February 2024 Web Application Vulnerabilities Released
In February, the Qualys Web Application Scanning (WAS) team released a critical security signatures update. This update now includes the detection of vulnerabilities in several commonly used software applications, such as Neo4j Browser, Neo4j Server, Apache Superset, Jenkins, Ivanti Connect Secure (ICS) and Ivanti Policy Secure Gateways, Zabbix, Oracle WebLogic, WordPress, Apache Solr, Fortra GoAnywhere MFT, pyLoad, Grafana, Apache Tomcat, NetScaler Application Delivery Controller (ADC) and NetScaler Gateway, Nginx, Microsoft Exchange Server and Roundcube Webmail. It’s essential to note that if these vulnerabilities are left unaddressed, they can pose substantial security risks, including the potential for data breaches, unauthorized access, and various malicious activities. To ensure the safety and security of their networks and systems, organizations should conduct a thorough security assessment and promptly resolve any identified vulnerabilities.
| QID | Title |
| 150781 | Neo4j Browser Detected |
| 150782 | Neo4j Server Detected |
| 150783 | Apache Superset: Cross-site Scripting Vulnerability (CVE-2023-49657) |
| 150784 | Jenkins Arbitrary File Read Vulnerability (CVE-2024-23897) |
| 150785 | Ivanti Connect Secure (ICS) and Ivanti Policy Secure Gateways Authentication Bypass Vulnerability (CVE-2023-46805) |
| 150786 | Ivanti Connect Secure (ICS) and Ivanti Policy Secure Gateways Command Injection Vulnerability (CVE-2024-21887) |
| 150787 | Zabbix Buffer Overread Vulnerability (CVE-2023-32726) |
| 150788 | Oracle WebLogic Server Multiple Vulnerabilities (CPUJAN2024) |
| 150791 | Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA Server-Side Request Forgery (SSRF) Vulnerability (CVE-2024-21893) |
| 150792 | Ivanti Connect Secure (ICS) Privilege Escalation Vulnerability (CVE-2024-21888) |
| 150794 | WordPress Booking Calendar Plugin: Unauthenticated SQL Injection Vulnerability (CVE-2024-1207) |
| 150799 | Ivanti Connect Secure (ICS) XML External Entity (XXE) Vulnerability (CVE-2024-22024) |
| 150800 | Apache Solr Insufficiently Protected Credentials Vulnerability (CVE-2023-50291) |
| 150801 | Fortra GoAnywhere MFT Authentication Bypass Vulnerability (CVE-2024-0204) |
| 150802 | Apache Solr Multiple Vulnerabilities (CVE-2023-50298, CVE-2023-50386) |
| 150803 | pyLoad Improper Access Control Vulnerability (CVE-2024-21644) |
| 150804 | Grafana Email Validation Bypass (CVE-2023-6152) |
| 150805 | Apache Tomcat Information Disclosure Vulnerability (CVE-2024-21733) |
| 150807 | NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Multiple Vulnerabilities (CTX584986) |
| 150808 | Nginx Multiple HTTP/3 QUIC vulnerabilities (CVE-2024-24989, CVE-2024-24990) |
| 150809 | Microsoft Exchange Server Privilege Escalation Vulnerability (CVE-2024-21410) |
| 150810 | Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability (CVE-2023-43770) |
| 150812 | WordPress Bricks Theme: Unauthenticated Remote Code Execution Vulnerability (CVE-2024-25600) |
| 154148 | WordPress Popup Builder Plugin: Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2023-6000) |
QID 150781: Neo4j Browser Detected
| CVE-ID | NA |
| Severity | Level 2 |
| CVSS 3.1 | 5.3 |
| CWE-ID | 200 |
| Affected Versions | Neo4j Browser |
Description:
Neo4j Browser is a tool that helps users interact with Neo4j graph databases online. However, it can be vulnerable to misuse by attackers who might try to use it as a starting point for launching attacks on other parts of your system.
To keep the Neo4j Browser secure, there are a few important steps to take. First, make sure to set up authentication so that only authorized users can access it. Also, restrict access to the browser to only those who really need it. Regularly update Neo4j Browser to patch any security holes that might be discovered, and use role-based access controls to limit what different users can do.
By scanning through Qualys WAS, you can help protect your Neo4j database and reduce the chances of it being exploited by hackers.
QID 150782: Neo4j Server Detected
| CVE-ID | NA |
| Severity | Level 2 |
| CVSS 3.1 | 5.3 |
| CWE-ID | 200 |
| Affected Versions | Neo4j Server |
Description:
Neo4j Server is a graph database server that manages and allows access to graph data using the Cypher query language.
However, it’s important to recognize that Neo4j Server could be targeted by malicious actors who may attempt to misuse it as a stepping stone for launching attacks on other parts of your application. To secure the Neo4j Server, apply regular security updates.
QID 150783: Apache Superset: Cross-site Scripting Vulnerability (CVE-2023-49657)
| CVE-ID | CVE-2023-49657 |
| Severity | Level 3 |
| CVSS 3.1 | 5.4 |
| CWE-ID | 79 |
| Affected Versions | Apache Superset before 3.0.3 |
Description:
Apache Superset is an open-source software application for data exploration and data visualization that is able to handle data at petabyte scale.
A stored cross-site scripting (XSS) vulnerability exists in Apache Superset. An authenticated attacker with create/update permissions on charts or dashboards could store a script or add a specific HTML snippet that would act as a stored XSS. The successful exploitation of this vulnerability could grant an attacker the ability to execute arbitrary JavaScript code within the interface’s context or gain access to sensitive, browser-based information.
Customers are advised to upgrade Apache Superset 3.0.3 to the latest version to remediate this vulnerability. For more information regarding this vulnerability, please refer to the Apache Superset Advisory.
QID 150784: Jenkins Arbitrary File Read Vulnerability (CVE-2024-23897)
| CVE-ID | CVE-2024-23897 |
| Severity | Level 5 |
| CVSS 3.1 | 7.5 |
| CWE-ID | 22 |
| Affected Versions | Jenkins weekly up to and including 2.441. Jenkins LTS up to and including LTS 2.426.2 |
Description:
Jenkins is an open-source automation server. It helps automate the parts of software development related to building, testing, and deploying, facilitating continuous integration, and continuous delivery. Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces an ‘@’ character followed by a file path in an argument with the files contents (expandAtFiles). This feature is enabled by default, and Jenkins 2.441 and earlier LTS 2.426.2 and earlier do not disable it. This allows attackers to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.
Successful exploitation of this vulnerability could allow an unauthorized attacker to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.
Customers are advised to upgrade to the latest Jenkins version. For more information regarding this vulnerability, please refer SECURITY-3314 Jenkins Security Advisory 2024-01-24.
QID 150785: Ivanti Connect Secure (ICS) and Ivanti Policy Secure Gateways Authentication Bypass Vulnerability (CVE-2023-46805)
| CVE-ID | CVE-2023-46805 |
| Severity | Level 5 |
| CVSS 3.1 | 8.2 |
| CWE-ID | 287 |
| Affected Versions | Ivanti Connect Secure (ICS) and Ivanti Policy Secure versions 9.x and 22.x |
Description:
Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure, is a Remote Access VPN solution, and Ivanti Policy Secure is a Network Access Control (NAC) solution developed by Ivanti.
An authentication bypass vulnerability exists in the web component of Ivanti ICS 9.x, 22.x, and Ivanti Policy Secure, which allows a remote attacker to access restricted resources by bypassing control checks. Successful exploitation of this vulnerability could allow a remote attacker to access restricted resources by bypassing control checks.
Customers are advised to refer to Ivanti KB for information pertaining to remediating this vulnerability.
QID 150786: Ivanti Connect Secure (ICS) and Ivanti Policy Secure Gateways Command Injection Vulnerability (CVE-2024-21887)
| CVE-ID | CVE-2024-21887 |
| Severity | Level 5 |
| CVSS 3.1 | 9.1 |
| CWE-ID | 77 |
| Affected Versions | Ivanti Connect Secure (ICS) and Ivanti Policy Secure versions 9.x and 22.x |
Description:
Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure, is a Remote Access VPN solution, and Ivanti Policy Secure is a Network Access Control (NAC) solution developed by Ivanti.
A Command Injection vulnerability exists in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x), which allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the target system. Customers are advised to refer to Ivanti KB for information pertaining to remediating this vulnerability.
QID 150787: Zabbix Buffer Overread Vulnerability (CVE-2023-32726)
| CVE-ID | CVE-2023-32726 |
| Severity | Level 3 |
| CVSS 3.1 | 8.1 |
| CWE-ID | 754 |
| Affected Versions | Zabbix version from 5.0.0 to 5.0.39 Zabbix version from 6.0.0 to 6.0.23 Zabbix version from 6.4.0 to 6.4.8 |
Description:
Zabbix, an open-source IT infrastructure monitoring tool encompassing networks, servers, virtual machines, and cloud services, has identified a vulnerability stemming from an inadequate check for RDLENGTH. This vulnerability, if exploited, could lead to a buffer overflow in the response from the DNS server. Such an attack has the potential to expose sensitive information, cause system crashes, or facilitate arbitrary code execution.
To mitigate this risk, customers are strongly advised to promptly upgrade their Zabbix installations to the latest version. Further details and instructions for the upgrade process can be found in the Zabbix vulnerability report labeled as ZBX-23855.
QID 150788: Oracle WebLogic Server Multiple Vulnerabilities (CPUJAN2024)
| CVE-ID | CVE-2024-20927, CVE-2023-49093, CVE-2024-20931, CVE-2023-44483, CVE-2023-43643, CVE-2024-20986, CVE-2023-42503 |
| Severity | Level 4 |
| CVSS 3.1 | 8.8 |
| CWE-ID | 1352 |
| Affected Versions | Oracle WebLogic Server version 12.2.1.4.0 Oracle WebLogic Server version 14.1.1.0.0 |
Description:
Oracle WebLogic Server, used by businesses for their applications, has some security issues in specific versions: 12.2.1.4.0 and 14.1.1.0.0.
If these vulnerabilities are exploited, it’s serious. An attacker could take over the entire server, accessing sensitive information and disrupting business applications.
To stay safe, Oracle has released patches to fix these issues. If you’re using Oracle WebLogic Server, update it with these patches. You can find more details about the patches in the Oracle – CPUJAN2024.
QID 150794: Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA Server-Side Request Forgery (SSRF) Vulnerability (CVE-2024-21893)
| CVE-ID | CVE-2024-21893 |
| Severity | Level 4 |
| CVSS 3.1 | 8.2 |
| CWE-ID | 918 |
| Affected Versions | Ivanti Connect Secure (ICS) and Ivanti Policy Secure versions 9.x and 22.x |
Description:
Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure, is a Remote Access VPN solution, and Ivanti Policy Secure is a Network Access Control (NAC) solution developed by Ivanti. A Server-Side Request Forgery (SSRF) vulnerability exists in the SAML component, which allows an attacker to access certain restricted resources without authentication. Successful exploitation of this vulnerability allows an attacker to access certain restricted resources without authentication.
Customers are advised to upgrade to Ivanti Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1 and 22.5R2.2, Ivanti Policy Secure version 22.5R1.1 and ZTA version 22.6R1.3 or later to remediate this vulnerability. For more information, please refer to Ivanti 000090322 and Ivanti KB.
QID 150792: Ivanti Connect Secure (ICS) Privilege Escalation Vulnerability (CVE-2024-21888)
| CVE-ID | CVE-2024-21888 |
| Severity | Level 4 |
| CVSS 3.1 | 8.8 |
| CWE-ID | 269 |
| Affected Versions | Ivanti Connect Secure (ICS) versions 9.x and 22.x |
Description:
Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure, is a Remote Access VPN solution developed by Ivanti.
A Privilege Escalation Vulnerability exists in the web component, which allows a user to elevate privileges to that of an administrator. Successful exploitation of this vulnerability could allow a user to elevate privileges to that of an administrator.
Customers are advised to upgrade Ivanti Connect Secure (ICS) to the latest version. For more information, please refer to Ivanti 000090322 and Ivanti KB.
QID 150794: WordPress Booking Calendar Plugin: Unauthenticated SQL Injection Vulnerability (CVE-2024-1207)
| CVE-ID | CVE-2024-1207 |
| Severity | Level 5 |
| CVSS 3.1 | 9.8 |
| CWE-ID | 89 |
| Affected Versions | WordPress Booking Calendar Plugin before 9.9.1 |
Description:
The Booking Calendar plugin is a nice and user-friendly tool for creating reservation systems for your WordPress website.
The WP Booking Calendar plugin for WordPress is vulnerable to SQL Injection via the ‘calendar_request_params[dates_ddmmyy_csv]’ parameter due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. An unauthorized attacker could use this weakness to get into the system, access the database, take sensitive information, and control the database by making changes or deletions using SQL commands.
To address this issue and bolster security, it is strongly recommended that all customers promptly update to Booking Calendar 9.9.1 or a later release.
QID 150799: Ivanti Connect Secure (ICS) XML External Entity (XXE) Vulnerability (CVE-2024-22024)
| CVE-ID | CVE-2024-22024 |
| Severity | Level 4 |
| CVSS 3.1 | 8.3 |
| CWE-ID | 611 |
| Affected Versions | Ivanti Connect Secure version 9.1R14.4 Ivanti Connect Secure version 9.1R17.2 Ivanti Connect Secure version 9.1R18.3 Ivanti Connect Secure version 22.4R2.2 Ivanti Connect Secure version 22.5R1.1 Ivanti Connect Secure version 22.5R2.2 |
Description:
Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure, is a Remote Access VPN solution developed by Ivanti. An XML external entity or XXE vulnerability exists in the SAML component, which allows an attacker to access certain restricted resources without authentication.
Successful exploitation of this vulnerability could allow an attacker to access certain restricted resources without authentication. Customers are advised to upgrade Ivanti Connect Secure to versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3, 22.6R2.2 or later to remediate this vulnerability. For more information, please refer to Ivanti 000090576 and Ivanti KB.
QID 150800: Apache Solr Insufficiently Protected Credentials Vulnerability (CVE-2023-50291)
| CVE-ID | CVE-2023-50291 |
| Severity | Level 3 |
| CVSS 3.1 | 7.5 |
| CWE-ID | 200 |
| Affected Versions | Apache Solr 6.0.0 through 8.11.2 Apache Solr 9.0.0 before 9.3.0 |
Description:
Apache Solr is an open-source enterprise search platform which is on Apache Lucene.
The installed version of Apache Solr is vulnerable to Information Exposure through the Solr Metrics API. Currently, there are two APIs to get the sysProps from a Solr process “/admin/info/properties” and “/admin/info/metrics”. One of the two endpoints that publish the Solr process’ Java system properties, /admin/info/properties, was only set up to hide system properties that had “password” contained in the name. There are a number of sensitive system properties, such as “basicauth” and “aws.secretKey”, that do not contain “password”; thus, their values were published via the “/admin/info/properties” endpoint. This endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI.
Successful exploitation would lead to Information Disclosure vulnerability, which can help the attacker carry out further attacks and obtain sensitive information. Customers are advised to upgrade to the latest Apache Solr to remediate this vulnerability. For more information related to this vulnerability, please refer to the Apache Solr Advisory.
QID 150801: Fortra GoAnywhere MFT Authentication Bypass Vulnerability (CVE-2024-0204)
| CVE-ID | CVE-2024-0204 |
| Severity | Level 5 |
| CVSS 3.1 | 9.8 |
| CWE-ID | 425 |
| Affected Versions | GoAnywhere MFT prior to version 7.4.1 |
Description:
Fortra GoAnywhere Managed File Transfer (MFT) is a secure file transfer solution that organizations use to exchange their data safely.
An Authentication bypass vulnerability exists in Fortra’s GoAnywhere MFT, which allows an unauthorized user to create an admin user via the administration portal. Successful exploitation of this vulnerability could allow a remote unauthorized user to create an admin user via the administration portal.
Customers are advised to upgrade GoAnywhere Managed File Transfer (MFT) to version 7.4.1 or later to remediate this vulnerability. For more information, please refer to the Fortra Security Advisory.
QID 150802: Apache Solr Multiple Vulnerabilities (CVE-2023-50298, CVE-2023-50386)
| CVE-ID | CVE-2023-50298, CVE-2023-50386 |
| Severity | Level 4 |
| CVSS 3.1 | 8.8 |
| CWE-ID | 200, 434, 913 |
| Affected Versions | Apache Solr 6.0.0 through 8.11.2 Apache Solr 9.0.0 before 9.4.1 |
Description:
Apache Solr is an open-source enterprise search platform which is on Apache Lucene.
The installed versions of Apache Solr have multiple vulnerabilities:
CVE-2023-50298: Apache Solr can expose ZooKeeper credentials via Streaming Expressions.
CVE-2023-50386: Apache Solr Backup/Restore APIs allow for the deployment of executables in malicious ConfigSets.
Successful exploitation would lead to obtaining the credentials, followed by gaining access to Solr’s Zookeeper Nodes or achieving remote code execution in cases where Solr clusters are unsecured and authentication hasn’t been enabled.
Customers are advised to upgrade to the latest Apache Solr to remediate this vulnerability. For more information related to this vulnerability, please refer to Apache Solr Advisory
QID 150803: pyLoad Improper Access Control Vulnerability (CVE-2024-21644)
| CVE-ID | CVE-2024-21644 |
| Severity | Level 3 |
| CVSS 3.1 | 7.5 |
| CWE-ID | 200,284 |
| Affected Versions | pyLoad upto 0.4.9 |
Description:
pyLoad is a web-based download manager designed for downloading files from popular video-hosting sites, torrents, and file-hosting websites.
In any installed version of pyLoad, an unauthenticated user can navigate to a specific URL and potentially expose the Flask configuration, revealing sensitive information such as the `SECRET_KEY` variable. Successful exploitation would lead to Information Disclosure vulnerability, which can help the attacker carry out further attacks and obtain sensitive information.
Customers are advised to upgrade to the latest pyLoad to remediate this vulnerability. For more information related to this vulnerability, please refer to the pyLoad Advisory.
QID 150804: Grafana Email Validation Bypass (CVE-2023-6152)
| CVE-ID | CVE-2023-6152 |
| Severity | Level 3 |
| CVSS 3.1 | 5.4 |
| CWE-ID | 863 |
| Affected Versions | Grafana versions before 9.5.16 Grafana versions from 10.0.0 to 10.0.11 Grafana versions from 10.1.0 to 10.1.7 Grafana versions from 10.2.0 to 10.2.4 Grafana versions from 10.3.0 to 10.3.3 |
Description:
Grafana is a multi-platform open-source analytics and interactive visualization web application. It provides charts, graphs, and alerts for the web when connected to supported data sources.
After a user signs up and verifies their email, they can change their email address in the profile settings without undergoing the verification process again. The ‘verify_email_enabled’ configuration option specifically validates the email only during the initial sign-up phase and does not enforce re-verification when changing the email in the profile settings.
If an unauthorized user gains access to an account and changes the associated email without re-verification, they could essentially take control of the account, potentially leading to unauthorized use or data compromise. Customers are advised to upgrade Grafana to the latest version to remediate this vulnerability. For more information regarding this vulnerability, please refer to the Grafana Advisory.
QID 150805: Apache Tomcat Information Disclosure Vulnerability (CVE-2024-21733)
| CVE-ID | CVE-2024-21733 |
| Severity | Level 3 |
| CVSS 3.1 | 5.3 |
| CWE-ID | 209 |
| Affected Versions | Apache Tomcat 8.5.7 to 8.5.63 Apache Tomcat 9.0.0-M11 to 9.0.43 |
Description:
Apache Tomcat is an open-source web server and servlet container developed by the Apache Software Foundation.
In affected versions of Apache Tomcat, Incomplete POST requests triggered an error response that could contain data from a previous request from another user. Successful exploitation of this vulnerability could result in revealing sensitive information to an unauthorized user.
Customers are advised to upgrade to relevant versions of Apache Tomcat:
Apache Tomcat 8.5.64 or later
Apache Tomcat 9.0.44 or later
For more information on this vulnerability, please refer to Apache Tomcat 8 Security Advisory and Apache Tomcat 9 Security Advisory.
QID 150807: NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Multiple Vulnerabilities (CTX584986)
| CVE-ID | CVE-2023-6548, CVE-2023-6549 |
| Severity | Level 5 |
| CVSS 3.1 | 8.8 |
| CWE-ID | 94,119 |
| Affected Versions | NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35 NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15 NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21 NetScaler ADC and NetScaler Gateway 12.1 versions – End Of Life (EOL). |
Description:
Multiple vulnerabilities, including a Remote Code Execution (RCE) and a Denial of Service (DoS), have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).
CVE-2023-6548: Improper Control of Generation of Code (‘Code Injection’) in NetScaler ADC and NetScaler Gateway allows an attacker with access to NSIP, CLIP, or SNIP with management interface to perform Authenticated (low privileged) Remote Code Execution (RCE) on Management Interface.
CVE-2023-6549: Improper Restriction of Operations within the Bounds of a Memory Buffer in NetScaler ADC and NetScaler Gateway allows Unauthenticated Denial of Service (DoS).
Successful exploitation of these vulnerabilities could lead to Remote Code Execution (RCE) and/or a Denial of Service (DoS) attack.
Customers are advised to install the relevant updated versions of NetScaler ADC and/or NetScaler Gateway:
NetScaler ADC and NetScaler Gateway 14.1-12.35 and later releases
NetScaler ADC and NetScaler Gateway 13.1-51.15 and later releases
NetScaler ADC and NetScaler Gateway 13.0-92.21 and later releases
For more information pertaining to remediating this vulnerability, please refer to the Citrix Security Bulletin – CTX584986.
QID 150808 : Nginx Multiple HTTP/3 QUIC vulnerabilities (CVE-2024-24989, CVE-2024-24990)
| CVE-ID | CVE-2024-24989, CVE-2024-24990 |
| Severity | Level 4 |
| CVSS 3.1 | 7.5 |
| CWE-ID | 476, 416 |
| Affected Versions | NGINX Open source mainline version 1.25.3 or earlier NGINX Open source subscription packages R5 or R6 NGINX Plus R30 or R31 |
Description:
Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy, and HTTP cache.
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module (ngx_http_v3_module), undisclosed requests can cause NGINX worker processes to terminate. This vulnerability allows a remote unauthenticated attacker to cause a denial-of-service (DoS) on the NGINX system. Customers are advised to upgrade their NGINX software to the latest version to remediate this vulnerability. For more information related to this vulnerability, please refer to the Nginx Advisory.
QID 150809: Microsoft Exchange Server Privilege Escalation Vulnerability (CVE-2024-21410)
| CVE-ID | CVE-2024-21410 |
| Severity | Level 5 |
| CVSS 3.1 | 9.8 |
| CWE-ID | 269 |
| Affected Versions | Exchange Server 2019 Exchange Server 2016 |
Description:
Microsoft Exchange Server is a mail server and calendaring server developed by Microsoft. It runs exclusively on Windows Server operating systems.
Multiple versions of Microsoft Exchange Server are affected by a Privilege Escalation Vulnerability. Successful exploitation of this vulnerability could allow an attacker to elevate privileges on the affected Exchange Server instance.
Customers are advised to upgrade Microsoft Exchange Server 2019 to the latest Cumulative Update 14 or later to remediate this vulnerability.
For details regarding Exchange Server 2019 Cumulative Update 14, please refer to KB5035606.
For more information on Mitigation guidelines and patching details for Microsoft Exchange Server 2016 and 2019, please refer to the Microsoft Security Advisory.
QID 150810: Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability (CVE-2023-43770)
| CVE-ID | CVE-2023-43770 |
| Severity | Level 3 |
| CVSS 3.1 | 6.1 |
| CWE-ID | 79 |
| Affected Versions | Roundcube before 1.4.14 Roundcube 1.5.x before 1.5.4 Roundcube 1.6.x before 1.6.3 |
Description:
Roundcube is a web-based IMAP email client. Roundcube allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior. Successful exploitation could allow an attacker to execute arbitrary JavaScript code in the context of the interface or allow the attacker to access sensitive, browser-based information. Customers are advised to upgrade to the latest Roundcube to remediate this vulnerability. For more information related to this vulnerability, please refer to the Roundcube Advisory.
QID 150812: WordPress Bricks Theme: Unauthenticated Remote Code Execution Vulnerability (CVE-2024-25600)
| CVE-ID | CVE-2024-25600 |
| Severity | Level 5 |
| CVSS 3.1 | 9.8 |
| CWE-ID | 94 |
| Affected Versions | WordPress Bricks theme before 1.9.6 |
Description:
Bricks is an advanced, flexible, and easy-to-use WordPress theme that allows you to create any type of website.
The Bricks theme for WordPress is vulnerable to Remote Code Execution. This makes it possible for unauthenticated attackers to execute code on the server. Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary code on the target system. Customers are advised to upgrade to WordPress Bricks theme 1.9.6.1 or the latest version to remediate this vulnerability. For more information regarding this vulnerability, please refer to the WordPress Bricks theme.
QID 154148: WordPress Popup Builder Plugin: Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2023-6000)
| CVE-ID | CVE-2023-6000 |
| Severity | Level 4 |
| CVSS 3.1 | 6.1 |
| CWE-ID | 79 |
| Affected Versions | Popup Builder prior to version 4.2.3 |
Description:
Popup Builder is a WordPress plugin that helps users create high-converting, promotional, and informative popups, providing a wide range of WordPress popup types, conditions, and events.
The affected versions of Popup Builder do not prevent simple visitors from updating existing popups and injecting raw JavaScript in them, which could lead to Stored XSS attacks. Successful exploitation of this vulnerability could allow attackers to perform any action the logged-in administrator they targeted is allowed to do on the targeted site, including installing arbitrary plugins and creating new rogue Administrator users.
Customers are advised to upgrade to the latest version of the Popup Builder plugin. For more information pertaining to this vulnerability, please refer to the WPScan Advisory.