December 2023 Web Application Vulnerabilities Released

Hitesh Kadu

In December, the Qualys Web Application Scanning (WAS) team released a critical security signatures update. The update adds detection for vulnerabilities in several commonly used software applications, including ownCloud, WordPress, Apache Tomcat, Apache Superset, Apache ActiveMQ, Apache OFBiz, OpenCMS, Zabbix, Atlassian Confluence Server and Data Center, and Apache Struts2. If left unaddressed, these vulnerabilities pose substantial security risks, including data breaches, unauthorized access, and other malicious activity. Organizations should conduct a thorough security assessment of their networks and systems and promptly remediate any identified vulnerabilities.

QID      Title
150753   ownCloud Graph API Information Disclosure Vulnerability (CVE-2023-49103)
150754   WordPress REST API User Enumeration Vulnerability
150755   Apache Tomcat Request Smuggling Vulnerability (CVE-2023-46589)
150756   Apache Superset Prior to 2.1.2 Multiple Security Vulnerabilities
150757   Apache ActiveMQ Remote Code Execution (RCE) Vulnerability (CVE-2023-46604)
150758   Apache OFBiz: Pre-Auth Remote Code Execution Vulnerability (CVE-2023-49070)
150759   WordPress Contact Form 7 Plugin: Authenticated Arbitrary File Upload Vulnerability (CVE-2023-6449)
150760   OpenCMS Cross-Site Scripting (XSS) Vulnerability (CVE-2023-6379)
150761   OpenCMS Open Redirect Vulnerability (CVE-2023-6380)
150762   WordPress Elementor Plugin: Arbitrary File Upload Vulnerability (CVE-2023-48777)
150763   WordPress Backup Migration Plugin: Unauthenticated Remote Code Execution Vulnerability (CVE-2023-6553)
150764   Zabbix Code Execution Vulnerability (CVE-2023-32727)
150765   Atlassian Confluence Server and Data Center Remote Code Execution (RCE) Vulnerability (CVE-2023-22522)
150766   WordPress The Events Calendar: Arbitrary Password Protected Post Read (CVE-2023-6203)
150768   Apache OFBiz: Pre-Auth Remote Code Execution Vulnerability (CVE-2023-51467)
150769   Apache OFBiz: Server-Side Request Forgery (SSRF) Vulnerability (CVE-2023-50968)
150773   OpenCMS Unauthenticated XXE Vulnerability (CVE-2023-42344)
150774   Apache Struts2 Remote Code Execution (RCE) Vulnerability (CVE-2023-50164) (Intrusive Check)
520012   Atlassian Bitbucket Data Center and Server Remote Code Execution (CVE-2022-1471)

QID 150753: ownCloud Graph API Information Disclosure Vulnerability (CVE-2023-49103)

CVE-ID: CVE-2023-49103
Severity: Level 5
CVSS 3.1: 7.5
CWE-ID: 200
Affected Versions: graphapi version from 0.2.0 to 0.3.0

Description:

ownCloud is an open-source software product for sharing and syncing files in distributed and federated enterprise scenarios.

An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The “graphapi” app relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key.

Exploitation of this vulnerability by an unauthenticated remote attacker could lead to the unauthorized disclosure of sensitive information, posing significant security risks. To address this issue, users are strongly advised to upgrade to Graph API version 0.3.1.

The vendor has also advised the following mitigation guidelines:

  • Delete the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php.

Change the following secrets:

  • ownCloud admin password
  • Mail server credentials
  • Database credentials
  • Object-Store/S3 access-key

For more information regarding this vulnerability, please refer to the ownCloud Security Advisory.

QID 150754: WordPress REST API User Enumeration Vulnerability

CVE-ID: NA
Severity: Level 3
CVSS 3.1: 5.3
CWE-ID: 200
Affected Versions: WordPress

Description:

WordPress is an open-source blogging tool and content management system based on PHP and MySQL.

WordPress REST API username enumeration is a security flaw that lets attackers uncover valid usernames on a site. Exploiting this vulnerability allows unauthorized access to a list of users who have published at least one post. To safeguard against this, consider using a plugin like “Stop User Enumeration,” disabling the REST API, or implementing custom .htaccess rules to block username enumeration requests.

QID 150755: Apache Tomcat Request Smuggling Vulnerability (CVE-2023-46589)

CVE-ID: CVE-2023-46589
Severity: Level 4
CVSS 3.1: 7.5
CWE-ID: 444
Affected Versions:
  Apache Tomcat 11.0.0-M1 to 11.0.0-M10
  Apache Tomcat 10.1.0-M1 to 10.1.15
  Apache Tomcat 9.0.0-M1 to 9.0.82
  Apache Tomcat 8.5.0 to 8.5.95

Description:

Apache Tomcat, an open-source web server and servlet container developed by the Apache Software Foundation, has identified a security vulnerability related to the incorrect parsing of HTTP trailer headers.

In specific scenarios, a maliciously crafted trailer header, surpassing the header size limit, may cause Tomcat to interpret a single request as multiple requests. This situation creates the potential for request smuggling, particularly when Tomcat is positioned behind a reverse proxy. Exploitation of this vulnerability could result in an HTTP request smuggling attack.

Customers are advised to upgrade to the relevant fixed version of Apache Tomcat:

  • Apache Tomcat 11.0.0-M11 or later
  • Apache Tomcat 10.1.16 or later
  • Apache Tomcat 9.0.83 or later
  • Apache Tomcat 8.5.96 or later

For more information on this vulnerability, please refer to the Apache Tomcat 8 Security Advisory, Apache Tomcat 9 Security Advisory, Apache Tomcat 10 Security Advisory, and Apache Tomcat 11 Security Advisory.

QID 150756: Apache Superset Prior to 2.1.2 Multiple Security Vulnerabilities

CVE-ID: CVE-2023-43701, CVE-2023-40610, CVE-2023-42501
Severity: Level 4
CVSS 3.1: 8.8
CWE-ID: 79, 863, 276
Affected Versions: Apache Superset before 2.1.2

Description:

Apache Superset, an open-source application for data exploration and visualization capable of handling data at petabyte scale, has identified several vulnerabilities in certain versions.

CVE-2023-43701: Stored Cross-Site Scripting (XSS) on API endpoint.

CVE-2023-40610: Privilege escalation involving the default examples database.

CVE-2023-42501: Unnecessary read permissions within the Gamma role.

Successful exploitation of these vulnerabilities could lead to a security breach, compromising the integrity, availability, and confidentiality of the affected system.

Customers are advised to upgrade to Apache Superset 2.1.2 or the latest version to remediate these vulnerabilities. For more information, please refer to CVE-2023-43701, CVE-2023-40610, and CVE-2023-42501.

QID 150757: Apache ActiveMQ Remote Code Execution (RCE) Vulnerability (CVE-2023-46604)

CVE-ID: CVE-2023-46604
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 502
Affected Versions:
  Apache ActiveMQ 5.18.0 before 5.18.3
  Apache ActiveMQ 5.17.0 before 5.17.6
  Apache ActiveMQ 5.16.0 before 5.16.7
  Apache ActiveMQ before 5.15.16
  Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
  Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
  Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
  Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16

Description:

Apache ActiveMQ, a widely-used open-source, multi-protocol, Java-based message broker, has identified a critical Remote Code Execution (RCE) Vulnerability in the Java OpenWire protocol marshaller.

The vulnerability allows a remote attacker, with network access to either a Java-based OpenWire broker or client, to execute arbitrary shell commands. This occurs by manipulating serialized class types in the OpenWire protocol, enabling the attacker to instantiate any class on the classpath. Successful exploitation of this vulnerability grants the remote attacker the ability to run arbitrary shell commands on the target system.

Customers are advised to upgrade Apache ActiveMQ, both brokers and clients, to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 or later to remediate this vulnerability. For more information pertaining to this vulnerability, please refer to the ActiveMQ CVE-2023-46604 update and the ActiveMQ Security Advisory.

QID 150758: Apache OFBiz: Pre-Auth Remote Code Execution Vulnerability (CVE-2023-49070)

CVE-ID: CVE-2023-49070
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 94
Affected Versions: Apache OFBiz before 18.12.10

Description:

Apache OFBiz, an open-source enterprise resource planning system, offers a comprehensive suite of applications designed to integrate and automate various business processes within an enterprise.

Apache OFBiz is currently susceptible to a critical Pre-Auth Remote Code Execution (RCE) vulnerability. This vulnerability stems from the continued presence of XML-RPC, which is no longer maintained. In the absence of proper authentication checks, an unauthenticated attacker can exploit this vulnerability to execute arbitrary code on the targeted system.

Customers are advised to upgrade to Apache OFBiz 18.12.10 or the latest version to remediate this vulnerability. For more information regarding this vulnerability, please refer to the Apache OFBiz Advisory.

QID 150759: WordPress Contact Form 7 Plugin: Authenticated Arbitrary File Upload Vulnerability (CVE-2023-6449)

CVE-ID: CVE-2023-6449
Severity: Level 4
CVSS 3.1: 7.2
CWE-ID: 434
Affected Versions: Contact Form 7 prior to version 5.8.4

Description:

Contact Form 7 is a widely-used WordPress plugin that empowers users to tailor and manage multiple contact forms, complete with integrated email functionality.

The Contact Form 7 plugin for WordPress is susceptible to a critical security flaw, allowing for arbitrary file uploads. This vulnerability arises from inadequate file type validation in the ‘validate’ function and insufficient blocklisting in the ‘wpcf7_antiscript_file_name’ function. Authenticated attackers with editor-level capabilities or higher can exploit this weakness to upload arbitrary files onto the affected site’s server. Notably, due to htaccess configuration, the immediate execution of remote code is generally prevented. By default, the uploaded file is promptly deleted from the server; however, certain configurations or other plugins may inadvertently extend the file’s lifespan on the server. In specific scenarios, this could facilitate remote code execution, especially when coupled with another vulnerability like local file inclusion.

Customers are advised to upgrade to version 5.8.4 or later versions to remediate this vulnerability. For more information regarding this vulnerability, please refer to Contact Form 7.

QID 150760: OpenCMS Cross-Site Scripting (XSS) Vulnerability (CVE-2023-6379)

CVE-ID: CVE-2023-6379
Severity: Level 3
CVSS 3.1: 6.1
CWE-ID: 79
Affected Versions: OpenCMS version 14, OpenCMS version 15

Description:

OpenCms, developed by Alkacon Software, is a sophisticated and user-friendly website content management system (CMS) that leverages Java and XML technology.

A critical Cross-Site Scripting (XSS) vulnerability has been identified in the Mercury template of OpenCms. This vulnerability exposes the system to potential exploitation by allowing an attacker to inject and execute arbitrary JavaScript code within the context of the interface. Successful exploitation could grant the attacker unauthorized access to sensitive, browser-based information, potentially compromising the security and integrity of the affected system.

Customers are advised to upgrade to OpenCMS 16 to remediate this vulnerability.

QID 150761: OpenCMS Open Redirect Vulnerability (CVE-2023-6380)

CVE-ID: CVE-2023-6380
Severity: Level 3
CVSS 3.1: 6.1
CWE-ID: 701
Affected Versions: OpenCMS version 14, OpenCMS version 15

Description:

OpenCms, a sophisticated website content management system (CMS) developed by Alkacon Software, is renowned for its professionalism and ease of use. It operates on Java and XML technology.

An Open Redirect vulnerability has been identified in the Mercury template of OpenCms. This vulnerability stems from improper sanitization of the ‘URI’ parameter. In the event of successful exploitation, an attacker could craft a specially designed link, tricking users into visiting it. Subsequently, users may be redirected to a malicious site, potentially compromising their security and confidentiality.

Customers are advised to upgrade to OpenCMS 16 to remediate this vulnerability.

QID 150762: WordPress Elementor Plugin: Arbitrary File Upload Vulnerability (CVE-2023-48777)

CVE-ID: CVE-2023-48777
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 434
Affected Versions: WordPress Elementor Plugin before 3.18.2

Description:

Elementor, a widely acclaimed WordPress plugin, empowers web creators to craft professional and visually stunning websites through its intuitive visual builder.

The WordPress Elementor plugin has been identified with a critical security flaw, potentially leading to remote code execution. This vulnerability is associated with the template import functionality, where inadequate safeguards during file uploads create an avenue for exploitation. In the event of successful exploitation, an attacker could upload a malicious file, enabling the execution of arbitrary code on the targeted system.

Customers are advised to upgrade to Elementor 3.18.2 or to later versions to remediate this vulnerability.

QID 150763: WordPress Backup Migration Plugin: Unauthenticated Remote Code Execution Vulnerability (CVE-2023-6553)

CVE-ID: CVE-2023-6553
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 94
Affected Versions: WordPress Backup Migration Plugin before 1.3.8

Description:

The WordPress migrator plugin is designed to facilitate the seamless migration of WordPress sites across different hosts or domains.

The Backup Migration plugin for WordPress is currently susceptible to a critical Remote Code Execution (RCE) vulnerability, specifically within the /includes/backup-heart.php file. This vulnerability arises from an attacker’s ability to manipulate values passed to an include, creating an avenue for achieving remote code execution. The consequence is that unauthenticated threat actors can exploit this weakness to execute arbitrary code on the server. The ease of exploitation heightens the risk, as unauthorized individuals can execute code without proper authentication.

Customers are advised to upgrade to The Backup Migration 1.3.8 or to later versions to remediate this vulnerability.

QID 150764: Zabbix Code Execution Vulnerability (CVE-2023-32727)

CVE-ID: CVE-2023-32727
Severity: Level 4
CVSS 3.1: 7.2
CWE-ID: 20
Affected Versions:
  Zabbix version from 4.0.0 to 4.0.49
  Zabbix version from 5.0.0 to 5.0.38
  Zabbix version from 6.0.0 to 6.0.22
  Zabbix version from 6.4.0 to 6.4.7

Description:

Zabbix, a powerful open-source software tool, is designed for monitoring IT infrastructure, including networks, servers, virtual machines, and cloud services.

A critical security flaw has been identified in Zabbix, where an attacker with the privilege to configure Zabbix items can leverage the icmpping() function to execute arbitrary code on the Zabbix server. This vulnerability arises from the ability to embed malicious commands within the icmpping() function. Successful exploitation of this vulnerability could enable a remote attacker to execute arbitrary shell commands on the target system, posing a significant risk to the security and integrity of the monitored infrastructure.

Customers are advised to upgrade Zabbix to a fixed version to remediate this vulnerability. For more information, please refer to ZBX-23857.

QID 150765: Atlassian Confluence Server and Data Center Remote Code Execution (RCE) Vulnerability (CVE-2023-22522)

CVE-ID: CVE-2023-22522
Severity: Level 4
CVSS 3.1: 8.8
CWE-ID: 74
Affected Versions:
  Confluence Data Center and Server versions: 4.x.x, 5.x.x, 6.x.x, 7.x.x, 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.0, 8.4.1, 8.4.2, 8.4.3, 8.4.4, 8.5.0, 8.5.1, 8.5.2, 8.5.3
  Confluence Data Center versions: 8.6.0, 8.6.1

Description:

Confluence is a team collaboration application written in Java, developed and marketed by Atlassian and used mainly in corporate environments. Multiple versions of Atlassian Confluence Data Center and Confluence Server are affected by a template injection vulnerability that allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page. Successful exploitation allows the attacker to achieve Remote Code Execution (RCE) on the affected instance.

Customers are advised to upgrade Confluence Data Center and Server to version 7.19.17 (LTS), 8.4.5, or 8.5.4 (LTS), and Confluence Data Center only to version 8.6.0 or 8.6.1 or later. For more information pertaining to remediating this vulnerability, please refer to the Atlassian Security Advisory and CONFSERVER-93502.

QID 150766: WordPress The Events Calendar: Arbitrary Password Protected Post Read (CVE-2023-6203)

CVE-ID: CVE-2023-6203
Severity: Level 3
CVSS 3.1: 7.5
CWE-ID: 200
Affected Versions: WordPress The Events Calendar Plugin before 6.2.8.1

Description:

The Events Calendar, a popular WordPress plugin, facilitates the seamless creation and management of events calendars on WordPress sites.

The Events Calendar WordPress plugin has been identified with a security vulnerability where the content of password-protected posts is inadvertently disclosed to unauthenticated users through a specifically crafted request. This vulnerability allows unauthorized access to sensitive information contained in password-protected posts.

Customers are advised to upgrade to The Events Calendar 6.2.8.2 or to later versions to remediate this vulnerability. For more information regarding this vulnerability, please refer to the Advisory.

QID 150773: OpenCMS Unauthenticated XXE Vulnerability (CVE-2023-42344)

CVE-ID: CVE-2023-42344
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 611
Affected Versions: OpenCMS version from 9.0.0 to 10.5.0

Description:

OpenCms, an open-source content management system (CMS) developed by Alkacon Software, is widely utilized for public Internet websites, extranets, and intranets. It is built on Java and XML technology.

Certain versions of OpenCms are found to have a critical XML External Entity Injection (XXE) vulnerability. This vulnerability poses a risk of remote exploitation, potentially allowing an attacker to execute arbitrary code or access sensitive files on the target system. The XXE vulnerability arises from inadequate handling of XML external entities, creating an avenue for unauthorized access and potential code execution.

Customers are advised to upgrade to OpenCMS 10.5.1 or later to patch the vulnerability. For more information regarding the vulnerability, please refer to CVE-2023-42344.

QID 150774: Apache Struts2 Remote Code Execution (RCE) Vulnerability (CVE-2023-50164) (Intrusive Check)

CVE-ID: CVE-2023-50164
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 552
Affected Versions:
  Apache Struts 2.0.0 – 2.3.37 (EOL)
  Apache Struts 2.5.0 – 2.5.32
  Apache Struts 6.0.0 – 6.3.0

Description:

Apache Struts, a free and open-source MVC framework, empowers the creation of sophisticated Java web applications.

In certain versions of Apache Struts 2, a critical security vulnerability has been identified. This flaw allows an attacker to manipulate file upload parameters, potentially leading to path traversal. Under specific circumstances, this manipulation can result in the upload of a malicious file, thereby creating a pathway for Remote Code Execution (RCE). Successful exploitation provides a remote attacker with the ability to upload malicious files and execute arbitrary code on the targeted system.

Customers are advised to upgrade to Apache Struts version 2.5.33, 6.3.0.2, or later to remediate this vulnerability. For more information pertaining to this vulnerability, please refer to Apache Struts Security Bulletin S2-066.

QID 150768: Apache OFBiz: Pre-Auth Remote Code Execution Vulnerability (CVE-2023-51467)

CVE-ID: CVE-2023-51467
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 918
Affected Versions: Apache OFBiz before 18.12.11

Description:

Apache OFBiz, an open-source enterprise resource planning (ERP) system, offers a suite of applications designed to streamline and automate various business processes within an enterprise.

A critical security vulnerability has been identified in Apache OFBiz that allows attackers to bypass authentication and achieve a simple Server-Side Request Forgery (SSRF). This flaw enables unauthenticated attackers to execute arbitrary code on the targeted system.

Customers are advised to upgrade Apache OFBiz to the latest version to remediate this vulnerability. For more information regarding this vulnerability, please refer to the Apache OFBiz Advisory.

QID 150769: Apache OFBiz: Server-Side Request Forgery (SSRF) Vulnerability (CVE-2023-50968)

CVE-ID: CVE-2023-50968
Severity: Level 4
CVSS 3.1: 8.2
CWE-ID: 918
Affected Versions: Apache OFBiz before 18.12.10

Description:

Apache OFBiz, an open-source enterprise resource planning (ERP) system, delivers a comprehensive suite of applications to automate and integrate diverse business processes within an enterprise.

Apache OFBiz is currently affected by vulnerabilities that expose users to arbitrary file properties reading and Server-Side Request Forgery (SSRF) risks. These vulnerabilities can be exploited when users make URI calls without proper authorization, leading to potential unauthorized access to file information and the risk of SSRF attacks. Successful exploitation of these vulnerabilities could result in unauthorized access, data exposure, and the potential compromise of internal systems or services.

Customers are advised to upgrade Apache OFBiz to the latest version to remediate this vulnerability. For more information regarding this vulnerability, please refer to the Apache OFBiz Advisory.

QID 520012: Atlassian Bitbucket Data Center and Server Remote Code Execution (CVE-2022-1471)

CVE-ID: CVE-2022-1471
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 20, 502
Affected Versions:
  Atlassian Bitbucket Server and Data Center version from 7.17.0 to version 7.20.3
  Atlassian Bitbucket Server and Data Center version from 7.21.0 to version 7.21.15
  Atlassian Bitbucket Server and Data Center version from 8.0.0 to version 8.7.5
  Atlassian Bitbucket Server and Data Center version from 8.8.0 to version 8.8.6
  Atlassian Bitbucket Server and Data Center version from 8.9.0 to version 8.9.3
  Atlassian Bitbucket Server and Data Center version from 8.10.0 to version 8.10.3
  Atlassian Bitbucket Server and Data Center version from 8.11.0 to version 8.11.2
  Atlassian Bitbucket Server and Data Center version 8.12.0

Description:

Bitbucket, a Git-based source code repository hosting service, is owned by Atlassian, a prominent software company.

Several Atlassian Data Center and Server Products utilize the SnakeYAML library for Java, which is found to be susceptible to a critical deserialization flaw. This vulnerability poses a risk of Remote Code Execution (RCE), wherein an unauthenticated attacker could exploit the flaw to execute arbitrary code on the target system.

The vendor has released a fix for this vulnerability. Customers are advised to refer to BSERV-14528 for more information pertaining to this vulnerability.
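The SnakeYAML flaw behind CVE-2022-1471 is a loader configuration issue: before SnakeYAML 2.0, the default Constructor honours global tags, so a YAML document can name any class on the classpath and have it instantiated. The following is an added example, not Atlassian or SnakeYAML project code, showing the weak loader beside the hardened one; it assumes SnakeYAML 1.33 or later on the classpath, and the tagged class name in the sample document is a constructed placeholder, not a real gadget.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

/**
 * Added example (not Atlassian or SnakeYAML code): parsing YAML that may come
 * from an untrusted source with a constructor that cannot instantiate classes.
 */
public class SafeYamlLoader {

    // Weak setting: the default Constructor (SnakeYAML before 2.0) honours
    // global tags such as !!fully.qualified.ClassName, so the document decides
    // which class on the classpath gets instantiated. Shown only for contrast;
    // never call this on input you do not control.
    static Object loadWithDefaultConstructor(String yaml) {
        return new Yaml().load(yaml);
    }

    // Corrected setting: SafeConstructor only builds the standard YAML types
    // (maps, sequences, scalars) and rejects every global tag.
    static Object loadSafely(String yaml) {
        LoaderOptions options = new LoaderOptions();
        // Additional hardening against resource-exhaustion documents
        options.setAllowRecursiveKeys(false);
        options.setMaxAliasesForCollections(50);
        return new Yaml(new SafeConstructor(options)).load(yaml);
    }

    public static void main(String[] args) {
        // Constructed sample: ordinary configuration data parses fine
        String benign = "server:\n  port: 8443\n  tls: true\n";
        Map<?, ?> cfg = (Map<?, ?>) loadSafely(benign);
        System.out.println("parsed: " + cfg);

        // Constructed sample carrying a global tag; the class name is a
        // hypothetical placeholder used only to show the rejection path
        String tagged = "!!com.example.AnyClassOnTheClasspath {}\n";
        try {
            loadSafely(tagged);
            System.out.println("unexpected: tagged document was accepted");
        } catch (YAMLException e) {
            // SafeConstructor raises a ConstructorException (a YAMLException)
            // for the unknown tag, so no class is ever instantiated
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same SafeConstructor pattern applies wherever an application parses YAML it did not author itself; only trusted, application-owned configuration should ever go through the default Constructor.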
