February 2024 Web Application Vulnerabilities Released

Hitesh Kadu

In February, the Qualys Web Application Scanning (WAS) team released a critical security signatures update. It adds detection of vulnerabilities in several commonly used software applications: Neo4j Browser, Neo4j Server, Apache Superset, Jenkins, Ivanti Connect Secure (ICS) and Ivanti Policy Secure Gateways, Zabbix, Oracle WebLogic, WordPress, Apache Solr, Fortra GoAnywhere MFT, pyLoad, Grafana, Apache Tomcat, NetScaler Application Delivery Controller (ADC) and NetScaler Gateway, Nginx, Microsoft Exchange Server and Roundcube Webmail. Several of these (the Ivanti, NetScaler and Exchange issues in particular) were exploited in the wild around the time of disclosure, so left unaddressed they can lead to data breaches, unauthorized access and other malicious activity. Organizations should scan their web applications, prioritise internet-facing findings, and remediate them promptly.

QID | Title
150781 | Neo4j Browser Detected
150782 | Neo4j Server Detected
150783 | Apache Superset: Cross-site Scripting Vulnerability (CVE-2023-49657)
150784 | Jenkins Arbitrary File Read Vulnerability (CVE-2024-23897)
150785 | Ivanti Connect Secure (ICS) and Ivanti Policy Secure Gateways Authentication Bypass Vulnerability (CVE-2023-46805)
150786 | Ivanti Connect Secure (ICS) and Ivanti Policy Secure Gateways Command Injection Vulnerability (CVE-2024-21887)
150787 | Zabbix Buffer Overread Vulnerability (CVE-2023-32726)
150788 | Oracle WebLogic Server Multiple Vulnerabilities (CPUJAN2024)
150791 | Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA Server-Side Request Forgery (SSRF) Vulnerability (CVE-2024-21893)
150792 | Ivanti Connect Secure (ICS) Privilege Escalation Vulnerability (CVE-2024-21888)
150794 | WordPress Booking Calendar Plugin: Unauthenticated SQL Injection Vulnerability (CVE-2024-1207)
150799 | Ivanti Connect Secure (ICS) XML External Entity (XXE) Vulnerability (CVE-2024-22024)
150800 | Apache Solr Insufficiently Protected Credentials Vulnerability (CVE-2023-50291)
150801 | Fortra GoAnywhere MFT Authentication Bypass Vulnerability (CVE-2024-0204)
150802 | Apache Solr Multiple Vulnerabilities (CVE-2023-50298, CVE-2023-50386)
150803 | pyLoad Improper Access Control Vulnerability (CVE-2024-21644)
150804 | Grafana Email Validation Bypass (CVE-2023-6152)
150805 | Apache Tomcat Information Disclosure Vulnerability (CVE-2024-21733)
150807 | NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Multiple Vulnerabilities (CTX584986)
150808 | Nginx Multiple HTTP/3 QUIC Vulnerabilities (CVE-2024-24989, CVE-2024-24990)
150809 | Microsoft Exchange Server Privilege Escalation Vulnerability (CVE-2024-21410)
150810 | Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability (CVE-2023-43770)
150812 | WordPress Bricks Theme: Unauthenticated Remote Code Execution Vulnerability (CVE-2024-25600)
154148 | WordPress Popup Builder Plugin: Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2023-6000)

QID 150781: Neo4j Browser Detected

CVE-ID: NA
Severity: Level 2
CVSS 3.1: 5.3
CWE-ID: 200
Affected Versions: Neo4j Browser

Description:

Neo4j Browser is the web interface for querying and visualising Neo4j graph databases. QID 150781 is a detection rather than a vulnerability check: it reports that a Neo4j Browser instance is reachable from the scanner. An exposed Browser is an attack surface in its own right, because it submits Cypher queries to the database behind it, and a database with authentication disabled or weak credentials gives an attacker a foothold from which to pivot into the rest of the environment.

To keep Neo4j Browser secure, enforce authentication on the database it connects to, restrict network access to the Browser to the users who need it, keep Neo4j Browser updated so that disclosed flaws are patched, and use Neo4j role-based access control to limit what each user can do.

Scanning with Qualys WAS identifies exposed instances so that you can lock them down before an attacker finds them.

QID 150782: Neo4j Server Detected

CVE-ID: NA
Severity: Level 2
CVSS 3.1: 5.3
CWE-ID: 200
Affected Versions: Neo4j Server

Description:

Neo4j Server is a graph database server that stores graph data and exposes it through the Cypher query language. QID 150782 is a detection: it reports that a Neo4j Server endpoint is reachable from the scanner.

A reachable database endpoint is a natural target for malicious actors, who may use it as a stepping stone for attacks on other parts of your application. Confirm that authentication is enforced, restrict network access to the server's HTTP and Bolt ports, and apply Neo4j security updates promptly.

QID 150783: Apache Superset: Cross-site Scripting Vulnerability (CVE-2023-49657)

CVE-ID: CVE-2023-49657
Severity: Level 3
CVSS 3.1: 5.4
CWE-ID: 79
Affected Versions: Apache Superset before 3.0.3

Description:

Apache Superset is an open-source software application for data exploration and data visualization that is able to handle data at petabyte scale.

A stored cross-site scripting (XSS) vulnerability exists in Apache Superset. An authenticated attacker with create/update permissions on charts or dashboards can store a script or a specific HTML snippet that is later rendered for other users, acting as a stored XSS. Successful exploitation lets the attacker execute arbitrary JavaScript in the context of the Superset interface for every user who views the affected chart or dashboard, or read browser-based information such as session data.

Customers are advised to upgrade to Apache Superset 3.0.3 or later to remediate this vulnerability. For more information regarding this vulnerability, refer to the Apache Superset advisory.

QID 150784: Jenkins Arbitrary File Read Vulnerability (CVE-2024-23897)

CVE-ID: CVE-2024-23897
Severity: Level 5
CVSS 3.1: 7.5
CWE-ID: 22
Affected Versions: Jenkins weekly up to and including 2.441
Jenkins LTS up to and including 2.426.2

Description:

Jenkins is an open-source automation server that automates building, testing and deploying software for continuous integration and continuous delivery. The Jenkins controller parses the arguments of CLI commands with the args4j library. args4j has a feature (expandAtFiles) that replaces an argument consisting of an '@' character followed by a file path with that file's contents. The feature is enabled by default, and Jenkins 2.441 and earlier and LTS 2.426.2 and earlier do not disable it, so an attacker can make the controller read arbitrary files from its file system, decoded with the default character encoding of the controller process.

How much an attacker can read depends on their permissions: with Overall/Read they can read entire files, while attackers without it can still obtain the first few lines of a file, depending on which CLI command they use. Because the CLI is reachable over HTTP and WebSocket on a default installation, and because files under JENKINS_HOME that hold secrets can be read this way, the issue is critical even when no account is available.

Customers are advised to upgrade to Jenkins 2.442 or LTS 2.426.3 or later, which disable the '@' expansion (administrators can re-enable it with the hudson.cli.CLICommand.allowAtSyntax system property, which is not recommended). Where upgrading is delayed, disabling access to the CLI is the documented workaround. For more information regarding this vulnerability, refer to SECURITY-3314 in the Jenkins Security Advisory 2024-01-24.
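To make the mechanism concrete, here is an added Python model of the '@file' expansion and of the switch that the fixed Jenkins releases flip. It is an illustration written for this post, not args4j or Jenkins code: the tokenisation (one argument per line of the referenced file) and the command name "example-command" are assumptions made for the example, and the secret file is constructed in a temporary directory.

```python
"""Model of args4j's '@file' argument expansion (expandAtFiles) and the
switch that Jenkins 2.442 / LTS 2.426.3 use to disable it.  Added
illustration in Python, not args4j or Jenkins code.  One-argument-per-line
tokenisation and the command name are assumptions for this example."""
import os
import tempfile


def expand_at_files(argv, allow_at_syntax=True):
    """Return argv with every '@<path>' argument replaced by the lines of
    <path>.  With allow_at_syntax=False (the post-fix Jenkins default,
    re-enableable via -Dhudson.cli.CLICommand.allowAtSyntax=true) the
    argument is passed through untouched."""
    expanded = []
    for arg in argv:
        if allow_at_syntax and arg.startswith("@") and len(arg) > 1:
            # Any file the controller process can read is expanded, decoded
            # with that process's default encoding: this is the CWE-22 sink.
            with open(arg[1:], "r") as fh:
                expanded.extend(line for line in fh.read().splitlines() if line)
        else:
            expanded.append(arg)
    return expanded


def demo():
    """Plant a constructed secret file and show vulnerable vs hardened behaviour."""
    fd, secret_path = tempfile.mkstemp(prefix="jenkins-secret-")
    with os.fdopen(fd, "w") as fh:
        fh.write("admin:s3cr3t-api-token\n")  # constructed, not a real token
    try:
        # The attacker passes '@<path>' as a CLI argument; a command that
        # reflects its argument in an error message leaks the expansion.
        leaked = expand_at_files(["example-command", "@" + secret_path])
        hardened = expand_at_files(["example-command", "@" + secret_path],
                                   allow_at_syntax=False)
    finally:
        os.unlink(secret_path)
    return leaked, hardened, secret_path


if __name__ == "__main__":
    leaked, hardened, _ = demo()
    print("vulnerable:", leaked)
    print("hardened  :", hardened)
```

The hardened branch does not try to sanitise the path; it refuses the feature altogether, which is exactly what the fix does, because there is no legitimate reason for a remote CLI client to name files on the controller.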

QID 150785: Ivanti Connect Secure (ICS) and Ivanti Policy Secure Gateways Authentication Bypass Vulnerability (CVE-2023-46805)

CVE-ID: CVE-2023-46805
Severity: Level 5
CVSS 3.1: 8.2
CWE-ID: 287
Affected Versions: Ivanti Connect Secure (ICS) and Ivanti Policy Secure versions 9.x and 22.x

Description:

Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure, is a Remote Access VPN solution, and Ivanti Policy Secure is a Network Access Control (NAC) solution developed by Ivanti.

An authentication bypass vulnerability exists in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure, allowing a remote, unauthenticated attacker to reach restricted resources by bypassing control checks. On its own the bypass exposes endpoints that should require a session; chained with the command injection flaw CVE-2024-21887 it gives an unauthenticated attacker command execution on the appliance, and the two were exploited together in the wild before a patch was available.

Customers are advised to apply the patched release for their version line per the Ivanti KB (or the mitigation XML Ivanti published where a patch is not yet available), and to run Ivanti's Integrity Checker Tool: an appliance that was compromised before patching stays compromised after it.

QID 150786: Ivanti Connect Secure (ICS) and Ivanti Policy Secure Gateways Command Injection Vulnerability (CVE-2024-21887)

CVE-ID: CVE-2024-21887
Severity: Level 5
CVSS 3.1: 9.1
CWE-ID: 77
Affected Versions: Ivanti Connect Secure (ICS) and Ivanti Policy Secure versions 9.x and 22.x

Description:

Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure, is a Remote Access VPN solution, and Ivanti Policy Secure is a Network Access Control (NAC) solution developed by Ivanti.

A command injection vulnerability exists in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x), which allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. Because CVE-2023-46805 removes the authentication requirement, the pair yields unauthenticated remote command execution, which is how the two were exploited in the wild. Customers are advised to refer to the Ivanti KB for information on remediating this vulnerability and to check patched appliances with the Integrity Checker Tool.

QID 150787: Zabbix Buffer Overread Vulnerability (CVE-2023-32726)

CVE-ID: CVE-2023-32726
Severity: Level 3
CVSS 3.1: 8.1
CWE-ID: 754
Affected Versions: Zabbix version from 5.0.0 to 5.0.39
Zabbix version from 6.0.0 to 6.0.23
Zabbix version from 6.4.0 to 6.4.8

Description:

Zabbix is an open-source monitoring platform for networks, servers, virtual machines and cloud services. When a Zabbix component parses a DNS server's response, the RDLENGTH field of a resource record is not checked adequately, so a malicious or spoofed DNS server can make the parser read past the end of the response buffer (an out-of-bounds read, which is the "buffer overread" in the title). Depending on what lies in the adjacent memory, this can leak memory contents, crash the process, or in the worst case serve as a building block for code execution.

To mitigate this risk, customers are strongly advised to upgrade their Zabbix installations to a fixed version. Further details and upgrade instructions are in the Zabbix vulnerability report ZBX-23855.

QID 150788: Oracle WebLogic Server Multiple Vulnerabilities (CPUJAN2024)

CVE-ID: CVE-2024-20927, CVE-2023-49093, CVE-2024-20931, CVE-2023-44483, CVE-2023-43643, CVE-2024-20986, CVE-2023-42503
Severity: Level 4
CVSS 3.1: 8.8
CWE-ID: 1352
Affected Versions: Oracle WebLogic Server version 12.2.1.4.0
Oracle WebLogic Server version 14.1.1.0.0

Description:

Oracle's January 2024 Critical Patch Update (CPUJAN2024) addresses seven CVEs in Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0, covering both WebLogic itself and third-party components bundled with it. The WAS check reports them as a single finding keyed on the CPU rather than on individual CVEs.

The highest-rated of these issues are exploitable over the network and could let an attacker take control of the WebLogic Server instance, exposing the data of the applications it hosts and disrupting them.

Oracle has released patches for these issues; apply the CPUJAN2024 patch set for your WebLogic release line. Details are in the Oracle CPUJAN2024 advisory.

QID 150791: Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA Server-Side Request Forgery (SSRF) Vulnerability (CVE-2024-21893)

CVE-ID: CVE-2024-21893
Severity: Level 4
CVSS 3.1: 8.2
CWE-ID: 918
Affected Versions: Ivanti Connect Secure (ICS) and Ivanti Policy Secure versions 9.x and 22.x

Description:

Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure, is a Remote Access VPN solution, and Ivanti Policy Secure is a Network Access Control (NAC) solution developed by Ivanti. A Server-Side Request Forgery (SSRF) vulnerability exists in the SAML component of these products and of Ivanti Neurons for ZTA, allowing an attacker to access certain restricted resources without authentication. Ivanti reported targeted exploitation of this flaw shortly after it was disclosed, so it should be treated with the same urgency as the January pair.

Customers are advised to upgrade to Ivanti Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1 and 22.5R2.2, Ivanti Policy Secure version 22.5R1.1 and ZTA version 22.6R1.3 or later to remediate this vulnerability. For more information, refer to Ivanti 000090322 and the Ivanti KB.

QID 150792: Ivanti Connect Secure (ICS) Privilege Escalation Vulnerability (CVE-2024-21888)

CVE-ID: CVE-2024-21888
Severity: Level 4
CVSS 3.1: 8.8
CWE-ID: 269
Affected Versions: Ivanti Connect Secure (ICS) versions 9.x and 22.x

Description:

Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure, is a Remote Access VPN solution developed by Ivanti.

A privilege escalation vulnerability exists in the web component that allows an authenticated user to elevate their privileges to those of an administrator, after which every administrative function of the appliance, including its configuration and stored credentials, is within reach.

Customers are advised to upgrade Ivanti Connect Secure (ICS) to a fixed version. For more information, refer to Ivanti 000090322 and the Ivanti KB.

QID 150794: WordPress Booking Calendar Plugin: Unauthenticated SQL Injection Vulnerability (CVE-2024-1207)

CVE-ID: CVE-2024-1207
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 89
Affected Versions: WordPress Booking Calendar Plugin before 9.9.1

Description:

The Booking Calendar plugin is a user-friendly tool for building reservation systems on a WordPress site.

The WP Booking Calendar plugin for WordPress is vulnerable to SQL injection via the 'calendar_request_params[dates_ddmmyy_csv]' parameter, because the user-supplied value is not escaped sufficiently and the query it is spliced into is not prepared. Unauthenticated attackers can append their own SQL to the existing query and use it to extract sensitive information from the database, such as user credentials. Whether an attacker can also modify data depends on the database account's privileges and on the query shape, so treat any exposed site as at risk of full database disclosure.

To address this issue, all customers are strongly recommended to update to Booking Calendar 9.9.1 or a later release.
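A comma-separated list of dates is a classic injection sink because the developer must build a variable-length IN (...) list, and the tempting shortcut is to quote each item and concatenate. The following added example, written in Python with the standard sqlite3 module for this post, shows that shortcut beside the parameterised form. It is hypothetical and is not the Booking Calendar plugin's code: the schema, the rows, the dd.mm.yyyy date format and the payload are all constructed for the illustration.

```python
"""A CSV-of-dates parameter as an injection sink, beside the parameterised
form.  Added, hypothetical example in Python/sqlite3: not the Booking
Calendar plugin's code.  Schema, rows, date format and payload are
constructed for the illustration."""
import re
import sqlite3

DATE_RE = re.compile(r"\d{2}\.\d{2}\.\d{4}")  # assumed dd.mm.yyyy shape


def make_db():
    """Constructed in-memory schema standing in for the WordPress tables."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE bookings (id INTEGER PRIMARY KEY, booking_date TEXT);
        CREATE TABLE users (user_login TEXT, user_pass TEXT);
        INSERT INTO bookings (booking_date) VALUES ('12.02.2024'), ('13.02.2024');
        INSERT INTO users VALUES ('admin', '$P$Bconstructedhash');
    """)
    return con


def bookings_vulnerable(con, dates_ddmmyy_csv):
    """Quotes each CSV item and splices it into the query.  The quoting is
    cosmetic: an item containing a quote closes it and the rest is SQL."""
    quoted = ",".join("'" + d + "'" for d in dates_ddmmyy_csv.split(","))
    sql = "SELECT booking_date FROM bookings WHERE booking_date IN (" + quoted + ")"
    return sorted(r[0] for r in con.execute(sql))


def bookings_fixed(con, dates_ddmmyy_csv):
    """Validates every item against the expected shape and binds each one to
    its own placeholder, so the value count is dynamic but the SQL is not."""
    dates = [d.strip() for d in dates_ddmmyy_csv.split(",") if d.strip()]
    if not dates or not all(DATE_RE.fullmatch(d) for d in dates):
        raise ValueError("dates_ddmmyy_csv must be a list of dd.mm.yyyy values")
    placeholders = ",".join("?" * len(dates))
    sql = "SELECT booking_date FROM bookings WHERE booking_date IN (" + placeholders + ")"
    return sorted(r[0] for r in con.execute(sql, dates))


# Constructed payload: closes the quoted list and appends a UNION.  It must
# not contain a comma, since the handler splits on commas before quoting.
PAYLOAD = "x') UNION SELECT user_login || ':' || user_pass FROM users --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", bookings_vulnerable(db, PAYLOAD))
    print("fixed     :", bookings_fixed(db, "12.02.2024,13.02.2024"))
```

In WordPress the equivalent of the fixed version is $wpdb->prepare() with one %s placeholder generated per value; the validation step matters separately, because a strict format check turns a malformed list into an error instead of a query.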

QID 150799: Ivanti Connect Secure (ICS) XML External Entity (XXE) Vulnerability (CVE-2024-22024)

CVE-ID: CVE-2024-22024
Severity: Level 4
CVSS 3.1: 8.3
CWE-ID: 611
Affected Versions: Ivanti Connect Secure version 9.1R14.4
Ivanti Connect Secure version 9.1R17.2
Ivanti Connect Secure version 9.1R18.3
Ivanti Connect Secure version 22.4R2.2
Ivanti Connect Secure version 22.5R1.1
Ivanti Connect Secure version 22.5R2.2

Description:

Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure, is a Remote Access VPN solution developed by Ivanti. An XML External Entity (XXE) vulnerability exists in the SAML component that allows an attacker to access certain restricted resources without authentication.

Note that the affected builds are precisely the releases Ivanti shipped to fix CVE-2024-21893 and CVE-2024-21888, so an appliance that was patched at the start of February needs a second upgrade. Customers are advised to upgrade Ivanti Connect Secure to versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3, 22.6R2.2 or later to remediate this vulnerability. For more information, refer to Ivanti 000090576 and the Ivanti KB.

QID 150800: Apache Solr Insufficiently Protected Credentials Vulnerability (CVE-2023-50291)

CVE-ID: CVE-2023-50291
Severity: Level 3
CVSS 3.1: 7.5
CWE-ID: 200
Affected Versions: Apache Solr 6.0.0 through 8.11.2
Apache Solr 9.0.0 before 9.3.0

Description:

Apache Solr is an open-source enterprise search platform built on Apache Lucene.

The installed version of Apache Solr exposes sensitive information through its system-properties endpoints. Solr has two APIs that return the Java system properties of the Solr process, /admin/info/properties and /admin/info/metrics. The first of these, /admin/info/properties, was only set up to hide system properties whose name contains "password". A number of sensitive properties, such as "basicauth" and "aws.secretKey", do not contain that word, so their values were published. This endpoint also populates the System Properties list on the home screen of the Solr Admin UI, making the exposed credentials visible to anyone who can open that page.

Successful exploitation discloses credentials that an attacker can use for further attacks, for example against the ZooKeeper ensemble or cloud storage the node talks to. Customers are advised to upgrade to Apache Solr 9.3.0 or later to remediate this vulnerability. For more information, refer to the Apache Solr advisory.
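The weak spot is a name filter that matches only one substring. The following added Python example, written for this post and not taken from Solr, contrasts that filter with a stricter one and includes the scanner-side check a WAS signature author would write: given the JSON body of /admin/info/properties, list the sensitive-looking properties whose values are published in the clear. The property set and the response body are constructed; the "system.properties" key is assumed from Solr's response format; and the sensitive-name pattern is this example's policy, not Solr's own hidden-property list.

```python
"""Detect credentials leaking through Solr's /admin/info/properties, and
compare the pre-9.3.0 name filter with a stricter one.  Added example in
Python; the property set and response body are constructed, the
'system.properties' key is assumed from Solr's output format, and the
sensitive-name pattern is this example's policy, not Solr's list."""
import json
import re

# Names that should never be published in the clear.  'password' is what the
# vulnerable filter checked; the other words are this example's additions.
SENSITIVE_NAME = re.compile(r"password|passwd|secret|credential|token|auth|key$",
                            re.IGNORECASE)

# Constructed JVM system properties of a Solr node (values are not real).
RAW_PROPS = {
    "java.version": "11.0.20",
    "solr.solr.home": "/var/solr/data",
    "solr.jetty.keystore.password": "changeit",
    "basicauth": "solr:SolrRocks",
    "aws.secretKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "zkDigestPassword": "zkpass",
}


def legacy_filter(props):
    """Filter described for CVE-2023-50291: drop only names containing 'password'."""
    return {k: v for k, v in props.items() if "password" not in k.lower()}


def strict_filter(props):
    """Hardened filter: redact the value of anything with a sensitive-looking name."""
    return {k: ("<redacted>" if SENSITIVE_NAME.search(k) else v)
            for k, v in props.items()}


def build_response(props, name_filter):
    """Constructed /admin/info/properties JSON body in Solr's response shape."""
    return json.dumps({"responseHeader": {"status": 0, "QTime": 1},
                       "system.properties": name_filter(props)})


def exposed_secrets(body):
    """Scanner-side check: names of sensitive-looking properties whose value
    is published in the clear.  Sorted so that results are stable."""
    props = json.loads(body).get("system.properties", {})
    return sorted(k for k, v in props.items()
                  if SENSITIVE_NAME.search(k) and v not in ("", "<redacted>"))


if __name__ == "__main__":
    print("legacy :", exposed_secrets(build_response(RAW_PROPS, legacy_filter)))
    print("strict :", exposed_secrets(build_response(RAW_PROPS, strict_filter)))
```

Even the stricter filter is a denylist on names, so the durable fix is the one the advisory implies: do not publish process properties to the UI at all, or do so only to authenticated administrators.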

QID 150801: Fortra GoAnywhere MFT Authentication Bypass Vulnerability (CVE-2024-0204)

CVE-ID: CVE-2024-0204
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 425
Affected Versions: GoAnywhere MFT prior to version 7.4.1

Description:

Fortra GoAnywhere Managed File Transfer (MFT) is a secure file transfer solution that organizations use to exchange their data safely.

An authentication bypass vulnerability exists in Fortra's GoAnywhere MFT that allows a remote, unauthenticated user to reach the administration portal's initial account setup and create an administrator account. With that account the attacker controls every file transfer the instance handles.

Customers are advised to upgrade GoAnywhere Managed File Transfer (MFT) to version 7.4.1 or later to remediate this vulnerability; Fortra's advisory also documents a manual workaround for deployments that cannot upgrade immediately. Whichever route is taken, review the Admin Users list for accounts you did not create. For more information, refer to the Fortra Security Advisory.

QID 150802: Apache Solr Multiple Vulnerabilities (CVE-2023-50298, CVE-2023-50386)

CVE-ID: CVE-2023-50298, CVE-2023-50386
Severity: Level 4
CVSS 3.1: 8.8
CWE-ID: 200, 434, 913
Affected Versions: Apache Solr 6.0.0 through 8.11.2
Apache Solr 9.0.0 before 9.4.1

Description:

Apache Solr is an open-source enterprise search platform built on Apache Lucene.

The installed versions of Apache Solr have multiple vulnerabilities:
CVE-2023-50298: Apache Solr can expose ZooKeeper credentials via Streaming Expressions.
CVE-2023-50386: The Apache Solr Backup/Restore APIs allow a malicious ConfigSet carrying executable code to be deployed to a node.

Successful exploitation of the first issue yields the ZooKeeper credentials and with them access to Solr's ZooKeeper nodes; the second yields remote code execution on the Solr node for anyone who can reach the Backup/Restore APIs, which in practice means unsecured clusters where authentication has not been enabled, or attackers who already hold credentials.

Customers are advised to upgrade to Apache Solr 9.4.1 or later to remediate these vulnerabilities. For more information, refer to the Apache Solr advisory.

QID 150803: pyLoad Improper Access Control Vulnerability (CVE-2024-21644)

CVE-ID: CVE-2024-21644
Severity: Level 3
CVSS 3.1: 7.5
CWE-ID: 200, 284
Affected Versions: pyLoad up to 0.4.9

Description:

pyLoad is a web-based download manager designed for downloading files from popular video-hosting sites, torrents, and file-hosting websites.

In affected versions of pyLoad, an unauthenticated user can request a specific URL and obtain the Flask configuration, which reveals sensitive values such as the `SECRET_KEY`. Because Flask signs its session cookies with `SECRET_KEY`, an attacker who has it can forge sessions, so this information disclosure is a direct path to authentication bypass rather than a passive leak.

Customers are advised to upgrade to the latest pyLoad to remediate this vulnerability, and to rotate the secret key on any instance that was exposed. For more information, refer to the pyLoad advisory.

QID 150804: Grafana Email Validation Bypass (CVE-2023-6152)

CVE-ID: CVE-2023-6152
Severity: Level 3
CVSS 3.1: 5.4
CWE-ID: 863
Affected Versions: Grafana versions before 9.5.16
Grafana versions from 10.0.0 to 10.0.11
Grafana versions from 10.1.0 to 10.1.7
Grafana versions from 10.2.0 to 10.2.4
Grafana versions from 10.3.0 to 10.3.3

Description:

Grafana is a multi-platform open-source analytics and interactive visualization web application. It provides charts, graphs, and alerts for the web when connected to supported data sources.

After a user signs up and verifies their email address, they can change the address in their profile settings without verifying the new one. The 'verify_email_enabled' configuration option only validates the address during the initial sign-up and does not enforce re-verification when the address is changed in the profile.

If an attacker gets into an account, changing its email address to one they control lets them receive password-reset mail and keep the account even after the legitimate owner tries to recover it; it also lets a user claim an address they do not own. Customers are advised to upgrade Grafana to a fixed version to remediate this vulnerability. For more information, refer to the Grafana advisory.

QID 150805: Apache Tomcat Information Disclosure Vulnerability (CVE-2024-21733)

CVE-ID: CVE-2024-21733
Severity: Level 3
CVSS 3.1: 5.3
CWE-ID: 209
Affected Versions: Apache Tomcat 8.5.7 to 8.5.63
Apache Tomcat 9.0.0-M11 to 9.0.43

Description:

Apache Tomcat is an open-source web server and servlet container developed by the Apache Software Foundation.

In affected versions of Apache Tomcat, an incomplete POST request triggered an error response that could contain data from a previous request made by another user. Successful exploitation could reveal another user's request data (form fields, tokens) to an unauthenticated attacker. The bug was fixed in 2021 and the CVE was assigned retroactively in January 2024, so deployments that have kept Tomcat current are not affected; the finding matters for long-lived installations on the 8.5.x and 9.0.x lines.

Customers are advised to upgrade to relevant versions of Apache Tomcat:

Apache Tomcat 8.5.64 or later
Apache Tomcat 9.0.44 or later

For more information on this vulnerability, please refer to Apache Tomcat 8 Security Advisory and Apache Tomcat 9 Security Advisory.

QID 150807: NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Multiple Vulnerabilities (CTX584986)

CVE-ID: CVE-2023-6548, CVE-2023-6549
Severity: Level 5
CVSS 3.1: 8.8
CWE-ID: 94, 119
Affected Versions: NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
NetScaler ADC and NetScaler Gateway 12.1 versions (End of Life)

Description:

Multiple vulnerabilities, including a Remote Code Execution (RCE) and a Denial of Service (DoS), have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).

CVE-2023-6548: Improper Control of Generation of Code ('Code Injection') in NetScaler ADC and NetScaler Gateway allows an attacker with access to the NSIP, CLIP or SNIP with the management interface enabled to perform authenticated (low-privileged) remote code execution on the management interface.
CVE-2023-6549: Improper Restriction of Operations within the Bounds of a Memory Buffer in NetScaler ADC and NetScaler Gateway allows unauthenticated denial of service against appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.

Successful exploitation of these vulnerabilities could lead to remote code execution on the management interface and/or a denial of service. Citrix reported exploitation of both in the wild, and the RCE is a reminder that management interfaces (NSIP, SNIP with management enabled) must not be reachable from untrusted networks.

Customers are advised to install the relevant updated versions of NetScaler ADC and/or NetScaler Gateway:

NetScaler ADC and NetScaler Gateway 14.1-12.35 and later releases
NetScaler ADC and NetScaler Gateway 13.1-51.15 and later releases
NetScaler ADC and NetScaler Gateway 13.0-92.21 and later releases

For more information pertaining to remediating this vulnerability, please refer to the Citrix Security Bulletin – CTX584986.

QID 150808: Nginx Multiple HTTP/3 QUIC Vulnerabilities (CVE-2024-24989, CVE-2024-24990)

CVE-ID: CVE-2024-24989, CVE-2024-24990
Severity: Level 4
CVSS 3.1: 7.5
CWE-ID: 476, 416
Affected Versions: NGINX Open Source mainline version 1.25.3 or earlier
NGINX Open Source subscription packages R5 or R6
NGINX Plus R30 or R31

Description:

Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.

When NGINX Plus or NGINX Open Source is configured to use the HTTP/3 QUIC module (ngx_http_v3_module), undisclosed requests can cause NGINX worker processes to terminate (a NULL pointer dereference and a use-after-free, per the CWE IDs above). A remote, unauthenticated attacker can use this to cause a denial of service. Only deployments that were built with the HTTP/3 module and carry a `listen ... quic` directive are exposed; the module is not part of a default build, so check the compiled modules and configuration before treating a finding as confirmed. Customers are advised to upgrade their NGINX software to a fixed version to remediate these vulnerabilities. For more information, refer to the Nginx advisory.

QID 150809: Microsoft Exchange Server Privilege Escalation Vulnerability (CVE-2024-21410)

CVE-ID: CVE-2024-21410
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 269
Affected Versions: Exchange Server 2019
Exchange Server 2016

Description:

Microsoft Exchange Server is a mail server and calendaring server developed by Microsoft. It runs exclusively on Windows Server operating systems.

Multiple versions of Microsoft Exchange Server are affected by a privilege escalation vulnerability. It is an NTLM credential relay flaw: an attacker who captures a user's Net-NTLMv2 hash (for example by targeting an Outlook client) can relay it to the Exchange server and authenticate as that user. Microsoft reported exploitation in the wild.

The mitigation is Extended Protection for Authentication (EPA), which binds the NTLM authentication to the TLS channel and defeats the relay. Exchange Server 2019 Cumulative Update 14 enables EPA by default, so customers are advised to upgrade Exchange Server 2019 to CU14 or later.

For details regarding Exchange Server 2019 Cumulative Update 14, refer to KB5035606.

On Exchange Server 2016 (and on Exchange 2019 builds before CU14) EPA has to be enabled explicitly with Microsoft's ExchangeExtendedProtectionManagement.ps1 script, after checking the prerequisites Microsoft lists for it. For mitigation guidelines and patching details for Exchange Server 2016 and 2019, refer to the Microsoft Security Advisory.

QID 150810: Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability (CVE-2023-43770)

CVE-ID: CVE-2023-43770
Severity: Level 3
CVSS 3.1: 6.1
CWE-ID: 79
Affected Versions: Roundcube before 1.4.14
Roundcube 1.5.x before 1.5.4
Roundcube 1.6.x before 1.6.3

Description:

Roundcube is a web-based IMAP email client. Roundcube allows XSS via text/plain e-mail messages with crafted links, because of how program/lib/Roundcube/rcube_string_replacer.php converts link-like text in plain-text messages into HTML. Since the payload arrives in a received e-mail, no interaction beyond opening the message is needed. Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the webmail interface, or to access sensitive browser-based information such as the victim's session. Customers are advised to upgrade to Roundcube 1.4.14, 1.5.4, 1.6.3 or later to remediate this vulnerability. For more information, refer to the Roundcube advisory.
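Converting a plain-text body into HTML with clickable links is safe only if the text is escaped before the links are inserted and the inserted links are themselves attribute-escaped. The following added Python example, written for this post, shows the unsafe ordering beside the safe one. It illustrates the bug class; it is not Roundcube's rcube_string_replacer code and does not reproduce the exact Roundcube defect, and the sample message is constructed.

```python
"""Linkifying a text/plain message body: the unsafe order (wrap URLs, trust
the rest) beside the safe one (escape everything, then wrap validated
URLs).  Added illustration of the bug class in Python; not Roundcube's
rcube_string_replacer code.  The sample message is constructed."""
import html
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def linkify_unsafe(text):
    """Wraps URLs in <a> but never escapes the surrounding text, so any
    markup the sender typed into the plain-text body reaches the browser."""
    return URL_RE.sub(lambda m: '<a href="%s">%s</a>' % (m.group(0), m.group(0)),
                      text)


def linkify_safe(text):
    """HTML-escapes every non-URL span, then emits each URL as an <a> only if
    its scheme is http(s); the href is attribute-escaped as well."""
    out, pos = [], 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        url = m.group(0)
        # The scheme check is redundant with URL_RE today; it stays so that a
        # later widening of the pattern cannot admit javascript: links.
        if urlsplit(url).scheme.lower() in ("http", "https"):
            out.append('<a href="%s" rel="noopener noreferrer">%s</a>'
                       % (html.escape(url, quote=True), html.escape(url)))
        else:
            out.append(html.escape(url))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


# Constructed text/plain body: a genuine link followed by markup the sender
# smuggled in as ordinary text.
SAMPLE = 'Invoice: http://example.com/inv/42 <img src=x onerror=alert(1)>'

if __name__ == "__main__":
    print(linkify_unsafe(SAMPLE))
    print(linkify_safe(SAMPLE))
```

The safe version keeps a single invariant: every byte of the output is either escaped text or a link the code itself assembled from an escaped URL. Any further transformation of the message (quote highlighting, emoticons) should run on the escaped text, not before the escaping.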

QID 150812: WordPress Bricks Theme: Unauthenticated Remote Code Execution Vulnerability (CVE-2024-25600)

CVE-ID: CVE-2024-25600
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 94
Affected Versions: WordPress Bricks theme before 1.9.6

Description:

Bricks is a flexible WordPress theme and site builder for creating any type of website.

The Bricks theme for WordPress is vulnerable to remote code execution that unauthenticated attackers can trigger, giving them the ability to run arbitrary code on the web server with the privileges of the PHP process and from there to take over the site. Customers are advised to upgrade to Bricks 1.9.6.1 or the latest version to remediate this vulnerability. For more information regarding this vulnerability, refer to the Bricks theme advisory.

QID 154148: WordPress Popup Builder Plugin: Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2023-6000)

CVE-ID: CVE-2023-6000
Severity: Level 4
CVSS 3.1: 6.1
CWE-ID: 79
Affected Versions: Popup Builder prior to version 4.2.3

Description:

Popup Builder is a WordPress plugin that helps users create high-converting, promotional, and informative popups, providing a wide range of WordPress popup types, conditions, and events.

The affected versions of Popup Builder do not stop unauthenticated visitors from updating existing popups and injecting raw JavaScript into them, which results in stored XSS. Because the injected script runs in the browser of whoever views the popup, including a logged-in administrator, successful exploitation lets the attacker perform any action that administrator can perform on the site, such as installing arbitrary plugins or creating rogue administrator users.

Customers are advised to upgrade to Popup Builder 4.2.3 or the latest version. For more information pertaining to this vulnerability, refer to the WPScan advisory.
