November 2023 Web Application Vulnerabilities Released

Hitesh Kadu

In November, the Qualys Web Application Scanning (WAS) team released a critical security signatures update. This update now includes the detection of vulnerabilities in several commonly used software applications, such as Barracuda Email Security Gateway (ESG), Atlassian Confluence Server and Data Center, Cisco IOS XE, Grafana, dotCMS, WS_FTP, Juniper Network Operating System (Junos OS), Apache OFBiz, Splunk, Microsoft Exchange Server, Adobe ColdFusion, and GeoServer. It’s essential to note that if these vulnerabilities are left unaddressed, they can pose substantial security risks, including the potential for data breaches, unauthorized access, and various malicious activities. To ensure the safety and security of their networks and systems, organizations should conduct a thorough security assessment and promptly resolve any identified vulnerabilities.

QID     Title
150701  Barracuda Email Security Gateway (ESG) Command Injection Vulnerability (CVE-2023-2868)
150738  Atlassian Confluence Server and Data Center Improper Authorization Vulnerability (CVE-2023-22518)
150739  Cisco IOS XE Web UI Privilege Escalation Vulnerability (CVE-2023-20198)
150740  Grafana Improper Privilege Management Vulnerability (CVE-2023-4822)
150741  dotCMS Broken Access Control Vulnerability (CVE-2023-3042)
150742  WS_FTP Server Multiple Critical Vulnerabilities – (September 2023)
150744  Juniper Network Operating System (Junos OS) Remote Code Execution (RCE) Vulnerability (CVE-2023-36845)
150745  Atlassian Confluence Server and Data Center Broken Access Control Vulnerability (CVE-2023-22515) (Exploitation Check)
150746  Apache OFBiz: Unauthenticated Execution of Solr Plugin Queries (CVE-2023-46819)
150747  Splunk Enterprise Remote Code Execution Vulnerability (CVE-2023-46214)
150748  Microsoft Exchange Server: Unauthenticated Multiple Server-Side Request Forgery Vulnerabilities (0day)
150749  WordPress WP Fastest Cache Plugin: SQL Injection Vulnerability (CVE-2023-6063)
150750  Adobe ColdFusion Multiple Arbitrary Code Execution and Security Feature Bypass Vulnerability (APSB23-52)
150751  GeoServer Web Map Service (WMS) Dynamic Styling Server-Side Request Forgery (SSRF) Vulnerability (CVE-2023-41339)
150752  GeoServer Web Processing Service (WPS) Server-Side Request Forgery (SSRF) Vulnerability (CVE-2023-43795)

QID 150701: Barracuda Email Security Gateway (ESG) Command Injection Vulnerability (CVE-2023-2868)

CVE-ID: CVE-2023-2868
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 77, 20
Affected Versions: Barracuda ESG from version 5.1.3.001 up to 9.2.0.006

Description:

The Barracuda Email Security Gateway (ESG) serves as a crucial email security gateway, overseeing and filtering all inbound and outbound email traffic to safeguard organizations against email-borne threats and data leaks.

A critical remote command injection vulnerability has been identified in the Barracuda Email Security Gateway due to inadequate sanitization during .tar file processing. The vulnerability arises from incomplete input validation of user-supplied .tar files, specifically of the names of files within the archive. Exploitation of this vulnerability could enable a remote attacker to execute arbitrary code on the target system with the privileges of the Email Security Gateway.

To address this security risk, it is strongly recommended that customers upgrade to Barracuda Email Security Gateway version 9.2.0.008 or later. Furthermore, impacted customers should cease the use of the compromised ESG appliance and promptly contact Barracuda support to acquire a new ESG virtual or hardware appliance. As an additional precautionary measure, users are advised to rotate any relevant credentials associated with the ESG appliance, including those connected to LDAP or AD, Barracuda Cloud Control, FTP Server, SMB, and any private TLS certificates. For comprehensive details on this vulnerability, please refer to the Barracuda Security Advisory.
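The root cause above is an archive member name that reaches a command line without validation. The following is an added example, not Barracuda's code, showing the kind of check an archive-processing component should apply before it does anything with a member name: reject absolute paths, traversal components, shell metacharacters and anything outside a conservative allow-list. The sample archive is constructed in memory; the member names in it are illustrative and carry no payload.

```python
import io
import tarfile
from typing import List, Tuple

# Characters a POSIX shell interprets; a member name containing any of these
# must never be interpolated into a command string (constructed set).
SHELL_META_CHARS = set("`$|;&<>()[]{}\\\"' \t\n\r*?~!")

# Conservative allow-list for a legitimate attachment name: letters, digits,
# dot, underscore, hyphen, with '/' only as a directory separator.
ALLOWED_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-/")


def check_member_name(name: str) -> List[str]:
    """Return a list of reasons this member name is unsafe; empty means OK."""
    problems: List[str] = []
    if name.startswith("/"):
        problems.append("absolute path")
    if any(part == ".." for part in name.split("/")):
        problems.append("path traversal component")
    if any(ch in SHELL_META_CHARS for ch in name):
        problems.append("shell metacharacter")
    if not problems and (not name or any(ch not in ALLOWED_CHARS for ch in name)):
        problems.append("character outside allow-list")
    return problems


def unsafe_members(tar_bytes: bytes) -> List[Tuple[str, List[str]]]:
    """Inspect every member of an in-memory tar and report the ones that fail validation."""
    findings: List[Tuple[str, List[str]]] = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            problems = check_member_name(member.name)
            if problems:
                findings.append((member.name, problems))
    return findings


def build_sample_tar(names: List[str]) -> bytes:
    """Build a small tar archive with one-byte files under the given names (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"x"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_tar(
        ["ok-file_1.txt", "sub/dir.txt", "bad|name.txt", "../../etc/escape.txt", "/abs/path.txt"]
    )
    for name, why in unsafe_members(sample):
        print(f"REJECT {name!r}: {', '.join(why)}")
```

The point of validating before use (rather than quoting at the point of the shell call) is that the archive listing is then safe for every downstream consumer, including logging and file-system operations, not just the one command the developer remembered to escape. A rejected member should fail the whole archive, since an attacker controls which members are present.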

NOTE: For Selenium-based authentication please use Qualys Browser Recorder. For more details on creating Selenium scripts please refer to Qualys Browser Recorder Guide.

QID 150738: Atlassian Confluence Server and Data Center Improper Authorization Vulnerability (CVE-2023-22518)

CVE-ID: CVE-2023-22518
Severity: Level 5
CVSS 3.1: 9.1
CWE-ID: 286
Affected Versions:
  Confluence versions prior to 7.19.16
  Confluence versions prior to 8.3.4
  Confluence versions prior to 8.4.4
  Confluence versions prior to 8.5.3
  Confluence versions prior to 8.6.1

Description:

Confluence, a widely used team collaboration tool by Atlassian, has a serious security flaw affecting all versions of Confluence Data Center and Server. This issue allows attackers to reset Confluence and create an administrator account without proper permission, giving them unauthorized control and potentially leading to data loss.

Atlassian has released a fix to address this issue. Customers are advised to upgrade to Confluence version 7.19.16, 8.3.4, 8.4.4, 8.5.3, 8.6.1 or later. For more information pertaining to remediating this vulnerability, please refer to the Atlassian Security Advisory.

QID 150739: Cisco IOS XE Web UI Privilege Escalation Vulnerability (CVE-2023-20198)

CVE-ID: CVE-2023-20198
Severity: Level 5
CVSS 3.1: 10
CWE-ID: 269
Affected Versions:
  Cisco IOS XE from 16.12 up to 16.12.10a
  Cisco IOS XE from 17.3 up to 17.3.8a
  Cisco IOS XE from 17.6 up to 17.6.6a
  Cisco IOS XE from 17.9 up to 17.9.4a

Description:

Cisco IOS XE, a network operating system used for enterprise networking by Cisco Systems, is facing a privilege escalation vulnerability in its web user interface. This flaw could enable a remote, unauthenticated attacker to create an account with privileged access level 15. The attacker can then use that account to gain control of the affected device.

Cisco has released fixes to address CVE-2023-20198. Customers are advised to refer to the Software Fix Availability document for detailed information. For more information pertaining to this vulnerability, please refer to the Cisco Security Advisory.

QID 150740: Grafana Improper Privilege Management Vulnerability (CVE-2023-4822)

CVE-ID: CVE-2023-4822
Severity: Level 4
CVSS 3.1: 7.2
CWE-ID: 269
Affected Versions:
  Grafana versions from 8.0.0 to 9.4.16
  Grafana versions from 9.5.0 to 9.5.11
  Grafana versions from 10.0.0 to 10.0.7
  Grafana versions from 10.1.0 to 10.1.3

Description:

Grafana is a multi-platform open-source analytics and interactive visualization web application. It provides charts, graphs, and alerts for the web when connected to supported data sources.

The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with the Organization Viewer, Organization Editor and Organization Admin roles in all organizations. It also allows an Organization Admin to assign or revoke any permissions that they hold to any user globally. This means that any Organization Admin can elevate their own permissions in any organization they are already a member of, or elevate or restrict the permissions of any other user. The vulnerability does not allow a user to become a member of an organization they are not already a member of, or to add any other users to an organization the current user is not a member of.

Customers are advised to upgrade Grafana to the latest version to remediate this vulnerability. For more information regarding this vulnerability, please refer to the Grafana Advisory.

QID 150741: dotCMS Broken Access Control Vulnerability (CVE-2023-3042)

CVE-ID: CVE-2023-3042
Severity: Level 3
CVSS 3.1: 6.1
CWE-ID: 79, 20
Affected Versions: dotCMS versions from 5.3.8, 21.06, 22.03 and 23.01

Description:

dotCMS, an open-source content management system written in Java, has a security flaw in its NormalizationFilter, which fails to remove double slashes (//) from URLs. Because the request path is not fully normalized before later checks run, this can open avenues for bypassing cross-site scripting (XSS) protections and access controls. If successfully exploited, an attacker could trigger XSS and manipulate access controls.

To address this vulnerability, it is strongly advised that customers upgrade to the latest version of dotCMS. More information about this issue can be found in the SI-68 reference.
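The dotCMS weakness is a general one: an access-control check that compares the raw request path against a protected prefix is only as good as the normalization that runs before it. The following is an added example, not dotCMS code, that shows a path normalizer collapsing repeated slashes and resolving dot segments (after a single percent-decode), beside a naive prefix check that a doubled slash slips past. The protected prefixes are constructed for the example.

```python
from typing import List, Tuple
from urllib.parse import unquote

# Path prefixes that require an authenticated administrator (constructed for this example).
PROTECTED_PREFIXES: Tuple[str, ...] = ("/admin", "/api/v1/private")


def normalize_path(path: str) -> str:
    """Canonicalize a URL path: decode once, drop empty and '.' segments, resolve '..'.

    Empty segments are what '//' (and leading/trailing slashes) produce when
    splitting, so dropping them collapses any run of slashes to one.
    '..' is resolved without ever climbing above the root.
    """
    decoded = unquote(path)  # decode exactly once; decoding in a loop is its own bug class
    segments: List[str] = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def naive_is_protected(path: str) -> bool:
    """The weak check: a literal prefix match on the raw path."""
    return path.startswith(PROTECTED_PREFIXES)


def is_protected(path: str) -> bool:
    """The hardened check: normalize first, then match whole path segments only."""
    norm = normalize_path(path)
    return any(norm == prefix or norm.startswith(prefix + "/") for prefix in PROTECTED_PREFIXES)


if __name__ == "__main__":
    for candidate in ("/admin/users", "//admin/users", "/public/../admin/./users", "/adminx"):
        print(f"{candidate!r:32} naive={naive_is_protected(candidate)!s:5} "
              f"normalized={normalize_path(candidate)!r} protected={is_protected(candidate)}")
```

Two details matter in practice. First, the check matches whole segments, so "/adminx" is not mistaken for "/admin", while "/admin" itself and anything beneath it are covered. Second, normalization must be applied once, centrally, before every filter that reasons about the path; a filter chain where one component sees "//admin" and another sees "/admin" is exactly the inconsistency the advisory describes.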

QID 150742: WS_FTP Server Multiple Critical Vulnerabilities – (September 2023)

CVE-ID: CVE-2023-40044, CVE-2023-42657, CVE-2023-40045
Severity: Level 5
CVSS 3.1: 9.6
CWE-ID: 22, 502, 79
Affected Versions:
  WS_FTP prior to version 8.7.4
  WS_FTP from 8.8.0 to 8.8.1

Description:

WS_FTP, a secure file transfer software from Ipswitch, Inc., is facing several security vulnerabilities:

CVE-2023-40044: In WS_FTP Server, a pre-authenticated attacker could use a .NET deserialization flaw in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.

CVE-2023-42657: WS_FTP Server has a directory traversal vulnerability. An attacker could exploit this to perform unauthorized file operations outside of their allowed WS_FTP folder path, potentially affecting the underlying operating system.

CVE-2023-40045: WS_FTP Server’s Ad Hoc Transfer module has a reflected cross-site scripting (XSS) vulnerability. Exploiting this could allow an attacker to execute malicious JavaScript in a user’s browser, potentially leading to unauthorized file manipulation or remote command execution.

To address these issues, customers are strongly advised to upgrade to WS_FTP version 8.8.2 or later. For more details about the patches, please refer to the WS_FTP Server Advisory.

QID 150744: Juniper Network Operating System (Junos OS) Remote Code Execution (RCE) Vulnerability (CVE-2023-36845)

CVE-ID: CVE-2023-36845
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 473
Affected Versions:
  21.1 version 21.1R1 and later versions
  21.2 versions prior to 21.2R3-S7
  21.3 versions prior to 21.3R3-S5
  21.4 versions prior to 21.4R3-S5
  22.1 versions prior to 22.1R3-S4
  22.2 versions prior to 22.2R3-S2
  22.3 versions prior to 22.3R2-S2, 22.3R3-S1
  22.4 versions prior to 22.4R2-S1, 22.4R3
  23.2 versions prior to 23.2R1-S1, 23.2R2

Description:

Juniper Junos is the network operating system used in Juniper Networks’ hardware systems. A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allows an unauthenticated, network-based attacker to control an important environment variable. Using a crafted request that sets the variable PHPRC, an attacker is able to modify the PHP execution environment, allowing the injection and execution of code.

The vendor has released a patch addressing the vulnerability. For more information, please refer to JSA72300.

QID 150745: Atlassian Confluence Server and Data Center Broken Access Control Vulnerability (CVE-2023-22515) (Exploitation Check)

CVE-ID: CVE-2023-22515
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 284
Affected Versions: Confluence versions 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.1.0, 8.1.1, 8.1.3, 8.1.4, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 8.4.1, 8.4.2, 8.5.0, 8.5.1

Description:

A serious security issue has been found in the Atlassian Confluence Data Center and Server. This vulnerability, known as CVE-2023-22515, is rated as critical with a high severity score. What makes it particularly concerning is that a remote attacker could potentially exploit it without much effort or any user interaction. If successfully exploited, this vulnerability allows attackers to create unauthorized Confluence administrator accounts, providing them access to Confluence instances.

To address this critical issue, Atlassian has released a fix. Customers should consult the Atlassian Security Advisory for detailed information on how to remedy this vulnerability.

QID 150746: Apache OFBiz: Unauthenticated Execution of Solr Plugin Queries (CVE-2023-46819)

CVE-ID: CVE-2023-46819
Severity: Level 3
CVSS 3.1: 5.3
CWE-ID: 306
Affected Versions: Apache OFBiz before 18.12.09

Description:

Apache OFBiz, an open-source enterprise resource planning system, offers a suite of applications for integrating and automating various business processes within an enterprise.

A security concern has been identified: Missing Authentication in Apache OFBiz when utilizing the Solr plugin. If exploited, this vulnerability could enable an attacker to execute Solr plugin queries without authentication. To address this vulnerability, customers are strongly recommended to upgrade to the latest version of Apache OFBiz. For additional details about this vulnerability, please refer to the Apache OFBiz Advisory.

QID 150747: Splunk Enterprise Remote Code Execution Vulnerability (CVE-2023-46214)

CVE-ID: CVE-2023-46214
Severity: Level 5
CVSS 3.1: 8.8
CWE-ID: 91
Affected Versions: Splunk Enterprise versions below 9.0.7 and 9.1.2

Description:

Splunk Enterprise, a powerful software tool for searching, analyzing, and visualizing IT infrastructure or business data, has been identified with a security concern. Specifically, Splunk Enterprise does not safely sanitize extensible stylesheet language transformations (XSLT) provided by users. This oversight could allow an attacker to upload malicious XSLT, potentially leading to remote code execution on the Splunk Enterprise instance.

To address this vulnerability, customers are strongly recommended to upgrade Splunk Enterprise to version 9.0.7, 9.1.2, or any subsequent releases. This update is crucial for mitigating the risk of remote code execution. For more detailed information about this vulnerability, please refer to SVD-2023-1104.

QID 150748: Microsoft Exchange Server: Unauthenticated Multiple Server-Side Request Forgery Vulnerabilities (0day)

CVE-ID: NA
Severity: Level 4
CVSS 3.1: 8.3
CWE-ID: 918
Affected Versions: Microsoft Exchange Server

Description:

Microsoft Exchange Server, a widely used mail and calendaring server developed by Microsoft, has been identified with a security vulnerability. This vulnerability is an authenticated Server-Side Request Forgery (SSRF) issue, specifically found within the CreateAttachmentFromUri, DownloadDataFromUri and DownloadDataFromOfficeMarketPlace methods. The problem arises from the lack of proper validation of a Uniform Resource Identifier (URI) before accessing resources. Exploiting this flaw allows an attacker to disclose information in the context of the Exchange server.

As of now, Microsoft has not released a patch to address this vulnerability. For more in-depth details about this security concern, please refer to the ZDI Blog or the ZDI-23-1581, ZDI-23-1579 and ZDI-23-1580 advisories.

QID 150749: WordPress WP Fastest Cache Plugin: SQL Injection Vulnerability (CVE-2023-6063)

CVE-ID: CVE-2023-6063
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 89
Affected Versions: WP Fastest Cache versions up to and including 1.2.2

Description:

WP Fastest Cache is a WordPress plugin that provides page caching together with speed optimization features for WordPress sites.

The WP Fastest Cache plugin for WordPress has a security issue that allows attackers to perform SQL injection. This occurs because the plugin does not properly handle the $username variable taken from user cookies, omitting the necessary precautions when it is used in the SQL query. As a result, unauthenticated attackers can append additional SQL to the existing query, potentially extracting sensitive data from the database. An unauthorized attacker could use this weakness to access the database, take sensitive information, and control the database by making changes or deletions using SQL commands. Customers are advised to upgrade to WP Fastest Cache 1.2.2 or a later version to remediate this vulnerability.
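A cookie value spliced into a query string is the whole of the defect above; the fix is a parameterized query, so the value can only ever be data. The following is an added example, not the plugin's code, written against an in-memory SQLite database so it runs offline: the vulnerable lookup and the parameterized one are given the same hostile cookie value and return different result sets. The table, rows and cookie value are constructed for the example.

```python
import sqlite3
from typing import List, Tuple


def setup_db() -> sqlite3.Connection:
    """Create a throwaway users table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (login, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, cookie_username: str) -> List[Tuple[int, str]]:
    """The pattern the advisory describes: the cookie value becomes part of the SQL text.

    A value containing a quote character changes the structure of the query,
    so the WHERE clause no longer means what the developer wrote.
    """
    query = f"SELECT id, login FROM users WHERE login = '{cookie_username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, cookie_username: str) -> List[Tuple[int, str]]:
    """The hardened version: the query text is fixed and the value is bound as a parameter.

    Whatever the cookie contains, it is compared as one opaque string against
    the login column; it cannot add clauses to the statement.
    """
    return conn.execute(
        "SELECT id, login FROM users WHERE login = ?", (cookie_username,)
    ).fetchall()


def compare(cookie_username: str) -> Tuple[int, int]:
    """Return (rows from vulnerable lookup, rows from parameterized lookup) for one cookie value."""
    conn = setup_db()
    try:
        return len(lookup_vulnerable(conn, cookie_username)), len(lookup_parameterized(conn, cookie_username))
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed hostile cookie value: a quote that closes the literal, then an always-true clause.
    hostile = "alice' OR '1'='1"
    print("benign cookie   :", compare("alice"))   # both lookups find exactly one row
    print("hostile cookie  :", compare(hostile))   # vulnerable returns every row, parameterized returns none
```

In the plugin's own environment the equivalent of the parameterized call is `$wpdb->prepare()` with `%s` placeholders rather than interpolating `$username` into the string. Escaping the value by hand is a weaker substitute because it must be repeated correctly at every use site; binding parameters removes the whole class of mistake.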

QID 150750: Adobe ColdFusion Multiple Arbitrary Code Execution and Security Feature Bypass Vulnerability (APSB23-52)

CVE-ID: CVE-2023-44350, CVE-2023-26347, CVE-2023-44351, CVE-2023-44352, CVE-2023-44353, CVE-2023-44355
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 502, 284, 79, 20
Affected Versions:
  ColdFusion (2023 release) Update 5 and earlier versions
  ColdFusion (2021 release) Update 11 and earlier versions

Description:

Adobe ColdFusion, an application server for building and deploying web and mobile applications, is currently facing multiple vulnerabilities, including Deserialization of Untrusted Data, Improper Access Control, Cross-Site Scripting (XSS), and Improper Input Validation. These vulnerabilities pose risks such as Arbitrary Code Execution and Security Feature Bypass. Adobe has responded to these concerns by issuing security updates for ColdFusion versions 2023 and 2021.

Successful exploitation of these vulnerabilities could enable an attacker to execute arbitrary code on the targeted system. To mitigate these risks, customers are strongly advised to upgrade to ColdFusion 2023 Update 6 and ColdFusion 2021 Update 12. For more information pertaining to these vulnerabilities, please refer to APSB23-52.

QID 150751: GeoServer Web Map Service (WMS) Dynamic Styling Server-Side Request Forgery (SSRF) Vulnerability (CVE-2023-41339)

CVE-ID: CVE-2023-41339
Severity: Level 4
CVSS 3.1: 5.3
CWE-ID: 918
Affected Versions:
  GeoServer versions prior to version 2.22.5
  GeoServer versions prior to version 2.23.2

Description:

GeoServer, an open-source software server written in Java, facilitates the sharing and editing of geospatial data. A security vulnerability has been identified in GeoServer related to the WMS specification, which defines an “sld” parameter for operations such as GetMap, GetLegendGraphic and GetFeatureInfo. This vulnerability allows user-supplied ‘dynamic styling’ to be fetched without proper URL checks, potentially leading to Server-Side Request Forgery (SSRF).

Exploiting this vulnerability could enable an unauthenticated attacker to perform a blind SSRF attack, including the theft of NetNTLMv2 hashes through file requests to malicious servers. To address this security risk, customers are advised to upgrade to GeoServer version 2.22.5, 2.23.2 or later. For more information pertaining to this vulnerability, please refer to the GeoServer Security Advisory.

QID 150752: GeoServer Web Processing Service (WPS) Server-Side Request Forgery (SSRF) Vulnerability (CVE-2023-43795)

CVE-ID: CVE-2023-43795
Severity: Level 4
CVSS 3.1: 9.8
CWE-ID: 918
Affected Versions:
  GeoServer versions prior to version 2.22.5
  GeoServer versions prior to version 2.23.2

Description:

GeoServer, a Java-based open-source software server, enables users to share and edit geospatial data. A security vulnerability has been identified in GeoServer related to the OGC Web Processing Service (WPS) specification. Because WPS is designed to fetch and process input referenced from any server using GET and POST requests, it creates a potential avenue for Server-Side Request Forgery (SSRF) attacks when the referenced URLs are not restricted.

Exploiting this vulnerability could result in unauthorized access, data exposure, and potential access to internal systems or services. To address this security concern, customers are advised to upgrade to GeoServer version 2.22.5, 2.23.2 or later. For more information pertaining to this vulnerability, please refer to the GeoServer Security Advisory.
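Both GeoServer entries (the WMS “sld” parameter and the WPS remote inputs) come down to the server fetching a URL the client chose. The following is an added example, not GeoServer's code, of the validation a service should apply to such a URL before making the request: an explicit scheme allow-list that excludes file and UNC-style references, rejection of embedded credentials, rejection of literal addresses in loopback, private, link-local and other non-routable ranges, and finally an operator-maintained host allow-list. The allowed hosts are constructed for the example.

```python
import ipaddress
from typing import Tuple
from urllib.parse import urlsplit

# Only web schemes may be fetched; 'file', 'ftp', 'jar' and a missing scheme
# (which is what a UNC path like \\server\share parses to) are all rejected.
ALLOWED_SCHEMES = {"http", "https"}

# Hosts an operator has explicitly approved as remote style/input sources
# (constructed for this example; a real deployment loads this from config).
ALLOWED_HOSTS = {"styles.example.test", "tiles.example.test"}


def is_forbidden_address(host: str) -> bool:
    """True if host is a literal IP in a range the server must never reach out to."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not a literal address; the host allow-list decides
    return (
        ip.is_loopback
        or ip.is_private
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def validate_remote_url(url: str) -> Tuple[bool, str]:
    """Decide whether a client-supplied URL may be fetched; returns (allowed, reason)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme '{parts.scheme}' not allowed"
    host = parts.hostname  # already lower-cased and stripped of IPv6 brackets
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    if is_forbidden_address(host):
        return False, "address in a forbidden range"
    if host not in ALLOWED_HOSTS:
        return False, f"host '{host}' not on allow-list"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://styles.example.test/basic.sld",
        "file:///etc/hosts",
        "\\\\fileserver.example.test\\share\\style.sld",
        "http://127.0.0.1:8080/geoserver/rest",
        "http://169.254.169.254/latest/meta-data/",
        "http://other.example.test/style.sld",
    ):
        allowed, reason = validate_remote_url(candidate)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {candidate!r}: {reason}")
```

Two caveats apply when this check guards a real HTTP client. The address check above only sees literal IPs; for a host name the client must resolve it, apply `is_forbidden_address` to every resolved address, and connect to that same address, otherwise a DNS answer that changes between check and connect defeats the test. And redirects must either be disabled or have each hop passed back through `validate_remote_url`, since an allowed host can otherwise redirect the fetch to an internal one.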
