0 to 6.4.5

Description:

Zabbix is a well-known tool for monitoring IT systems such as networks and servers. Recently, a stored Cross-Site Scripting (XSS) problem was found in the Zabbix web application. The issue is triggered when extra spaces are placed before a URL in a URL field, which lets the value slip past the application’s URL check. If an attacker exploits this, their script runs in the browser of a user viewing the Zabbix interface, potentially exposing sensitive information.

To make your Zabbix system safer, it’s crucial to update to the latest version. This update fixes the problem and keeps your IT monitoring secure and reliable. For comprehensive details and guidance on this issue, please refer to ZBX-23389.
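The bypass described above, as an added example that is not Zabbix’s code: a URL check that only inspects the first characters of a field is defeated by leading whitespace, because browsers strip leading spaces and control characters before parsing a URL. The naive check below is a constructed approximation of such a prefix check (an assumption, not the actual Zabbix logic); the strict validator normalizes the value the way a browser would before deciding on the scheme.

```python
"""Leading-whitespace bypass of a URL scheme check, and a stricter validator.

Constructed illustration: neither function is Zabbix's real code.
"""
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# A scheme must start at position 0 for this regex to match. A single leading
# space (or an embedded tab) makes the match fail, so the value is treated as
# a harmless relative link even though the browser will still execute it.
_SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.\-]*:")


def naive_is_safe(url: str) -> bool:
    """Constructed prefix-style check: accept anything that 'has no scheme'."""
    match = _SCHEME_RE.match(url)
    if match is None:
        return True  # looks relative, so it is accepted: this is the hole
    return match.group(0)[:-1].lower() in ALLOWED_SCHEMES


def _browser_normalize(url: str) -> str:
    """Mimic the WHATWG URL pre-processing browsers apply before parsing.

    Leading and trailing C0 control characters and spaces (U+0000..U+0020)
    are removed, and tab/newline characters are removed anywhere in the
    string. Done explicitly so the result does not depend on the Python
    version's own urlsplit() sanitisation.
    """
    url = url.strip("".join(chr(c) for c in range(0x21)))
    return url.replace("\t", "").replace("\n", "").replace("\r", "")


def strict_is_safe(url: str) -> bool:
    """Allow only absolute http(s) URLs or root-relative paths.

    Normalizes the way a browser would, then parses the scheme instead of
    pattern-matching the raw string. Protocol-relative (//host) and
    scheme-less host values are rejected rather than guessed at.
    """
    normalized = _browser_normalize(url)
    try:
        parts = urlsplit(normalized)
    except ValueError:  # e.g. malformed IPv6 bracket in netloc
        return False
    if parts.scheme:
        return parts.scheme.lower() in ALLOWED_SCHEMES
    return normalized.startswith("/") and not normalized.startswith("//")


def compare(url: str) -> dict:
    """Return both verdicts for a candidate value (handy for a unit test)."""
    return {"naive": naive_is_safe(url), "strict": strict_is_safe(url)}


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate link, the leading-space
    # variant from the advisory, and an embedded-tab variant.
    for sample in ["https://zabbix.example/map", " javascript:alert(1)",
                   "java\tscript:alert(1)", "/zabbix.php?action=dashboard.view"]:
        print(repr(sample), compare(sample))
```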

QID 150734: Zabbix Stack-buffer Overflow Vulnerability (CVE-2023-32722)

CVE-ID: CVE-2023-32722
Severity: Level 5
CVSS 3.1: 7.8
CWE-ID: 120
Affected Versions:
  • Zabbix version from 6.0.0 to 6.0.20
  • Zabbix version from 6.4.0 to 6.4.5

Description:

Zabbix, a trusted open-source IT infrastructure monitoring tool, is critical in overseeing networks, servers, virtual machines, and cloud services.

However, a concerning vulnerability has been identified within the zabbix/src/libs/zbxjson module. This vulnerability is related to a buffer overflow risk when parsing JSON files using zbx_json_open. Such buffer overflows typically pose a significant threat, potentially leading to remote code execution, making it crucial to address this issue promptly.

To make your Zabbix system safer, it’s crucial to update to the latest version. This update fixes the problem and keeps your IT monitoring secure and reliable. For comprehensive information and guidance on addressing this concern, please refer to ZBX-23390.

QID 150735: Oracle WebLogic Server Multiple Vulnerabilities (CPU – OCT2023)

CVE-ID: CVE-2022-42920, CVE-2022-29599, CVE-2023-22069, CVE-2023-22072, CVE-2023-22089, CVE-2023-22101, CVE-2022-29546, CVE-2022-23491, CVE-2023-22086, CVE-2023-22108, CVE-2022-44729, CVE-2023-2976, CVE-2021-36374, CVE-2020-13956, CVE-2023-35116
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 1352
Affected Versions:
  • Oracle WebLogic Server version 12.2.1.3.0
  • Oracle WebLogic Server version 12.2.1.4.0
  • Oracle WebLogic Server version 14.1.1.0.0

Description:

Oracle WebLogic Server, used by businesses to run their applications, has multiple security issues in specific versions: 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0.

Exploitation of these vulnerabilities is serious: an attacker could take over the entire server, access sensitive information, and disrupt business applications.

Oracle has released patches to fix these issues. If you are using Oracle WebLogic Server, update it with these patches. You can find more details about the patches in the Oracle Critical Patch Update Advisory – OCT2023.

QID 150736: WordPress Royal Elementor Addons Plugin: Unauthenticated Arbitrary File Upload Vulnerability (CVE-2023-5360)

CVE-ID: CVE-2023-5360
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 20
Affected Versions: Royal Elementor Addons prior to version 1.3.79

Description:

The Royal Elementor Addons and Templates plugin for WordPress has a security issue in how files are uploaded. The vulnerability arises from inadequate file type validation within the handle_file_upload() function, which is reachable via AJAX. This lapse lets attackers manipulate the “allowed_file_types” parameter by introducing a preferred file extension with a special character, so the uploaded file bypasses the plugin’s filtering. If successfully exploited, this vulnerability allows unauthenticated attackers to upload arbitrary files to the targeted site’s server, potentially leading to remote code execution.

To make your WordPress website more secure and avoid these risks, it’s essential to update the Royal Elementor Addons plugin to version 1.3.79 or newer. You can find more information and instructions in the Wordfence Advisory.

QID 150737: Apache HTTP Server Before 2.4.58 Multiple Security Vulnerabilities

CVE-ID: CVE-2023-43622, CVE-2023-31122, CVE-2023-45802
Severity: Level 3
CVSS 3.1: 9.1
CWE-ID: 125, 400
Affected Versions: Apache HTTP Server version from 2.4.0 to 2.4.57

Description:

The Apache HTTP Server, commonly known as Apache, is a widely used open-source, cross-platform web server.

Versions of the Apache HTTP Server before 2.4.58 are susceptible to the following vulnerabilities:

  • CVE-2023-31122: An Out-of-bounds Read vulnerability found in mod_macro of Apache HTTP Server.
  • CVE-2023-43622: A Denial of Service (DoS) issue in HTTP/2, mainly when the initial window size is set to 0.
  • CVE-2023-45802: In HTTP/2, when a client resets a stream (RST frame), the memory allocated for that request is not promptly reclaimed. This can lead to uncontrolled resource consumption or a buffer over-read, especially if an attacker keeps the connection busy and open by continually sending new requests and resets.

To make your Apache server more secure and prevent these vulnerabilities, it’s highly advised to update to the newest version of Apache HTTP Server. This upgrade remediates these concerns and helps maintain the security and stability of your web server. For comprehensive information regarding these vulnerabilities, please refer to Apache’s Security advisory.

QID 154143: Drupal Core: Cache Poisoning Vulnerability (CVE-2023-5256)

CVE-ID: CVE-2023-5256
Severity: Level 4
CVSS 3.1: 7.5
CWE-ID: 200
Affected Versions:
  • Drupal from 8.7.0 to 9.5.11
  • Drupal from 10.0.0 to 10.0.11
  • Drupal from 10.1.0 to 10.1.4

Description:

Drupal is a flexible, open-source content management system. However, there is a concern with the JSON:API module in Drupal: in certain situations it can reveal error information, and that error output can be cached. Cached sensitive data may then be served to people without proper access, exposing it to unauthorized users.

This problem affects only websites that use the JSON:API module. To lower the risk, site administrators can choose to uninstall this module.

To make your Drupal setup safer and prevent these potential issues, it’s strongly recommended to update to the latest version of Drupal. For detailed insights into this vulnerability and comprehensive guidance, please refer to Drupal’s Security Advisory, SA-CORE-2023-006.

QID 154144: WordPress W3 Total Cache Plugin: Reflected Cross-Site Scripting (XSS) Vulnerability (CVE-2021-24436)

CVE-ID: CVE-2021-24436
Severity: Level 3
CVSS 3.1: 6.1
CWE-ID: 79
Affected Versions: W3 Total Cache prior to version 2.1.4

Description:

W3 Total Cache is a WordPress plugin that improves SEO, Core Web Vitals, and overall user experience by optimizing website performance and reducing loading times through features such as content delivery network (CDN) integration.

Some versions of W3 Total Cache have a reflected Cross-Site Scripting (XSS) flaw in the “extension” parameter on the Extensions dashboard. If an attacker successfully exploits this, their script runs in the browser of the targeted user in the context of the WordPress admin interface, possibly accessing sensitive information.

To safeguard your WordPress website against these risks, we strongly advise customers to promptly upgrade to the latest version of the W3 Total Cache plugin. This upgrade effectively addresses the vulnerability and maintains the security and performance of your site. For comprehensive insights into addressing this concern, please consult the WPScan Advisory.

QID 154145: WordPress Information Disclosure Vulnerability (CVE-2023-39999)

CVE-ID: CVE-2023-39999
Severity: Level 3
CVSS 3.1: 4.3
CWE-ID: 200
Affected Versions:
  • WordPress from 4.1 to 4.1.38
  • WordPress from 4.2 to 4.2.35
  • WordPress from 4.3 to 4.3.31
  • WordPress from 4.4 to 4.4.30
  • WordPress from 4.5 to 4.5.29
  • WordPress from 4.6 to 4.6.26
  • WordPress from 4.7 to 4.7.26
  • WordPress from 4.8 to 4.8.22
  • WordPress from 4.9 to 4.9.23
  • WordPress from 5.0 to 5.0.19
  • WordPress from 5.1 to 5.1.16
  • WordPress from 5.2 to 5.2.18
  • WordPress from 5.3 to 5.3.15
  • WordPress from 5.4 to 5.4.13
  • WordPress from 5.5 to 5.5.12
  • WordPress from 5.6 to 5.6.11
  • WordPress from 5.7 to 5.7.9
  • WordPress from 5.8 to 5.8.7
  • WordPress from 5.9 to 5.9.7
  • WordPress from 6.0 to 6.0.5
  • WordPress from 6.1 to 6.1.3
  • WordPress from 6.2 to 6.2.2
  • WordPress from 6.3 to 6.3.1

Description:

WordPress, a widely used free and open-source content management system written in PHP and backed by a MySQL or MariaDB database, has a security vulnerability that demands attention.

This vulnerability can expose sensitive information to unauthorized actors. If successfully exploited, attackers gain access to that sensitive information, which can have serious consequences.

To fortify the security of your WordPress installation and guard against such threats, we strongly recommend that customers promptly upgrade to the latest version of WordPress. For comprehensive insights into these security concerns, please visit the WordPress Security Release for additional information.
