March 2024 Web Application Vulnerabilities Released

Hitesh Kadu

In March, the Qualys Web Application Scanning (WAS) team released a critical security signatures update. This update now includes the detection of vulnerabilities in several commonly used software applications, such as WordPress, ConnectWise ScreenConnect, aiohttp, Progress OpenEdge, IBM Operational Decision Manager, Apache Tomcat, JetBrains TeamCity, Apache Superset, Apache OFBiz, Grafana, Adobe ColdFusion, Microsoft Exchange Server, IIS Web Server, Apache HTTP Server, GeoServer and Joomla. It’s essential to note that if these vulnerabilities are left unaddressed, they can pose substantial security risks, including the potential for data breaches, unauthorized access, and various malicious activities. To ensure the safety and security of their networks and systems, organizations should conduct a thorough security assessment and promptly resolve any identified vulnerabilities.

QID     Title
150815  WordPress Ultimate Member Plugin: SQL Injection Vulnerability (CVE-2024-1071)
150816  ConnectWise ScreenConnect Multiple Vulnerabilities (CVE-2024-1708, CVE-2024-1709)
150817  aiohttp Directory Traversal Vulnerability (CVE-2024-23334)
150818  WordPress GiveWP Plugin: SQL Injection Vulnerability (CVE-2023-0224)
150819  Progress OpenEdge Authentication Gateway Authentication Bypass Vulnerability (CVE-2024-1403)
150820  Disclosure of Comments in HTML Source
150821  IBM Operational Decision Manager – JNDI Injection Vulnerability (CVE-2024-22320)
150822  Default Tomcat WebServer Page Found
150824  JetBrains TeamCity Authentication Bypass Vulnerability (CVE-2024-27198)
150825  JetBrains TeamCity Authentication Bypass Vulnerability (CVE-2024-27199)
150826  Apache Superset Multiple Vulnerabilities
150827  Apache OFBiz Prior to 18.12.12 Multiple Security Vulnerabilities
150828  Grafana Data Source Permission Escalation Vulnerability (CVE-2024-1442)
150830  WordPress File Manager Plugin: Directory Traversal Vulnerability (CVE-2023-6825)
150831  WordPress NotificationX Plugin: SQL Injection Vulnerability (CVE-2024-1698)
150832  Adobe ColdFusion Arbitrary File Read Vulnerability (CVE-2024-20767)
150834  Microsoft Exchange Server Remote Code Execution (RCE) Vulnerability (CVE-2024-26198)
150835  Apache Tomcat Multiple Denial of Service (DoS) Vulnerabilities (CVE-2024-23672, CVE-2024-24549)
150836  WordPress LearnPress Plugin: Command Injection Vulnerability (CVE-2023-6634)
150838  WordPress WP Statistics Plugin: Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2024-2194)
150839  WordPress Contact Form 7 Plugin: Reflected Cross-Site Scripting (XSS) Vulnerability (CVE-2024-2242)
150840  WordPress Essential Blocks Plugin: Local File Inclusion Vulnerability (CVE-2023-6623)
150841  Default IIS Web Server Page Found
150842  Default Web Page for Apache Web Server Found
150848  WordPress ProfilePress Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-1806)
150849  WordPress Ultimate Member Plugin: Unauthenticated Stored Cross-Site Scripting Vulnerability (CVE-2024-2123)
150850  GeoServer Multiple Stored Cross-Site Scripting (XSS) Vulnerabilities (CVE-2024-23642, CVE-2024-23819, CVE-2024-23821)
154149  Joomla! Core Cross-Site Scripting (XSS) Vulnerability (CVE-2024-21724)
154150  Joomla! Core Cross-Site Scripting (XSS) Vulnerability (CVE-2024-21726)
154151  Joomla! Core Cross-Site Scripting (XSS) Vulnerability (CVE-2024-21725)
154152  Joomla! Core Open Redirect Vulnerability (CVE-2024-21723)
154153  Joomla! Core Insufficient Session Expiration Vulnerability (CVE-2024-21722)

QID 150815: WordPress Ultimate Member Plugin: SQL Injection Vulnerability (CVE-2024-1071)

CVE-ID: CVE-2024-1071
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 89
Affected Versions: WordPress Ultimate Member Plugin before 2.8.3

Description:

A critical security flaw, known as CVE-2024-1071, has been found in the Ultimate Member plugin for WordPress. This vulnerability, with a CVSS score of 9.8, poses a significant risk to over 200,000 active installations.

The Ultimate Member WordPress plugin is vulnerable to SQL Injection via the “sorting” parameter due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries to existing queries, which can be used to extract sensitive information from the database.

Customers are advised to upgrade to Ultimate Member 2.8.3 or a later version to remediate this vulnerability.
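A sort parameter is a poor fit for prepared-statement placeholders, because an ORDER BY column is an identifier rather than a value, which is why "insufficient preparation" keeps recurring in advisories of this kind. The following added Python/SQLite example (not the plugin's code; the users table and the allowlist are constructed for illustration) contrasts a sort clause built by string concatenation with one built only from allowlisted tokens.

```python
import sqlite3

# Constructed sample rows standing in for a WordPress users table. This is
# an added illustration, not the plugin's real schema or query.
SAMPLE_USERS = [
    (1, "alice", "Alice A", "2023-01-05"),
    (2, "bob", "Bob B", "2023-03-12"),
    (3, "carol", "Carol C", "2022-11-30"),
]

# Identifiers the application is willing to sort on; anything else is refused.
ALLOWED_SORT_COLUMNS = {"ID", "user_login", "display_name", "user_registered"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (ID INTEGER, user_login TEXT, "
        "display_name TEXT, user_registered TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_member_list(conn, sorting):
    """The shape the advisory describes: the request's sort value is pasted
    into ORDER BY unescaped, so any SQL expression it contains is executed."""
    sql = "SELECT ID, user_login FROM users ORDER BY " + sorting
    return conn.execute(sql).fetchall()


def parse_sort(sorting):
    """Return (column, direction) if every token is on the allowlist, else None."""
    parts = sorting.strip().split()
    if not 1 <= len(parts) <= 2:
        return None
    column = parts[0]
    direction = parts[1].upper() if len(parts) == 2 else "ASC"
    if column not in ALLOWED_SORT_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        return None
    return column, direction


def safe_member_list(conn, sorting):
    """Identifiers cannot be bound as '?' parameters, so ORDER BY is assembled
    only from allowlisted tokens and everything else is rejected outright."""
    parsed = parse_sort(sorting)
    if parsed is None:
        raise ValueError("sort parameter rejected: %r" % sorting)
    column, direction = parsed
    return conn.execute(
        f"SELECT ID, user_login FROM users ORDER BY {column} {direction}"
    ).fetchall()


def demo():
    """Run both variants on a benign value and on an arbitrary SQL expression."""
    conn = build_db()
    benign = "display_name DESC"
    # Harmless here, but proof that the vulnerable path hands attacker-
    # controlled SQL to the database engine.
    expression = "LENGTH(user_login) DESC, ID ASC"
    results = {
        "vulnerable_accepts_expression": vulnerable_member_list(conn, expression),
        "safe_benign": safe_member_list(conn, benign),
    }
    try:
        safe_member_list(conn, expression)
        results["safe_rejects_expression"] = False
    except ValueError:
        results["safe_rejects_expression"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```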

QID 150816: ConnectWise ScreenConnect Multiple Vulnerabilities (CVE-2024-1708, CVE-2024-1709)

CVE-ID: CVE-2024-1708, CVE-2024-1709
Severity: Level 5
CVSS 3.1: 10
CWE-ID: 22, 288
Affected Versions: ConnectWise ScreenConnect 23.9.7 and prior

Description:

ConnectWise ScreenConnect is remote desktop and access software.

Multiple versions of ConnectWise ScreenConnect are affected by the following vulnerabilities:
CVE-2024-1708: A Path-traversal vulnerability that may allow an attacker to execute remote code or directly impact confidential data or critical systems.
CVE-2024-1709: An Authentication Bypass vulnerability using an Alternate Path or Channel, which may allow an attacker direct access to confidential information or critical systems.

If these vulnerabilities are exploited successfully, attackers could execute code remotely or directly compromise sensitive data and essential systems.

To address these vulnerabilities, customers are strongly recommended to upgrade ConnectWise ScreenConnect to version 23.9.8 or later. For further details, please consult the ConnectWise Security Bulletin.

QID 150817: aiohttp Directory Traversal Vulnerability (CVE-2024-23334)

CVE-ID: CVE-2024-23334
Severity: Level 3
CVSS 3.1: 7.5
CWE-ID: 22
Affected Versions: aiohttp from version 1.0.5 up to 3.9.2

Description:

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.

When ‘follow_symlinks’ is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. If this vulnerability is successfully exploited, it could grant attackers the ability to read arbitrary files on the target system.

To address this vulnerability, customers are strongly advised to upgrade aiohttp to version 3.9.2 or later. For additional details, please consult the aiohttp Security Advisory.
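The defect described above is a missing containment check rather than anything specific to symlinks, and the two checks are worth keeping separate: a lexical check that stops ".." from leaving the static root, and a physical check that stops a symlink inside the root from pointing outside it. The added Python example below (my own illustration, not aiohttp's code; the directory tree it builds is constructed for the demo) implements a resolver that applies the lexical check unconditionally and the physical check unless the operator explicitly opts in with a follow_symlinks flag, next to a vulnerable resolver that applies neither.

```python
import os
import shutil
import tempfile
from pathlib import Path
from urllib.parse import unquote


def vulnerable_resolve(root, url_path):
    """Pre-fix shape described in the advisory: the request path is joined
    onto root with no check that the result still lies under root."""
    joined = os.path.join(root, unquote(url_path).lstrip("/"))
    return Path(os.path.normpath(joined))


def safe_resolve(root, url_path, follow_symlinks=False):
    """Hardened resolver.

    Lexical check: any '..' segment (percent-encoded or not) is rejected,
    whatever the symlink policy is.
    Physical check: unless follow_symlinks=True, the resolved file must
    still be inside root, so a symlink pointing elsewhere is refused too.
    """
    root = Path(root).resolve()
    parts = [p for p in unquote(url_path).split("/") if p not in ("", ".")]
    if any(p == ".." for p in parts):
        raise PermissionError("path escapes root: %r" % url_path)
    candidate = root.joinpath(*parts)
    if not follow_symlinks:
        try:
            candidate.resolve().relative_to(root)
        except ValueError:
            raise PermissionError("symlink target outside root: %r" % url_path)
    return candidate


def demo():
    """Build a constructed tree and exercise both resolvers.

    base/static/index.html        the only file meant to be served
    base/static/link.txt          symlink to base/outside/secret.txt
    base/outside/secret.txt       must never be reachable via '..'
    """
    base = Path(tempfile.mkdtemp())
    try:
        root = base / "static"
        root.mkdir()
        (root / "index.html").write_text("<h1>hello</h1>")
        outside = base / "outside"
        outside.mkdir()
        (outside / "secret.txt").write_text("not for the web")
        os.symlink(outside / "secret.txt", root / "link.txt")

        def blocked(fn, *args, **kwargs):
            try:
                fn(*args, **kwargs)
                return False
            except PermissionError:
                return True

        traversal = "../outside/secret.txt"
        return {
            "vulnerable_serves_outside_file":
                vulnerable_resolve(root, traversal).read_text() == "not for the web",
            "safe_blocks_traversal":
                blocked(safe_resolve, root, traversal, follow_symlinks=True),
            "safe_blocks_encoded_traversal":
                blocked(safe_resolve, root, "%2e%2e/outside/secret.txt"),
            "safe_serves_index":
                safe_resolve(root, "/index.html").read_text() == "<h1>hello</h1>",
            "symlink_blocked_by_default":
                blocked(safe_resolve, root, "link.txt"),
            "symlink_allowed_when_opted_in":
                safe_resolve(root, "link.txt", follow_symlinks=True).read_text()
                == "not for the web",
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that opting into follow_symlinks still only trusts symlinks that an administrator placed inside the root; a URL can never introduce a ".." segment past the lexical check.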

QID 150818: WordPress GiveWP Plugin: SQL Injection Vulnerability (CVE-2023-0224)

CVE-ID: CVE-2023-0224
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 89
Affected Versions: GiveWP prior to version 2.24.1

Description:

GiveWP is a WordPress plugin that allows users to create a Donation and Fundraising Platform. 

The affected versions of GiveWP do not properly escape user input before it reaches SQL queries, which allows unauthenticated attackers to perform SQL Injection attacks.

To address this vulnerability, customers are strongly advised to upgrade to GiveWP 2.24.1 or later. For further details regarding this vulnerability, please consult the GiveWP Security Advisory.

QID 150819: Progress OpenEdge Authentication Gateway Authentication Bypass Vulnerability (CVE-2024-1403)

CVE-ID: CVE-2024-1403
Severity: Level 5
CVSS 3.1: 10
CWE-ID: 288
Affected Versions:
  OpenEdge Release 11.7.18 and earlier
  OpenEdge 12.2.13 and earlier
  OpenEdge 12.8.0

Description:

OpenEdge Advanced Business Language, or OpenEdge ABL for short, is a business application development language created and maintained by Progress Software Corporation. 

When the OpenEdge Authentication Gateway (OEAG) is configured with an OpenEdge Domain that uses the OS local authentication provider to grant user-id and password logins on operating platforms supported by active releases of OpenEdge, a vulnerability in the authentication routines may lead to unauthorized access on attempted logins.
Similarly, when an AdminServer connection is made by OpenEdge Explorer (OEE) and OpenEdge Management (OEM), it also utilizes the OS local authentication provider on supported platforms to grant user-id and password logins that may also lead to unauthorized login access.

Successfully exploiting this vulnerability could enable a remote attacker to access restricted resources by circumventing control checks. Customers are advised to refer to OpenEdge for information pertaining to remediating this vulnerability.

QID 150820: Disclosure of Comments in HTML Source

Description:

While adding general comments is very useful, some programmers tend to leave important data in them, such as filenames related to the web application, old links or links that were not meant to be browsed by users, and old code fragments. An attacker who finds these comments can map the application’s structure and files, expose hidden parts of the site, and study the fragments of code to reverse engineer the application, which may help develop further attacks against the site.

Comments in the HTML response should be removed to avoid sensitive information exposure. Review the web application’s HTML source and remove all text between the <!-- and --> delimiters, delimiters included.

Qualys Web Application Scanning (WAS) has released this QID to help identify these comments in the HTML source. Customers can utilize this QID to identify and remove any potentially risky comments, thereby reducing the risk of information exposure and potential exploitation by attackers.
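The following added Python example (my own illustration, not the WAS check itself) extracts every HTML comment from a page, flags the ones that carry the three kinds of data named above (application filenames, links, code fragments) with their line numbers for review, and strips all comments as the remediation step. The sample page and the risk heuristics are constructed assumptions.

```python
import re

# Constructed sample page with the kinds of comments this QID flags; it is
# not taken from any real application.
SAMPLE_HTML = """\
<!DOCTYPE html>
<html>
<head><title>Shop</title></head>
<body>
<!-- TODO: tidy up before launch -->
<!-- old admin panel: /admin_old/login.php -->
<!-- include('config/db.inc'); $conn = mysqli_connect($host, $user, $pw); -->
<!-- staging copy: https://staging.example.com/checkout -->
<p>Welcome</p>
<!-- layout tweak: padding fixed -->
</body>
</html>
"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)

# Heuristics for the three categories the advisory names. They are
# assumptions made for this example, not Qualys's detection logic.
RISK_PATTERNS = {
    "filename": re.compile(
        r"[\w./-]+\.(?:php|asp|aspx|jsp|inc|bak|sql|ini|env|cfg)\b", re.I),
    "link": re.compile(r"https?://\S+|/[\w.-]+/[\w./-]*"),
    "code": re.compile(
        r"<\?php|<%|\$\w+\s*=|\bfunction\s*\w*\s*\(|\bSELECT\b.+\bFROM\b", re.I),
}


def extract_comments(html):
    """Return (line_number, comment_text) for every HTML comment."""
    found = []
    for m in COMMENT_RE.finditer(html):
        line = html.count("\n", 0, m.start()) + 1
        found.append((line, m.group(1).strip()))
    return found


def classify(comment):
    """Sorted tuple of matching categories; an empty tuple means benign."""
    return tuple(sorted(k for k, rx in RISK_PATTERNS.items() if rx.search(comment)))


def find_risky_comments(html):
    """Comments that deserve a manual look, with line number and categories."""
    return [(line, classify(text), text)
            for line, text in extract_comments(html) if classify(text)]


def strip_comments(html):
    """Remediation from the advisory: remove every <!-- ... --> block."""
    return COMMENT_RE.sub("", html)


if __name__ == "__main__":
    for line, cats, text in find_risky_comments(SAMPLE_HTML):
        print(f"line {line}: {', '.join(cats)}: {text}")
```

Review the matches before stripping in bulk: the same regex also removes IE conditional comments and any "<!--" sequence inside script blocks, which can change how a page renders.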

QID 150821: IBM Operational Decision Manager – JNDI Injection Vulnerability (CVE-2024-22320)

CVE-ID: CVE-2024-22320
Severity: Level 5
CVSS 3.1: 8.8
CWE-ID: 20
Affected Versions:
  IBM Operational Decision Manager version 8.10.3
  IBM Operational Decision Manager version 8.10.4
  IBM Operational Decision Manager version 8.10.5.1
  IBM Operational Decision Manager version 8.11.0.1
  IBM Operational Decision Manager version 8.11.1
  IBM Operational Decision Manager version 8.12.0.1

Description:

IBM Operational Decision Manager is a comprehensive decision automation platform that allows organizations to model, deploy, and manage business rules and decisions.

IBM Operational Decision Manager could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization. By sending specially crafted requests, an attacker could exploit this vulnerability to execute arbitrary code in the context of SYSTEM.

Successfully exploiting this vulnerability could enable a remote attacker to execute arbitrary code on the target system.

The vendor has released a patch addressing the vulnerability. For more information, please refer to the IBM Security Advisory.

QID 150822: Default Tomcat WebServer Page Found

Description:

Qualys Web Application Scanning (WAS) has issued a QID to identify default pages associated with Tomcat web servers. These default pages are common and may show documentation or important paths for configuration. It’s important to find and fix these default pages to avoid showing sensitive information or causing security problems.

When common default pages are exposed, version information about servers can be revealed. Attackers use this information to identify any known weaknesses and exploit them.

QID 150824: JetBrains TeamCity Authentication Bypass Vulnerability (CVE-2024-27198)

CVE-ID: CVE-2024-27198
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 288
Affected Versions: JetBrains TeamCity prior to 2023.11.4

Description:

TeamCity is a general-purpose CI/CD software platform that allows for flexible workflows, collaboration, and development practices.

JetBrains TeamCity is affected by an authentication bypass vulnerability that allows an attacker to perform admin actions without authenticating. Successful exploitation of this vulnerability could allow a remote, unauthenticated attacker to take complete control of a vulnerable TeamCity server. Customers are advised to upgrade TeamCity to version 2023.11.4 or later to remediate this vulnerability. For more information, please refer to JetBrains TeamCity.

QID 150825: JetBrains TeamCity Authentication Bypass Vulnerability (CVE-2024-27199)

CVE-ID: CVE-2024-27199
Severity: Level 4
CVSS 3.1: 7.3
CWE-ID: 23
Affected Versions: JetBrains TeamCity prior to 2023.11.4

Description:

TeamCity is a general-purpose CI/CD software platform that allows for flexible workflows, collaboration, and development practices.

JetBrains TeamCity is affected by a path traversal vulnerability that allows an attacker to reach admin endpoints without authenticating. Successful exploitation of this vulnerability could allow a remote, unauthenticated attacker to gain access to sensitive admin endpoints, exposing information about the TeamCity server. Customers are advised to upgrade TeamCity to version 2023.11.4 or later to remediate this vulnerability. For more information, please refer to JetBrains TeamCity.

QID 150826: Apache Superset Multiple Vulnerabilities

CVE-ID: CVE-2024-24772, CVE-2024-26016, CVE-2024-24779, CVE-2024-27315, CVE-2024-24773
Severity: Level 4
CVSS 3.1: 5
CWE-ID: 20, 863, 200
Affected Versions:
  Apache Superset before 3.0.4
  Apache Superset 3.1.0 before 3.1.1

Description:

Apache Superset is an open-source software application for data exploration and visualization that can handle data at petabyte scale.

Affected versions of Apache Superset have multiple vulnerabilities:
CVE-2024-24772: This vulnerability stems from inadequate neutralization of custom SQL in embedded contexts, potentially leading to unauthorized access or manipulation of sensitive data.

CVE-2024-26016: Insufficient authorization validation during the import of dashboards and charts creates a security loophole, allowing unauthorized users to gain access to or modify critical visualizations.

CVE-2024-24779: In this scenario, the software lacks proper data authorization protocols when creating a new dataset, potentially exposing sensitive information to unauthorized individuals.

CVE-2024-27315: The vulnerability arises from improper error handling in the alert system, introducing the possibility of unintended consequences or unauthorized information disclosure.

CVE-2024-24773: This vulnerability results from inadequate validation of SQL statements, potentially enabling unauthorized access to data through SQL injection attacks.

Successful exploitation of these vulnerabilities could lead to a security breach affecting integrity, availability, and confidentiality.

Customers are advised to upgrade Apache Superset to the latest version to remediate these vulnerabilities.
For more information regarding this vulnerability, please refer to the following:
CVE-2024-24772
CVE-2024-26016
CVE-2024-24779
CVE-2024-27315
CVE-2024-24773

QID 150827: Apache OFBiz Prior to 18.12.12 Multiple Security Vulnerabilities

CVE-ID: CVE-2024-23946, CVE-2024-25065
Severity: Level 4
CVSS 3.1: 5.3
CWE-ID: 22, 434
Affected Versions: Apache OFBiz before 18.12.12

Description:

Apache OFBiz is an open-source enterprise resource planning system. It provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise.

Affected versions of Apache OFBiz have multiple vulnerabilities:
CVE-2024-23946: Possible path traversal in Apache OFBiz allowing file inclusion.
CVE-2024-25065: Possible path traversal in Apache OFBiz allowing authentication bypass.

Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to read sensitive files on the target server or access restricted resources by bypassing control checks.

Customers are advised to upgrade Apache OFBiz to the latest version to remediate these vulnerabilities. For more information regarding these vulnerabilities, please refer to the Apache OFBiz Advisory.

QID 150828: Grafana Data Source Permission Escalation Vulnerability (CVE-2024-1442)

CVE-ID: CVE-2024-1442
Severity: Level 3
CVSS 3.1: 6
CWE-ID: 269
Affected Versions:
  Grafana 10.3.0 to Grafana 10.3.4
  Grafana 10.2.0 to Grafana 10.2.5
  Grafana 10.1.0 to Grafana 10.1.8
  Grafana 10.0.0 to Grafana 10.0.12
  All versions older than Grafana 9.5.17

Description:

Grafana is a multi-platform open-source analytics and interactive visualization web application. It provides charts, graphs, and alerts for the web when connected to supported data sources.

A user with permission to create a data source can use the Grafana API to create a data source with its UID set to *. Doing so grants that user access to read, query, edit, and delete all data sources within the organization, so any existing data source in that organization can be queried, edited, shared, or deleted by a user who only holds data source creation permission. Customers are advised to upgrade Grafana to the latest version to remediate this vulnerability. For more information regarding this vulnerability, please refer to the Grafana Advisory.

QID 150830: WordPress File Manager Plugin: Directory Traversal Vulnerability (CVE-2023-6825)

CVE-ID: CVE-2023-6825
Severity: Level 5
CVSS 3.1: 9.9
CWE-ID: 22
Affected Versions: File Manager prior to version 7.2.2

Description:

File Manager is a WordPress plugin that allows users to edit, delete, upload, download, zip, copy, and paste files and folders directly from the WordPress backend.

The File Manager and File Manager Pro plugins for WordPress are vulnerable to Directory Traversal via the target parameter in the mk_file_folder_manager_action_callback_shortcode function. This makes it possible for attackers to read the contents of arbitrary files on the server, which can contain sensitive information, and to upload files into directories other than the intended directory for file uploads. The free version requires Administrator access for this vulnerability to be exploitable. The Pro version allows a file manager to be embedded via a shortcode and also allows admins to grant file-handling privileges to other user levels, which could lead to this vulnerability being exploited by lower-level users.

Successful exploitation of this vulnerability could allow an attacker to read the contents of arbitrary files on the server, potentially exposing sensitive information, and to upload files into directories other than the intended directory for file uploads.

Customers are advised to upgrade File Manager to version 7.2.2 or later to remediate this vulnerability. For more information pertaining to this vulnerability, please refer to the Wordfence Advisory.

QID 150831: WordPress NotificationX Plugin: SQL Injection Vulnerability (CVE-2024-1698)

CVE-ID: CVE-2024-1698
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 89
Affected Versions: NotificationX prior to version 2.8.3

Description:

NotificationX is a WordPress plugin that allows users to create and display attractive notification pop-ups on their websites.

The NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor plugin for WordPress is vulnerable to SQL Injection via the ‘type’ parameter due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Successful exploitation of this vulnerability could allow an unauthenticated attacker to append additional SQL queries to existing queries, potentially extracting sensitive information from the database.

Customers are advised to upgrade NotificationX to version 2.8.3 or later to remediate this vulnerability. For more information pertaining to this vulnerability, please refer to the Wordfence Advisory.

QID 150832: Adobe ColdFusion Arbitrary File Read Vulnerability (CVE-2024-20767)

CVE-ID: CVE-2024-20767
Severity: Level 4
CVSS 3.1: 8.2
CWE-ID: 284
Affected Versions:
  ColdFusion (2023 release) Update 6 and earlier versions
  ColdFusion (2021 release) Update 12 and earlier versions

Description:

Adobe ColdFusion is an application server and a platform for building and deploying web and mobile applications. Multiple versions of Adobe ColdFusion are affected by an Arbitrary File System Read vulnerability; Adobe has issued security updates addressing this vulnerability for ColdFusion versions 2023 and 2021. Successful exploitation of this vulnerability could allow an attacker to read the contents of arbitrary files from the target system.

Adobe has released fixes to address this issue. Customers are advised to upgrade to ColdFusion 2023 Update 7 and ColdFusion 2021 Update 13. For more information pertaining to this vulnerability, please refer to APSB24-14.

QID 150834: Microsoft Exchange Server Remote Code Execution (RCE) Vulnerability (CVE-2024-26198)

CVE-ID: CVE-2024-26198
Severity: Level 5
CVSS 3.1: 8.8
CWE-ID: 427
Affected Versions:
  Exchange Server 2019 Cumulative Update 14
  Exchange Server 2019 Cumulative Update 13
  Exchange Server 2016 Cumulative Update 23

Description:

Microsoft Exchange Server is a mail server and calendaring server developed by Microsoft. It runs exclusively on Windows Server operating systems.

Multiple versions of Microsoft Exchange Server are affected by a Remote Code Execution (RCE) Vulnerability when loading malicious DLL files. Successful exploitation of this vulnerability could allow an unauthenticated attacker to load a malicious DLL file, which could lead to Remote Code Execution (RCE).

Customers are advised to apply the latest relevant updates for Microsoft Exchange Server 2019 and Microsoft Exchange Server 2016:

Exchange Server 2019 Cumulative Update 14 – KB5036401
Exchange Server 2019 Cumulative Update 13 – KB5036402
Exchange Server 2016 Cumulative Update 23 – KB5036386

For more information pertaining to this vulnerability, please refer to the Microsoft Security Advisory.

QID 150835: Apache Tomcat Multiple Denial of Service (DoS) Vulnerabilities (CVE-2024-23672, CVE-2024-24549)

CVE-ID: CVE-2024-23672, CVE-2024-24549
Severity: Level 4
CVSS 3.1: 7.5
CWE-ID: 400
Affected Versions:
  Apache Tomcat 11.0.0-M1 to 11.0.0-M16
  Apache Tomcat 10.1.0-M1 to 10.1.18
  Apache Tomcat 9.0.0-M1 to 9.0.85
  Apache Tomcat 8.5.0 to 8.5.98

Description:

Apache Tomcat is an open-source web server and servlet container developed by the Apache Software Foundation.

Affected versions of Apache Tomcat have multiple vulnerabilities:
CVE-2024-23672: It was possible for a WebSocket client to keep a WebSocket connection open, leading to increased resource consumption.
CVE-2024-24549: When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.

Successful exploitation of these vulnerabilities can allow an attacker to trigger a DoS.

Customers are advised to upgrade to relevant versions of Apache Tomcat:
Apache Tomcat 11.0.0-M17 or later
Apache Tomcat 10.1.19 or later
Apache Tomcat 9.0.86 or later
Apache Tomcat 8.5.99 or later
For more information on these vulnerabilities, please refer to the Apache Tomcat 8 Security Advisory, Apache Tomcat 9 Security Advisory, Apache Tomcat 10 Security Advisory, and Apache Tomcat 11 Security Advisory.

QID 150836: WordPress LearnPress Plugin: Command Injection Vulnerability (CVE-2023-6634)

CVE-ID: CVE-2023-6634
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 77
Affected Versions: WordPress LearnPress Plugin before 4.2.5.8

Description:

LearnPress is a free WordPress LMS Plugin that allows you to create and sell online courses.

The LearnPress plugin for WordPress is vulnerable to Command Injection via the get_content function. This is due to the plugin making use of the call_user_func function with user input. This makes it possible for unauthenticated attackers to execute any public function with one parameter, which could result in remote code execution.

Successfully exploiting this vulnerability could allow an attacker to execute arbitrary commands on the target system. Customers are advised to upgrade to LearnPress 4.2.5.8 or a later version to remediate this vulnerability.

QID 150838: WordPress WP Statistics Plugin: Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2024-2194)

CVE-ID: CVE-2024-2194
Severity: Level 4
CVSS 3.1: 7.2
CWE-ID: 79
Affected Versions: WP Statistics prior to version 14.5.1

Description:

WP Statistics is a WordPress plugin for understanding the traffic and user data of websites. It provides detailed information about the browser, search engine, and most popular content (categorized by tags, categories, and authors) of the website’s visitors.

The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL search parameter due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Successful exploitation of this vulnerability could allow an unauthenticated attacker to inject arbitrary JavaScript code in pages that will execute whenever a user accesses an injected page.

Customers are advised to upgrade WP Statistics to version 14.5.1 or later to remediate this vulnerability. For more information pertaining to this vulnerability, please refer to the Wordfence Advisory.

QID 150839: WordPress Contact Form 7 Plugin: Reflected Cross-Site Scripting (XSS) Vulnerability (CVE-2024-2242)

CVE-ID: CVE-2024-2242
Severity: Level 3
CVSS 3.1: 6.1
CWE-ID: 79
Affected Versions: Contact Form 7 prior to version 5.9.2

Description:

Contact Form 7 is a WordPress plugin that allows users to customize and manage multiple contact forms along with mail facility.

The Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘active-tab’ parameter due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Successful exploitation of this vulnerability could allow an unauthenticated attacker to inject arbitrary JavaScript code in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Customers are advised to upgrade Contact Form 7 to version 5.9.2 or later to remediate this vulnerability. For more information pertaining to this vulnerability, please refer to the Contact Form 7 release notes and Wordfence Advisory.

QID 150840: WordPress Essential Blocks Plugin: Local File Inclusion Vulnerability (CVE-2023-6623)

CVE-ID: CVE-2023-6623
Severity: Level 4
CVSS 3.1: 9.8
CWE-ID: 22
Affected Versions: WordPress Essential Blocks Plugin before 4.4.3

Description:

Essential Blocks is the ultimate Gutenberg blocks library for WordPress to add power to the block editor and create stunning websites.

The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Local File Inclusion via the /wp-json/essential-blocks/v1/queries REST API endpoint. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. 

If this vulnerability is successfully exploited, it could enable an attacker to read arbitrary files on the target system. To address this vulnerability, customers are strongly advised to upgrade to Essential Blocks version 4.4.3 or later. For further information, please refer to Essential Blocks documentation or resources.

QID 150841: Default IIS Web Server Page Found

Description:

Qualys Web Application Scanning (WAS) has issued a QID to identify default pages associated with IIS Web Server. These default pages are common and may show documentation or important paths for configuration. It’s important to find and fix these default pages to avoid showing sensitive information or causing security problems.

When common default pages are exposed, version information about servers can be revealed. Attackers use this information to identify any known weaknesses and exploit them.

QID 150842: Default Web Page for Apache Web Server Found

Description:

Qualys Web Application Scanning (WAS) has issued a QID to identify default pages associated with Apache Web Server. These default pages are common and may show documentation or important paths for configuration. It’s important to find and fix these default pages to avoid showing sensitive information or causing security problems.

When common default pages are exposed, version information about servers can be revealed. Attackers use this information to identify any known weaknesses and exploit them.

QID 150848: WordPress ProfilePress Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-1806)

CVE-ID: CVE-2024-1806
Severity: Level 3
CVSS 3.1: 6.4
CWE-ID: 79
Affected Versions: WordPress The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile and Restrict Content ProfilePress Plugin before 4.15.2

Description:

ProfilePress is an ecommerce and paid membership plugin for accepting one-time and recurring payments, selling subscriptions and digital products or digital downloads (downloadable files) via Bank Transfer, Stripe, PayPal, RazorPay, Mollie, and Paystack, and for paywalling or restricting content and controlling user access.

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s shortcode(s) due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Successful exploitation of this vulnerability could allow an unauthenticated attacker to inject arbitrary JavaScript code in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Customers are advised to upgrade to ProfilePress 4.15.2 or later version to remediate this vulnerability.

QID 150849: WordPress Ultimate Member Plugin: Unauthenticated Stored Cross-Site Scripting Vulnerability (CVE-2024-2123)

CVE-ID: CVE-2024-2123
Severity: Level 3
CVSS 3.1: 7.2
CWE-ID: 79
Affected Versions: WordPress Ultimate Member Plugin before 2.8.4

Description:

Ultimate Member is a free user profile WordPress plugin that makes it easy to create powerful online communities and membership sites with WordPress.

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Successful exploitation of this vulnerability could allow an unauthenticated attacker to inject arbitrary JavaScript code in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Customers are advised to upgrade to Ultimate Member 2.8.4 or a later version to remediate this vulnerability.

QID 150850: GeoServer Multiple Stored Cross-Site Scripting (XSS) Vulnerabilities (CVE-2024-23642, CVE-2024-23819, CVE-2024-23821)

CVE-ID: CVE-2024-23642, CVE-2024-23819, CVE-2024-23821
Severity: Level 4
CVSS 3.1: 4.8
CWE-ID: 79
Affected Versions:
  GeoServer versions prior to version 2.23.4
  GeoServer versions prior to version 2.24.1

Description:

GeoServer is an open-source software server written in Java that allows users to share and edit geospatial data.

Multiple Stored Cross-Site Scripting (XSS) Vulnerabilities have been identified in GeoServer:
CVE-2024-23642: Stored Cross-Site Scripting (XSS) vulnerability in GWC Seed Form.
CVE-2024-23819: Stored Cross-Site Scripting (XSS) vulnerability in MapML HTML Page.
CVE-2024-23821: Stored Cross-Site Scripting (XSS) vulnerability in GWC Demos Page.

Successful exploitation could allow an attacker to execute arbitrary JavaScript code in the context of the interface or allow the attacker to access sensitive, browser-based information.

Customers are advised to upgrade to relevant patched versions of GeoServer:

GeoServer 2.23.3 or later releases
GeoServer 2.24.1 or later releases

For more information pertaining to these vulnerabilities, please refer to the following Security Advisories:
CVE-2024-23642
CVE-2024-23819
CVE-2024-23821

For more information regarding releases, please refer to GeoServer 2.23.4 and GeoServer 2.24.1.

QID 154149: Joomla! Core Cross-Site Scripting (XSS) Vulnerability (CVE-2024-21724)

CVE-ID: CVE-2024-21724
Severity: Level 3
CVSS 3.1: 6.5
CWE-ID: 79
Affected Versions: Joomla! CMS versions 1.6.0 – 3.10.14-elts
Joomla! CMS versions 4.0.0 – 4.4.2
Joomla! CMS versions 5.0.0 – 5.0.2

Description:

Joomla! is a free and open-source content management system for publishing web content on websites.

Inadequate input validation for media selection fields leads to XSS vulnerabilities in various extensions. Successful exploitation could allow an attacker to execute arbitrary JavaScript code in the context of the interface or allow the attacker to access sensitive, browser-based information.

Customers are advised to install the latest Joomla version.
For more information visit:
Joomla security advisory [20240203].

QID 154150: Joomla! Core Cross-Site Scripting (XSS) Vulnerability (CVE-2024-21726)

CVE-ID: CVE-2024-21726
Severity: Level 3
CVSS 3.1: 6.1
CWE-ID: 79
Affected Versions: Joomla! CMS versions 3.7.0 – 3.10.14-elts
Joomla! CMS versions 4.0.0 – 4.4.2
Joomla! CMS versions 5.0.0 – 5.0.2

Description:

Joomla! is a free and open-source content management system for publishing web content on websites.

Inadequate content filtering leads to XSS vulnerabilities in various components. Successful exploitation could allow an attacker to execute arbitrary JavaScript code in the context of the interface or allow the attacker to access sensitive, browser-based information.

Customers are advised to install the latest Joomla version.
For more information visit:
Joomla security advisory [20240205].

QID 154151: Joomla! Core Cross-Site Scripting (XSS) Vulnerability (CVE-2024-21725)

CVE-ID: CVE-2024-21725
Severity: Level 3
CVSS 3.1: 6.1
CWE-ID: 79
Affected Versions: Joomla! CMS versions 4.0.0 – 4.4.2
Joomla! CMS versions 5.0.0 – 5.0.2

Description:

Joomla! is a free and open-source content management system for publishing web content on websites.

Inadequate escaping of mail addresses leads to XSS vulnerabilities in various components. Successful exploitation could allow an attacker to execute arbitrary JavaScript code in the context of the interface or allow the attacker to access sensitive, browser-based information.

Customers are advised to install the latest Joomla version.
For more information visit:
Joomla security advisory [20240204].

QID 154152: Joomla! Core Open Redirect Vulnerability (CVE-2024-21723)

CVE-ID: CVE-2024-21723
Severity: Level 3
CVSS 3.1: 6.1
CWE-ID: 601
Affected Versions: Joomla! CMS versions 1.5.0 – 3.10.14-elts
Joomla! CMS versions 4.0.0 – 4.4.2
Joomla! CMS versions 5.0.0 – 5.0.2

Description:

Joomla! is a free and open-source content management system for publishing web content on websites.

Inadequate parsing of URLs could result in an open redirect. Successful exploitation could allow attackers to trick a user into visiting a specially crafted link, which would redirect them to an arbitrary malicious external URL.

Customers are advised to install the latest Joomla version.
For more information visit:
Joomla security advisory [20240202].
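The open redirect entry above turns on how a user-supplied return URL is parsed before the redirect is issued. The following is an added example written for this page, not Joomla's code: a redirect-target check that rejects the URL shapes a naive "does it start with a slash" or "does it contain my hostname" test gets wrong (scheme-relative //host, backslash variants, a trusted name placed in the userinfo before an @, extra leading slashes, and javascript:). ALLOWED_HOSTS, DEFAULT_TARGET and resolve_redirect are assumed names for the example.

```python
from urllib.parse import urlsplit

# Assumption for the example: the site's own hostname(s). In a real deployment
# this comes from configuration, never from the request.
ALLOWED_HOSTS = {"cms.example.com"}
DEFAULT_TARGET = "/"


def resolve_redirect(return_url):
    """Return a redirect target that stays on this site, else DEFAULT_TARGET."""
    if not return_url:
        return DEFAULT_TARGET
    candidate = return_url.strip()
    # Browsers treat backslashes like forward slashes in the authority part,
    # so normalise first: '/\evil' must be seen as '//evil', not as a path.
    candidate = candidate.replace("\\", "/")
    # Browsers drop ASCII control characters while parsing (e.g. 'java\tscript:').
    candidate = "".join(ch for ch in candidate if ch >= " " and ch != "\x7f")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: only http(s) to an allow-listed host,
        # and never with userinfo ('https://cms.example.com@evil.example/'
        # parses with hostname evil.example, not cms.example.com).
        if parts.scheme.lower() not in ("http", "https"):
            return DEFAULT_TARGET
        if parts.username is not None or parts.password is not None:
            return DEFAULT_TARGET
        if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
            return DEFAULT_TARGET
        return candidate
    # No scheme and no authority: accept only a single-leading-slash path.
    # '///host' is still scheme-relative to a browser even though urlsplit
    # reports an empty netloc for it, so the '//' prefix test covers it too.
    if candidate.startswith("/") and not candidate.startswith("//"):
        return candidate
    return DEFAULT_TARGET


if __name__ == "__main__":
    for sample in ("/index.php?option=com_users", "//evil.example/phish",
                   "https://cms.example.com@evil.example/", "javascript:alert(1)"):
        print(f"{sample!r:45} -> {resolve_redirect(sample)}")
```

The design choice is an allow-list on the parsed hostname rather than a deny-list on strings: every bypass above is a different way of making a string look local to a substring check while the browser resolves it elsewhere, and parsing the URL the way the browser will (after the backslash and control-character normalisation) is what closes that gap.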

QID 154153: Joomla! Core Insufficient Session Expiration Vulnerability (CVE-2024-21722)

CVE-ID: CVE-2024-21722
Severity: Level 3
CVSS 3.1: 7.3
CWE-ID: 613
Affected Versions: Joomla! CMS versions 3.2.0 – 3.10.14-elts
Joomla! CMS versions 4.0.0 – 4.4.2
Joomla! CMS versions 5.0.0 – 5.0.2

Description:

Joomla! is a free and open-source content management system for publishing web content on websites.

The MFA management features did not properly terminate existing user sessions when a user’s MFA methods were modified. An insufficient session expiration vulnerability can lead to unauthorized access and data exposure, compromising user privacy and system integrity.

Customers are advised to install the latest Joomla version.
For more information, visit:
Joomla security advisory [20240201].
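For the session-expiration entry above, the following added example (not Joomla's session or MFA code; SessionStore and its method names are assumed for the example) shows the flawed behaviour beside a fix. Each session is bound to a per-user security stamp; changing MFA methods rotates the stamp, so every other session for that user stops validating, while the session that performed the change is re-bound and survives. The same rotation point is where a password change or an explicit "sign out everywhere" would go.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user_id: str
    stamp: str  # the user's security stamp at the time the session was issued
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class SessionStore:
    """In-memory stand-in for a server-side session table (assumption)."""

    def __init__(self):
        self._sessions = {}  # token -> Session
        self._stamps = {}    # user_id -> current security stamp
        self._mfa = {}       # user_id -> set of enrolled MFA methods

    def _stamp_for(self, user_id):
        return self._stamps.setdefault(user_id, secrets.token_hex(16))

    def login(self, user_id):
        """Issue a session bound to the user's current security stamp."""
        session = Session(user_id, self._stamp_for(user_id))
        self._sessions[session.token] = session
        return session.token

    def validate(self, token):
        """Return the user_id for a live session, or None if unknown or stale."""
        session = self._sessions.get(token)
        if session is None or session.stamp != self._stamps.get(session.user_id):
            self._sessions.pop(token, None)  # purge stale sessions eagerly
            return None
        return session.user_id

    def active_sessions(self, user_id):
        """Count sessions for user_id that still validate."""
        return sum(1 for s in list(self._sessions.values())
                   if self.validate(s.token) == user_id)

    def _require(self, user_id, token):
        if self.validate(token) != user_id:
            raise PermissionError("not authenticated as this user")

    def set_mfa_methods_unsafe(self, user_id, token, methods):
        """The flawed behaviour: MFA methods change but every existing session lives on."""
        self._require(user_id, token)
        self._mfa[user_id] = set(methods)

    def set_mfa_methods(self, user_id, token, methods):
        """Hardened: rotate the stamp so all other sessions are invalidated,
        then re-bind only the session that performed the change."""
        self._require(user_id, token)
        self._mfa[user_id] = set(methods)
        new_stamp = secrets.token_hex(16)
        self._stamps[user_id] = new_stamp
        self._sessions[token].stamp = new_stamp


if __name__ == "__main__":
    store = SessionStore()
    own, other = store.login("alice"), store.login("alice")
    store.set_mfa_methods("alice", own, {"totp"})
    print("own session valid:", store.validate(own) == "alice")
    print("other session valid:", store.validate(other) == "alice")
```

Comparing the stamp on every request costs one lookup and avoids having to enumerate and delete a user's sessions at change time, which matters when sessions live in several caches or a replicated store; the stale entries are dropped lazily the next time they are presented.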
