January 2024 Web Application Vulnerabilities Released

Hitesh Kadu

In January, the Qualys Web Application Scanning (WAS) team released a critical security signatures update. The update adds detections for vulnerabilities in several widely used applications, including WordPress (core and plugins), Apache Solr, Atlassian Confluence Data Center and Server, XWiki, Drupal, and OpenSSL. Left unaddressed, the issues covered here range from information disclosure and denial of service to unauthenticated remote code execution, with the usual consequences: data breaches, unauthorized access, and follow-on attacks. Organizations should scan their applications for the QIDs below and remediate any findings promptly.

QID     Title
150770  WordPress Email Address Disclosure Vulnerability (CVE-2023-5561)
150771  WordPress Backup Migration Plugin: Sensitive Data Exposure (CVE-2023-6271)
150772  WordPress Hostinger Plugin: Missing Authorization Vulnerability (CVE-2023-6751)
150775  WordPress MW WP Form Plugin: Unauthenticated Arbitrary File Upload Vulnerability (CVE-2023-6316)
150776  WordPress ElementsKit Plugin: Unauthenticated Sensitive Information Exposure Vulnerability (CVE-2023-6582)
150777  Apache Solr: Sensitive Information Exposure Vulnerability (CVE-2023-50290)
150778  XWiki Remote Code Execution (RCE) Vulnerability (CVE-2024-21650)
150779  Atlassian Confluence Data Center and Server Remote Code Execution (RCE) Vulnerability (CVE-2023-22527)
150780  Atlassian Confluence Data Center and Server Remote Code Execution (RCE) Vulnerability (CVE-2023-22527) (Exploitation Check)
154146  WordPress Multiple Vulnerabilities: Security Release 6.4.2
154147  Drupal Denial of Service (DoS) Vulnerability (CVE-2024-22362)
520013  Open Secure Sockets Layer (OpenSSL) POLY1305 MAC Improper Authentication (CVE-2023-6129)

QID 150770: WordPress Email Address Disclosure Vulnerability (CVE-2023-5561)

CVE-ID: CVE-2023-5561
Severity: Level 3
CVSS 3.1: 5.3
CWE-ID: 284
Affected Versions: WordPress versions from 4.7 to 4.7.26
WordPress versions from 4.8 to 4.8.22
WordPress versions from 4.9 to 4.9.23
WordPress versions from 5.0 to 5.0.19
WordPress versions from 5.1 to 5.1.16
WordPress versions from 5.2 to 5.2.18
WordPress versions from 5.3 to 5.3.15
WordPress versions from 5.4 to 5.4.13
WordPress versions from 5.5 to 5.5.12
WordPress versions from 5.6 to 5.6.11
WordPress versions from 5.7 to 5.7.9
WordPress versions from 5.8 to 5.8.7
WordPress versions from 5.9 to 5.9.7
WordPress versions from 6.0 to 6.0.5
WordPress versions from 6.1 to 6.1.3
WordPress versions from 6.2 to 6.2.2
WordPress versions from 6.3 to 6.3.1

Description:

WordPress, a widely used free and open-source content management system, runs on PHP and stores its data in MySQL or MariaDB. In the affected versions the REST API's user search endpoint does not properly restrict which user fields a search term is matched against, so an unauthenticated request can be matched against users' email addresses. Because the response reveals whether a term matched, repeated requests act as an oracle: an attacker can reconstruct, character by character, the email addresses of users who have published public posts on the site.

Exploitation discloses email addresses, which is a privacy breach in itself and a ready-made target list for phishing and credential stuffing against the site's authors. Upgrade to WordPress 6.3.2 or later, or to the corresponding security point release of an older branch (the fix was backported to every branch listed above). For more information, refer to the WordPress Security Release.
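The oracle described above, as an added Python simulation (this is not WordPress code and is not part of the original post): it models the public user-search endpoint over a constructed user table, a pre-fix column set in which an anonymous search term is matched against the email column, and a post-fix set that excludes it, and then recovers an address one character at a time. The user table and the two column sets are assumptions made for the simulation; real WordPress performs a SQL LIKE over its configured search columns, but the oracle logic is the same.

```python
import string

# Constructed sample of the users a site would list through the public
# /wp/v2/users endpoint (only users with published posts are visible).
USERS = [
    {"id": 1, "slug": "alice", "name": "Alice Adams", "email": "alice@example.com", "published": True},
    {"id": 2, "slug": "bob", "name": "Bob Brown", "email": "bob.brown@corp.example", "published": True},
    {"id": 3, "slug": "carol", "name": "Carol Cole", "email": "carol@example.com", "published": False},
]

# Assumed column sets for the simulation: before the fix an anonymous search
# term could be matched against the email column, afterwards it cannot.
VULNERABLE_COLUMNS = ("slug", "name", "email")
FIXED_COLUMNS = ("slug", "name")


def rest_user_search(term, search_columns, users=USERS):
    """Simulate GET /wp-json/wp/v2/users?search=<term> for an anonymous caller.

    WordPress wraps the term in wildcards, so a hit is a case-insensitive
    substring match in any of ``search_columns``.  The response only tells
    the caller which visible users matched, but that is enough for an oracle.
    """
    term = term.lower()
    return sorted(
        u["id"] for u in users
        if u["published"] and any(term in u[col].lower() for col in search_columns)
    )


def vulnerable_oracle(term):
    return rest_user_search(term, VULNERABLE_COLUMNS)


def fixed_oracle(term):
    return rest_user_search(term, FIXED_COLUMNS)


ALPHABET = string.ascii_lowercase + string.digits + ".-_+"


def recover_email(user_id, oracle, alphabet=ALPHABET, max_len=254):
    """Rebuild ``user_id``'s address from a substring oracle.

    Every address contains exactly one '@', so growing the known substring
    rightwards from '@' yields the domain and growing it leftwards yields the
    local part, one character (at most len(alphabet) queries) per step.
    Returns (email_or_None, number_of_queries).
    """
    queries = 0

    def matches(term):
        nonlocal queries
        queries += 1
        return user_id in oracle(term)

    known = "@"
    while len(known) < max_len:                       # phase 1: domain
        ch = next((c for c in alphabet if matches(known + c)), None)
        if ch is None:
            break
        known += ch
    while len(known) < max_len:                       # phase 2: local part
        ch = next((c for c in alphabet if matches(c + known)), None)
        if ch is None:
            break
        known = ch + known
    return (known if known != "@" else None), queries


if __name__ == "__main__":
    for uid in (1, 2, 3):
        print("vulnerable columns, user", uid, "->", recover_email(uid, vulnerable_oracle))
    print("fixed columns, user 1 ->", recover_email(1, fixed_oracle))
```

Against the vulnerable column set the full address of every user with published posts comes back after a few hundred requests; against the restricted set the same queries never match, which is exactly why the fix is to take the email column out of the anonymous search path rather than to rate-limit the endpoint.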

QID 150771: WordPress Backup Migration Plugin: Sensitive Data Exposure (CVE-2023-6271)

CVE-ID: CVE-2023-6271
Severity: Level 3
CVSS 3.1: 7.5
CWE-ID: 200
Affected Versions: WordPress Backup Migration Plugin before 1.3.6

Description:

The Backup Migration plugin moves a WordPress site between hosts or domains. Affected versions write information about in-progress backups to publicly accessible files, so an attacker who polls those files while a backup is running can learn enough to retrieve sensitive information from the site's backups.

Successful exploitation results in unauthorized disclosure of the data held in those backups, a confidentiality impact. Upgrade to Backup Migration 1.3.6 or later.

QID 150772: WordPress Hostinger Plugin: Missing Authorization Vulnerability (CVE-2023-6751)

CVE-ID: CVE-2023-6751
Severity: Level 4
CVSS 3.1: 6.5
CWE-ID: 862
Affected Versions: WordPress Hostinger Plugin before 1.9.8

Description:

The Hostinger WordPress plugin streamlines launching WordPress websites. Affected versions lack a capability check on the "publish_website" function, so the settings it updates can be changed by callers who should not be allowed to change them.

In practice this lets unauthenticated attackers turn the site's maintenance mode on or off at will, affecting the site's availability and the settings its owner relies on.

Upgrade to Hostinger 1.9.8 or later.

QID 150775: WordPress MW WP Form Plugin: Unauthenticated Arbitrary File Upload Vulnerability (CVE-2023-6316)

CVE-ID: CVE-2023-6316
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 434
Affected Versions: WordPress MW WP Form Plugin before 5.0.2

Description:

MW WP Form is a shortcode-based contact form plugin for WordPress. Affected versions perform insufficient file type validation in the '_single_file_upload' function, so the plugin accepts files it should reject.

This lets unauthenticated attackers upload arbitrary files to the affected site's server. If the uploaded file is a web shell written somewhere the web server will execute it, the result is remote code execution, which is why the issue carries a critical rating.

Upgrade to MW WP Form 5.0.2 or later.
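The hardened form of the check the paragraph above says was missing, as an added Python example (not the plugin's code, which is PHP, and not part of the original post): an upload validator that treats the file name as untrusted, requires every extension component to be on an allowlist rather than only the last one, and confirms the content's magic bytes match the declared type. The allowlist, size limit and sample files are constructed for the example.

```python
import secrets

# Allowlisted extensions and the magic bytes a file of that type must start
# with.  Constructed for this example; a contact form needs nothing broader.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
MAX_BYTES = 5 * 1024 * 1024


def validate_upload(filename, data, allowed=ALLOWED_TYPES, max_bytes=MAX_BYTES):
    """Return (True, extension) if the upload is acceptable, else (False, reason).

    These are the checks a single-file upload handler needs before writing
    anything under the web root:
      * the name is a bare file name (no path separators, NUL, leading dot);
      * every extension component is allowlisted, so shell.php, shell.php.png
        and .htaccess are all rejected, not just an unexpected last suffix;
      * the content starts with the magic bytes of the declared type.
    """
    if not data:
        return False, "empty file"
    if len(data) > max_bytes:
        return False, "file too large"
    if any(c in filename for c in "/\\\x00") or filename.startswith("."):
        return False, "invalid file name"
    base, *exts = filename.lower().split(".")
    if not base or not exts:
        return False, "missing extension"
    bad = [e for e in exts if e not in allowed]
    if bad:
        return False, "extension not allowed: " + ".".join(bad)
    ext = exts[-1]
    if not any(data.startswith(magic) for magic in allowed[ext]):
        return False, "content does not match ." + ext
    return True, ext


def storage_name(ext):
    """Never reuse the client-supplied name: store under a random name with the verified extension."""
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    for name, blob in [("photo.png", png), ("shell.php.png", png),
                       ("fake.png", b"<?php phpinfo(); ?>"), ("../../wp-config.php", png)]:
        print(name, "->", validate_upload(name, blob))
```

Magic-byte checks are not a substitute for storing uploads outside the web root or serving them with execution disabled; they stop the trivial "rename shell.php to shell.png" case and the double-extension tricks, which is the validation gap the advisory describes.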

QID 150776: WordPress ElementsKit Plugin: Unauthenticated Sensitive Information Exposure Vulnerability (CVE-2023-6582)

CVE-ID: CVE-2023-6582
Severity: Level 4
CVSS 3.1: 5.3
CWE-ID: 200
Affected Versions: WordPress ElementsKit Plugin before 3.0.4

Description:

ElementsKit is an addon for the Elementor page builder that adds a range of widgets and features. Affected versions of the ElementsKit Elementor addons plugin for WordPress expose the 'ekit_widgetarea_content' function without adequate access control.

As a result, unauthenticated attackers can read the contents of posts in draft, private, or pending-review status, content that is not meant to be visible to the public, for posts built with Elementor.

Upgrade to ElementsKit 3.0.4 or later.

QID 150777: Apache Solr: Sensitive Information Exposure Vulnerability (CVE-2023-50290)

CVE-ID: CVE-2023-50290
Severity: Level 4
CVSS 3.1: 6.5
CWE-ID: 200
Affected Versions: Solr 9.0 to 9.2.1

Description:

Apache Solr, an open-source enterprise search platform built on Apache Lucene, publishes through its Metrics API every environment variable visible to the Solr process that has not been explicitly hidden. Environment variables are a common place to put credentials (database passwords, cloud access keys, ZooKeeper secrets), so this is an information disclosure to anyone who can query the endpoint.

Solr lets operators list environment variables that should be hidden, but unlike Java system properties, environment variables have no well-defined set within Solr, and they are usually configured for the whole host rather than per Java process, so a hide list is easy to get wrong or incomplete.

The Metrics API is protected by the "metrics-read" permission, but Solr clusters with authorization configured remain exposed to any authenticated user who holds that permission. Secrets obtained this way can be used in further attacks against the services they protect.

Upgrade to Apache Solr 9.3.0 or later, in which environment variables are no longer published via the Metrics API. Refer to the official Apache Solr advisory for details.
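Once an exposed instance is found, the first incident-response question is which secrets actually leaked. The following added Python triage routine (not Solr code and not part of the original post) walks a Metrics API response and reports every entry whose name looks like a credential, with values redacted so the report itself does not spread them. The sample response is constructed; the real endpoint is /solr/admin/metrics and the exact nesting of the environment block varies by version, so the walker does not depend on where it sits.

```python
import json
import re

# Constructed stand-in for a Metrics API reply (nesting assumed, not copied
# from a real Solr instance).  The walker below works for any nesting.
SAMPLE_RESPONSE = json.dumps({
    "responseHeader": {"status": 0, "QTime": 3},
    "metrics": {
        "solr.jvm": {
            "system.properties": {"java.version": "17.0.9", "user.dir": "/opt/solr"},
            "system.env": {
                "PATH": "/usr/bin:/bin",
                "SOLR_HOME": "/var/solr/data",
                "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                "DB_PASSWORD": "hunter2",
                "ZK_AUTH_TOKEN": "abc123",
            },
        }
    },
})

# Variable names that usually carry credentials.  Tune for your environment.
SENSITIVE_NAME = re.compile(r"PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE|CREDENTIAL|AUTH", re.I)


def _leaves(obj, path=()):
    """Yield (path, value) for every scalar in a nested JSON structure."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _leaves(val, path + (str(key),))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from _leaves(val, path + (str(i),))
    else:
        yield path, obj


def redact(value):
    """Keep two characters at each end so an operator can recognise which secret it is."""
    text = str(value)
    return text[:2] + "*" * (len(text) - 4) + text[-2:] if len(text) > 4 else "****"


def find_exposed_secrets(response_text, name_pattern=SENSITIVE_NAME):
    """Return [(container_path, name, redacted_value)] for leaf keys that look like secrets."""
    hits = []
    for path, value in _leaves(json.loads(response_text)):
        if path and name_pattern.search(path[-1]):
            hits.append((".".join(path[:-1]), path[-1], redact(value)))
    return hits


if __name__ == "__main__":
    for container, name, value in find_exposed_secrets(SAMPLE_RESPONSE):
        print(f"{container}: {name} = {value}")
```

Every name this reports is a credential to rotate, not just to hide: the variable was readable by every holder of metrics-read for as long as the instance ran an affected version.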

QID 150778: XWiki Remote Code Execution (RCE) Vulnerability (CVE-2024-21650)

CVE-ID: CVE-2024-21650
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 94, 95
Affected Versions: XWiki versions prior to 14.10.17
XWiki versions from 15.0 up to (but not including) 15.5.3
XWiki versions from 15.6 up to (but not including) 15.8-rc-1

Description:

XWiki Platform is a generic wiki platform that provides runtime services for applications built on top of it. Affected versions contain a critical flaw in the user registration feature that leads to remote code execution (RCE).

An attacker supplies a crafted "first name" or "last name" value during registration; because the value is later interpreted as code rather than treated as plain text (CWE-94/95), the attacker's payload runs on the server. The issue is most serious on installations where guests are allowed to register, since no existing account is needed.

Upgrade to XWiki 14.10.17, 15.5.3, or 15.8-rc-1, or a later release of the same line.

For details, refer to the GitHub Security Advisory published by XWiki.

QID 150779: Atlassian Confluence Data Center and Server Remote Code Execution (RCE) Vulnerability (CVE-2023-22527)

CVE-ID: CVE-2023-22527
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 1336
Affected Versions: Confluence Data Center and Server 8.0.x
Confluence Data Center and Server 8.1.x
Confluence Data Center and Server 8.2.x
Confluence Data Center and Server 8.3.x
Confluence Data Center and Server 8.4.x
Confluence Data Center and Server 8.5.0 to 8.5.3

Description:

Confluence is Atlassian's Java-based team collaboration software, widely used in corporate environments. Out-of-date versions of Confluence Data Center and Server (8.0.x through 8.5.3) contain a critical template injection vulnerability (CWE-1336) that allows an unauthenticated attacker to achieve remote code execution (RCE) on the affected instance. Confluence 7.19.x LTS releases are not affected.

Upgrade Confluence Data Center and Server to 8.5.4 (LTS) or later, or, for Data Center only, to 8.6.0, 8.6.1, or later.

For full remediation guidance, consult the Atlassian Security Advisory.

QID 150780: Atlassian Confluence Data Center and Server Remote Code Execution (RCE) Vulnerability (CVE-2023-22527) (Exploitation Check)

CVE-ID: CVE-2023-22527
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 1336
Affected Versions: Confluence Data Center and Server 8.0.x
Confluence Data Center and Server 8.1.x
Confluence Data Center and Server 8.2.x
Confluence Data Center and Server 8.3.x
Confluence Data Center and Server 8.4.x
Confluence Data Center and Server 8.5.0 to 8.5.3

Description:

This QID covers the same template injection vulnerability as QID 150779 above, but is reported by an exploitation check rather than by that QID's detection, so a finding here indicates that the scanner confirmed the issue on the target. See QID 150779 for the description.

The remediation is the same: upgrade Confluence Data Center and Server to 8.5.4 (LTS) or later, or, for Data Center only, to 8.6.0, 8.6.1, or later, and consult the Atlassian Security Advisory for full guidance.

QID 154146: WordPress Multiple Vulnerabilities: Security Release 6.4.2

CVE-ID: NA
Severity: Level 4
CVSS 3.1: 7.3
CWE-ID: 1352
Affected Versions: WordPress versions prior to 6.4.2

Description:

WordPress, a widely used free and open-source content management system powered by PHP and compatible with MySQL or MariaDB, has released version 6.4.2, a security and maintenance release. Alongside several bug fixes it addresses a remote code execution (RCE) vulnerability. The flaw is not directly exploitable in core, but the WordPress security team rated it as potentially high severity when combined with certain plugins, particularly on multisite installations: the fix removes a __destruct method from the WP_HTML_Token class (introduced in WordPress 6.4) that could serve as a gadget in a property-oriented programming (POP) chain for any plugin with a PHP object injection flaw.

If chained in this way, the issue could compromise the confidentiality, integrity, and availability of the target application. Upgrade to WordPress 6.4.2 or later. For more information, refer to the WordPress Security Release.

QID 154147: Drupal Denial of Service (DoS) Vulnerability (CVE-2024-22362)

CVE-ID: CVE-2024-22362
Severity: Level 3
CVSS 3.1: 7.5
CWE-ID: 400
Affected Versions: Drupal version 9.3.6

Description:

Drupal, a free and open-source content management framework written in PHP and distributed under the GNU General Public License, has a vulnerability in the listed version in which improper handling of structural elements in a request leads to uncontrolled resource consumption (CWE-400). An attacker can trigger a denial of service (DoS) by sending specially crafted requests.

Users are advised to upgrade Drupal to the latest version to remediate this vulnerability.

QID 520013: Open Secure Sockets Layer (OpenSSL) POLY1305 MAC Improper Authentication (CVE-2023-6129)

CVE-ID: CVE-2023-6129
Severity: Level 3
CVSS 3.1: 6.5
CWE-ID: 126
Affected Versions: OpenSSL version 3.0.0 to 3.0.12
OpenSSL version 3.1.0 to 3.1.4
OpenSSL version 3.2.0

Description:

OpenSSL is a software library that applications use to secure communications over computer networks against eavesdropping and to identify the party at the other end.

The POLY1305 MAC (message authentication code) implementation for PowerPC CPUs restores the contents of vector registers in a different order than it saves them, so some of those registers are corrupted when control returns to the caller. The vulnerable code is used only on newer PowerPC processors that support the PowerISA 2.07 vector instructions. If an attacker can influence whether the POLY1305 MAC algorithm is used, the application's internal state can be corrupted, with consequences that depend on the application.

Those consequences range from none, if the calling application does not rely on the contents of non-volatile vector registers at all, to an attacker gaining complete control of the application process. Unless the compiler uses the vector registers to hold pointers, the most likely outcome, if any, is an incorrect result from some application-dependent calculation or a crash leading to a denial of service.

POLY1305 is most commonly used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) cipher, whose most common use is in TLS 1.2 and 1.3. If this cipher is enabled on a server, a malicious client can influence whether it is negotiated, so TLS server applications using OpenSSL on affected hardware are potentially impacted. The OpenSSL project was not aware of any concrete affected application and rated the issue Low severity.

OpenSSL has released fixes in versions 3.0.13, 3.1.5, and 3.2.1. Refer to the OpenSSL Security Advisory for more information.
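Every entry on this page is detected by comparing a discovered version against an inclusive list of affected ranges, and the three range shapes used above ("from a to b", "8.2.x", a single version such as OpenSSL 3.2.0) each need slightly different handling. The following added Python helper (not Qualys code, and not part of the original post) implements that comparison, with the range data copied from this page's tables. It assumes numeric dotted versions; a pre-release suffix such as XWiki's "15.8-rc-1" is stripped and the base version compared, which can over-report but never under-reports.

```python
import re

# Affected version ranges from the tables on this page.  "a-b" is an
# inclusive range, "a.b.x" is a whole branch, a bare version stands alone.
AFFECTED = {
    "WordPress CVE-2023-5561": [
        "4.7-4.7.26", "4.8-4.8.22", "4.9-4.9.23", "5.0-5.0.19", "5.1-5.1.16",
        "5.2-5.2.18", "5.3-5.3.15", "5.4-5.4.13", "5.5-5.5.12", "5.6-5.6.11",
        "5.7-5.7.9", "5.8-5.8.7", "5.9-5.9.7", "6.0-6.0.5", "6.1-6.1.3",
        "6.2-6.2.2", "6.3-6.3.1",
    ],
    "Confluence CVE-2023-22527": ["8.0.x", "8.1.x", "8.2.x", "8.3.x", "8.4.x", "8.5.0-8.5.3"],
    "OpenSSL CVE-2023-6129": ["3.0.0-3.0.12", "3.1.0-3.1.4", "3.2.0"],
    "Solr CVE-2023-50290": ["9.0-9.2.1"],
}

_NUMERIC = re.compile(r"\d+(?:\.\d+)*")


def _vtuple(version, width=4):
    """'8.5' -> (8, 5, 0, 0); pre-release suffixes are dropped (assumption)."""
    match = _NUMERIC.match(version.strip())
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in match.group(0).split(".")]
    return tuple(parts + [0] * max(0, width - len(parts)))


def _matches(version, spec):
    if spec.endswith(".x"):                       # whole branch, e.g. 8.2.x
        branch = spec[:-2]
        depth = branch.count(".") + 1
        return _vtuple(version)[:depth] == _vtuple(branch)[:depth]
    lo, _, hi = spec.partition("-")               # inclusive range or single version
    hi = hi or lo
    return _vtuple(lo) <= _vtuple(version) <= _vtuple(hi)


def affected_range(version, ranges):
    """Return the range spec containing ``version``, or None if it is not affected."""
    for spec in ranges:
        if _matches(version, spec):
            return spec
    return None


if __name__ == "__main__":
    for product, version in [("WordPress CVE-2023-5561", "6.3.1"),
                             ("WordPress CVE-2023-5561", "6.3.2"),
                             ("Confluence CVE-2023-22527", "8.2.7"),
                             ("OpenSSL CVE-2023-6129", "3.2.1")]:
        print(product, version, "->", affected_range(version, AFFECTED[product]))
```

Note the branch semantics this makes explicit: the first WordPress patch release of a branch (for example 4.9.24) is not affected even though it is numerically below 6.3.2, so a naive "less than the latest fixed version" comparison would produce false positives on every backported branch.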
