Web Application Detections Published in April 2024

Hitesh Kadu

In April, the Qualys Web Application Scanning (WAS) team issued a critical security signatures update. This update expands the scope to detect vulnerabilities in several widely used software applications, including GeoServer, Grafana, WordPress, Apache HTTP Server, Varnish, JetBrains TeamCity, pgAdmin, Traefik, PHP, Oracle WebLogic Server, Cacti, and CrushFTP VFS. Additionally, WAS has introduced new QIDs for identifying Expression Language Injection, profanity in website content, and Java-based applications.

It’s crucial to recognize that leaving these vulnerabilities unaddressed can lead to significant security risks, such as data breaches, unauthorized access, and various malicious activities. To safeguard their networks and systems, organizations should conduct comprehensive security assessments and promptly remediate any identified vulnerabilities.

QID 150797: Expression Language Injection
QID 150851: GeoServer – WMS OpenLayers Format Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2024-23818)
QID 150852: GeoServer – GWC Seed Form Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2024-23643)
QID 150853: GeoServer Multiple Stored Cross-Site Scripting (XSS) Vulnerabilities (CVE-2023-51445, CVE-2024-23640)
QID 150854: GeoServer Arbitrary File Upload Vulnerability (CVE-2023-51444)
QID 150855: GeoServer Log File Path Traversal Vulnerability (CVE-2023-41877)
QID 150856: GeoServer Arbitrary File Renaming Vulnerability (CVE-2024-23634)
QID 150857: Grafana Authorization Bypass Vulnerability (CVE-2024-1313)
QID 150859: WordPress ElementsKit Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-2803)
QID 150860: WordPress WP-Members Membership Plugin: Unauthenticated Stored Cross-Site Scripting Vulnerability (CVE-2024-1852)
QID 150862: WordPress Compress – Image Optimizer Plugin: Directory Traversal Vulnerability (CVE-2023-6699)
QID 150863: Apache HTTP Server Prior to 2.4.59 Multiple Security Vulnerabilities
QID 150864: WordPress Malware Scanner and Web Application Firewall Plugins: Unauthenticated Privilege Escalation Vulnerability (CVE-2024-2172)
QID 150865: Profanity Detected in Website Content
QID 150867: Varnish Reverse Proxy Detected
QID 150868: WordPress LayerSlider Plugin: Unauthenticated SQL Injection Vulnerability (CVE-2024-2879)
QID 150869: JetBrains TeamCity Security Vulnerability (CVE-2024-29880)
QID 150870: pgAdmin Remote Code Execution (RCE) Vulnerability (CVE-2024-3116)
QID 150871: WordPress Metform Elementor Contact Form Builder Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-2791)
QID 150872: WordPress MasterStudy LMS Plugin: Unauthenticated Local File Inclusion Vulnerability (CVE-2024-3136)
QID 150873: Traefik Reverse Proxy Dashboard Detected
QID 150874: PHP Command Injection Vulnerability (CVE-2024-1874)
QID 150875: JetBrains TeamCity Multiple Security Vulnerabilities
QID 150876: PHP Cookie Input Validation Vulnerability (CVE-2024-2756)
QID 150878: Oracle WebLogic Server Multiple Vulnerabilities (CPUAPR2024)
QID 150883: Cacti 1.2.25 Multiple Security Vulnerabilities
QID 150884: CrushFTP VFS Sandbox Escape Vulnerability (CVE-2024-4040)
QID 150891: Java Application Detected
QID 150892: JavaServer Pages Detected
QID 150893: JavaServer Faces Detected
QID 150894: Java Servlet Detected
QID 150895: Javadoc Detected
QID 150896: Java Stack Trace Disclosure
QID 150897: Spring Boot Default Error Page Detected
QID 150898: Java Binary Detected
QID 150899: ZK Framework Detected
QID 154154: WordPress Core: Remote Code Execution via Plugin Upload (CVE-2024-31210)
QID 154155: WordPress Remote Code Execution Vulnerability (CVE-2024-31211)
QID 520015: Atlassian Bitbucket Denial of Service Vulnerability (CVE-2024-21634)

QID 150797: Expression Language Injection

Description:

Expression Language (EL) injection is a type of security vulnerability that occurs when an application allows user input to be directly included in dynamically generated expressions.

An attacker can read server-side data, such as the contents of server-side variables and other internal configuration details. This is a dangerous vulnerability because developers assume their server-side code cannot be read by anyone outside, so they may place sensitive information such as passwords, connection strings, and database queries in it. EL injection can also be used to bypass HttpOnly cookie protection. To prevent it, validate inputs to ensure they don’t contain the special character sequences “${” or “#{” that open an expression.
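As an added example (not code from the original post or from Qualys), the Python validator below applies the check described above with two caveats a practitioner will want: it URL-decodes the value first so that an encoded %24%7B is not missed, and it pairs the delimiter blocklist with an allowlist, since rejecting “${” and “#{” is only a backstop and untrusted input should never be concatenated into an expression that will be evaluated. The form field names and the allowed character set are assumptions for the example.

```python
import re
from urllib.parse import unquote

# Sequences that open an EL expression: "${" (immediate) and "#{" (deferred).
EL_DELIMITER = re.compile(r"[$#]\{")

# Assumed allowlist for fields that may reach a template or expression
# evaluator: letters, digits, space and a few punctuation characters.
ALLOWED_VALUE = re.compile(r"[A-Za-z0-9 _.,@-]{0,128}")


def normalize(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so a once- or twice-encoded %24%7B is seen as ${."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def contains_el_delimiter(value: str) -> bool:
    """Blocklist check from the description: reject anything containing ${ or #{."""
    return EL_DELIMITER.search(normalize(value)) is not None


def is_allowed_value(value: str) -> bool:
    """Allowlist check: accept only characters that can never open an expression."""
    return ALLOWED_VALUE.fullmatch(normalize(value)) is not None


def rejected_fields(fields: dict) -> dict:
    """Return {field_name: reason} for every submitted field that must be refused."""
    problems = {}
    for name, value in fields.items():
        if contains_el_delimiter(value):
            problems[name] = "contains EL delimiter"
        elif not is_allowed_value(value):
            problems[name] = "outside allowed character set"
    return problems


# Constructed sample form submission; the field names are assumptions.
SAMPLE_FORM = {
    "display_name": "alice.smith",
    "comment": "Thanks, see you at 10am",
    "nickname": "${applicationScope}",    # literal immediate-evaluation delimiter
    "title": "%2524%257Bsession%257D",     # double URL-encoded ${session}
    "bio": "name=#{param.x}",              # deferred-evaluation delimiter
    "website": "https://example.com/",     # harmless, but outside the allowlist
}

if __name__ == "__main__":
    for field, reason in rejected_fields(SAMPLE_FORM).items():
        print(f"reject {field}: {reason}")
```

A URL field such as "website" needs its own dedicated validator rather than this generic allowlist; the point is that each field that can reach an expression gets a positive definition of what it may contain.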

QID 150851: GeoServer – WMS OpenLayers Format Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2024-23818)

CVE-ID: CVE-2024-23818
Severity: Level 3
CVSS 3.1: 4.8
CWE-ID: 79
Affected Versions: GeoServer versions prior to 2.23.3; GeoServer versions prior to 2.24.1

Description:

GeoServer is an open-source software server written in Java that allows users to share and edit geospatial data.

A Stored Cross-Site Scripting (XSS) Vulnerability exists in GeoServer that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in the GeoServer catalog that will execute in the context of another user’s browser when viewed in the WMS GetMap OpenLayers Output Format.

The successful exploitation of this vulnerability could grant an attacker the ability to execute arbitrary JavaScript code within the interface’s context or gain access to sensitive, browser-based information.

Customers are advised to upgrade to the latest version of GeoServer to remediate this vulnerability.

For more information pertaining to this vulnerability, please refer to the GitHub Security Advisory.

For information regarding GeoServer releases, please refer to the GeoServer Blog.

QID 150852: GeoServer – GWC Seed Form Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2024-23643)

CVE-ID: CVE-2024-23643
Severity: Level 3
CVSS 3.1: 4.8
CWE-ID: 79
Affected Versions: GeoServer versions prior to 2.23.2; GeoServer versions prior to 2.24.1

Description:

GeoServer is an open-source software server written in Java that allows users to share and edit geospatial data.

A Stored Cross-Site Scripting (XSS) Vulnerability exists in GeoServer that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in the GeoServer catalog that will execute in the context of another administrator’s browser when viewed in the GWC Seed Form.

The successful exploitation of this vulnerability could grant an attacker the ability to execute arbitrary JavaScript code within the interface’s context or gain access to sensitive, browser-based information.

Customers are advised to upgrade to the latest version of GeoServer to remediate this vulnerability.

For more information pertaining to this vulnerability, please refer to the GitHub Security Advisory.

For information regarding GeoServer releases, please refer to the GeoServer Blog.

QID 150853: GeoServer Multiple Stored Cross-Site Scripting (XSS) Vulnerabilities (CVE-2023-51445, CVE-2024-23640)

CVE-ID: CVE-2023-51445, CVE-2024-23640
Severity: Level 3
CVSS 3.1: 4.8
CWE-ID: 79
Affected Versions: GeoServer versions prior to 2.23.3

Description:

GeoServer is an open-source software server written in Java that allows users to share and edit geospatial data.

Multiple Stored Cross-Site Scripting (XSS) Vulnerabilities have been identified in GeoServer:
CVE-2023-51445: Stored Cross-Site Scripting (XSS) vulnerability in REST Resources API.
CVE-2024-23640: Stored Cross-Site Scripting (XSS) vulnerability in Style Publisher.

The successful exploitation of these vulnerabilities could grant an attacker the ability to execute arbitrary JavaScript code within the interface’s context or gain access to sensitive, browser-based information.

Customers are advised to upgrade to the latest version of GeoServer to remediate these vulnerabilities.

For more information pertaining to these vulnerabilities, please refer to the following Security Advisories:
CVE-2023-51445
CVE-2024-23640

For information regarding GeoServer releases, please refer to the GeoServer Blog.

QID 150854: GeoServer Arbitrary File Upload Vulnerability (CVE-2023-51444)

CVE-ID: CVE-2023-51444
Severity: Level 4
CVSS 3.1: 7.2
CWE-ID: 20, 434
Affected Versions: GeoServer versions prior to 2.23.4; GeoServer versions prior to 2.24.1

Description:

GeoServer is an open-source software server written in Java that allows users to share and edit geospatial data.

An Arbitrary File Upload Vulnerability in GeoServer enables an authenticated administrator with permissions to modify coverage stores through the REST Coverage Store API to upload arbitrary file contents to arbitrary file locations, which can lead to remote code execution. Successful exploitation of this vulnerability can lead to executing arbitrary code and could allow an administrator with limited privileges to overwrite GeoServer security files and obtain full Administrator privileges.

Customers are advised to upgrade to the latest version of GeoServer to remediate this vulnerability.

For more information pertaining to this vulnerability, please refer to the GitHub Security Advisory.

For information regarding GeoServer releases, please refer to the GeoServer Blog.

QID 150855: GeoServer Log File Path Traversal Vulnerability (CVE-2023-41877)

CVE-ID: CVE-2023-41877
Severity: Level 4
CVSS 3.1: 7.2
CWE-ID: 22
Affected Versions: GeoServer versions up to 2.23.4

Description:

GeoServer is an open-source software server written in Java that allows users to share and edit geospatial data.

A Path Traversal Vulnerability exists in GeoServer, which requires a GeoServer Administrator with access to the admin console to misconfigure the Global Settings for log file location to an arbitrary location, where the admin console GeoServer Logs page provides a preview of file contents.

Successful exploitation of this vulnerability could allow reading files via the admin console GeoServer Logs page. It could also lead to Remote Code Execution (RCE) or cause a Denial of Service (DoS) by overwriting key GeoServer files.

Customers are advised to upgrade to the latest version of GeoServer to remediate this vulnerability.

For more information pertaining to this vulnerability, please refer to the GitHub Security Advisory.

For information regarding GeoServer releases, please refer to the GeoServer Blog.

QID 150856: GeoServer Arbitrary File Renaming Vulnerability (CVE-2024-23634)

CVE-ID: CVE-2024-23634
Severity: Level 3
CVSS 3.1: 6.0
CWE-ID: 20, 73
Affected Versions: GeoServer versions prior to 2.23.5; GeoServer versions prior to 2.24.2

Description:

GeoServer is an open-source software server written in Java that allows users to share and edit geospatial data.

An Arbitrary File Renaming vulnerability exists in GeoServer that enables an authenticated administrator with permissions to modify stores through the REST Coverage Store or Data Store API to rename arbitrary files and directories with a name that does not end in ‘.zip’.

Successful exploitation of this vulnerability could lead to critical outcomes. Renaming GeoServer files may result in a Denial of Service (DoS) condition, either by completely preventing GeoServer from running or effectively deleting specific resources such as workspaces, layers, or styles.

Customers are advised to upgrade to the latest version of GeoServer to remediate this vulnerability.

For more information pertaining to this vulnerability, please refer to the GitHub Security Advisory.

For information regarding GeoServer releases, please refer to the GeoServer Blog.

QID 150857: Grafana Authorization Bypass Vulnerability (CVE-2024-1313)

CVE-ID: CVE-2024-1313
Severity: Level 3
CVSS 3.1: 6.5
CWE-ID: 639
Affected Versions: Grafana from 9.5.0 before 9.5.18; Grafana from 10.0.0 before 10.0.13; Grafana from 10.1.0 before 10.1.9; Grafana from 10.2.0 before 10.2.6; Grafana from 10.3.0 before 10.3.5

Description:

Grafana is a multi-platform open-source analytics and interactive visualization web application. It provides charts, graphs, and alerts for the web when connected to supported data sources.

It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized.

Successful exploitation allows an unprivileged user in a different organization from the snapshot owner to delete that snapshot, an action that should be possible only for users with write/edit permission on it.

Customers are advised to upgrade Grafana to the latest version to remediate this vulnerability. For more information regarding this vulnerability, please refer to the Grafana Advisory.
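The following Python model, added here as an illustration rather than Grafana’s own code, contrasts an authorization check that keys only on the snapshot’s view key with one that also requires the caller to be signed in to the snapshot’s organization and to hold write permission on it. The data structures, roles, and sample users are assumptions for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    VIEWER = "Viewer"
    EDITOR = "Editor"
    ADMIN = "Admin"


@dataclass(frozen=True)
class Snapshot:
    key: str        # the public "view" key that appears in the share link
    org_id: int     # organization that owns the snapshot
    owner_id: int   # user who created it


@dataclass(frozen=True)
class Requester:
    user_id: int
    org_id: int     # organization the caller is currently signed in to
    role: Role


def can_delete_vulnerable(req: Requester, snap: Snapshot, supplied_key: str) -> bool:
    """Faulty logic modelled on the advisory: once the snapshot is found by its
    view key the request is treated as authorized, regardless of who sent it."""
    return supplied_key == snap.key


def can_delete_fixed(req: Requester, snap: Snapshot, supplied_key: str) -> bool:
    """Hardened logic: the caller must be in the snapshot's organization and
    must either own the snapshot or hold a role that can edit it."""
    if supplied_key != snap.key:
        return False
    if req.org_id != snap.org_id:
        return False
    return req.user_id == snap.owner_id or req.role in (Role.EDITOR, Role.ADMIN)


def handle_delete(store: dict, req: Requester, key: str, authz) -> int:
    """Minimal DELETE /api/snapshots/<key> handler: returns an HTTP status code
    and removes the snapshot from `store` only when `authz` allows it."""
    snap = store.get(key)
    if snap is None:
        return 404
    if not authz(req, snap, key):
        return 403
    del store[key]
    return 200


# Constructed sample data (not real Grafana objects).
def sample_store() -> dict:
    return {"abc123": Snapshot(key="abc123", org_id=1, owner_id=7)}


OWNER = Requester(user_id=7, org_id=1, role=Role.EDITOR)
ORG_VIEWER = Requester(user_id=8, org_id=1, role=Role.VIEWER)
OUTSIDER = Requester(user_id=42, org_id=2, role=Role.VIEWER)


def compare() -> dict:
    """Run the same cross-organization delete through both checks."""
    return {
        "vulnerable": handle_delete(sample_store(), OUTSIDER, "abc123", can_delete_vulnerable),
        "fixed": handle_delete(sample_store(), OUTSIDER, "abc123", can_delete_fixed),
    }


if __name__ == "__main__":
    print(compare())  # {'vulnerable': 200, 'fixed': 403}
```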

QID 150859: WordPress ElementsKit Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-2803)

CVE-ID: CVE-2024-2803
Severity: Level 3
CVSS 3.1: 6.4
CWE-ID: 79
Affected Versions: WordPress Elements Kit Plugin before 3.1.0

Description:

Elements Kit is an all-in-one advanced addon built to enhance the page builder with widgets and features.

The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the countdown widget due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Successful exploitation of this vulnerability could allow an attacker to inject arbitrary JavaScript code into pages; the code executes if they can successfully trick a user into performing an action such as clicking on a link.

Customers are advised to upgrade to Elements Kit 3.1.0 or a later version to remediate this vulnerability.

QID 150860: WordPress WP-Members Membership Plugin: Unauthenticated Stored Cross-Site Scripting Vulnerability (CVE-2024-1852)

CVE-ID: CVE-2024-1852
Severity: Level 3
CVSS 3.1: 7.2
CWE-ID: 79
Affected Versions: WordPress WP-Members Membership Plugin before 3.4.9.3

Description:

WP-Members is a free WordPress membership plugin offered by RocketGeek that is built to create and manage membership websites.

The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the X-Forwarded-For header due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page which is the edit users page. This vulnerability was partially patched in version 3.4.9.2 and was fully patched in 3.4.9.3.

Successful exploitation of this vulnerability could allow an unauthenticated attacker to inject arbitrary JavaScript code into pages; the code executes if they can successfully trick a user into performing an action such as clicking on a link.

Customers are advised to upgrade to WP-Members 3.4.9.3 or a later version to remediate this vulnerability.

QID 150862: WordPress Compress – Image Optimizer Plugin: Directory Traversal Vulnerability (CVE-2023-6699)

CVE-ID: CVE-2023-6699
Severity: Level 3
CVSS 3.1: 7.5
CWE-ID: 22
Affected Versions: WP Compress-Image Optimizer Plugin before 6.10.34

Description:

The WP Compress Image Optimizer plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 6.10.33 via the css parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

Successful exploitation of this vulnerability could allow a remote attacker to read the contents of arbitrary files on the target system.

Customers are advised to upgrade to WordPress Compress-Image Optimizer 6.10.34 or a later version to remediate this vulnerability.

QID 150863: Apache HTTP Server Prior to 2.4.59 Multiple Security Vulnerabilities

CVE-ID: CVE-2024-24795, CVE-2023-38709, CVE-2024-27316
Severity: Level 4
CVSS 3.1: 7.3
CWE-ID: 113
Affected Versions: Apache HTTP Server versions from 2.4.0 to 2.4.58

Description:

The Apache HTTP Server, colloquially called Apache, is a free and open-source cross-platform web server software.

Affected versions of Apache HTTP Server have multiple vulnerabilities:

HTTP response splitting (CVE-2023-38709): Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses.

HTTP Response Splitting in multiple modules (CVE-2024-24795): HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack.

HTTP/2 DoS by memory exhaustion on endless continuation frames (CVE-2024-27316): HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.

Successful exploitation of these vulnerabilities could lead to a security breach affecting the integrity, availability, and confidentiality of the server.

Customers are advised to upgrade to the latest version of Apache HTTP Server to remediate these vulnerabilities. For more information, please refer to Apache’s security advisory.

QID 150864: WordPress Malware Scanner and Web Application Firewall Plugins: Unauthenticated Privilege Escalation Vulnerability (CVE-2024-2172)

CVE-ID: CVE-2024-2172
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 287
Affected Versions: WordPress Malware Scanner plugin before 4.7.3; WordPress Web Application Firewall plugin before 2.1.2

Description:

MiniOrange offers two WordPress security plugins: the WordPress Malware Scanner, which scans WordPress files and plugins for malware, and the Web Application Firewall, which defends against web attacks.

The Malware Scanner plugin and the Web Application Firewall plugin for WordPress (both by MiniOrange) are vulnerable to privilege escalation due to a missing capability check on the mo_wpns_init() function. This makes it possible for unauthenticated attackers to escalate their privileges to those of an administrator. Successful exploitation of this vulnerability could allow unauthenticated attackers to take over sites by resetting one of the administrators’ passwords.

Customers are advised to upgrade to Malware Scanner 4.7.3, Web Application Firewall 2.1.2 or a later version to remediate this vulnerability.

QID 150865: Profanity Detected in Website Content

Description:

Profanity refers to language or words that are considered socially taboo, offensive, or vulgar. Profanity can include swear words, curses, or vulgar expressions that are used to express anger, frustration, emphasis, or to insult someone.

Qualys Web Application Scanning (WAS) has released this QID to help identify profanity in web applications.

QID 150867: Varnish Reverse Proxy Detected

Varnish is a reverse caching proxy used as an HTTP accelerator for content-heavy dynamic websites as well as APIs.

Qualys Web Application Scanning (WAS) has released this QID to help identify the presence of Varnish.

QID 150868: WordPress LayerSlider Plugin: Unauthenticated SQL Injection Vulnerability (CVE-2024-2879)

CVE-ID: CVE-2024-2879
Severity: Level 5
CVSS 3.1: 7.5
CWE-ID: 89
Affected Versions: WordPress LayerSlider Plugin 7.9.11 – 7.10.0

Description:

LayerSlider is a premium multi-purpose slider for creating image galleries, content sliders, and slideshows.

The LayerSlider plugin for WordPress is vulnerable to SQL Injection via the ls_get_popup_markup action due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary SQL queries on the target system.

Customers are advised to upgrade to LayerSlider 7.10.1 or a later version to remediate this vulnerability. For more information, please refer to the LayerSlider Release logs.

Qualys has published a technical analysis blog post for CVE-2024-2879.

QID 150869: JetBrains TeamCity Security Vulnerability (CVE-2024-29880)

CVE-ID: CVE-2024-29880
Severity: Level 3
CVSS 3.1: 4.2
CWE-ID: 749
Affected Versions: JetBrains TeamCity prior to version 2023.11

Description:

TeamCity is a general-purpose CI/CD software platform that allows for flexible workflows, collaboration, and development practices.

In JetBrains TeamCity before 2023.11, users with access to the agent machine might obtain the permissions of the user running the agent process. Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access with elevated privileges.

Customers are advised to upgrade TeamCity to the latest version to remediate this vulnerability. For more information, please refer to the JetBrains Security Bulletin.

QID 150870: pgAdmin Remote Code Execution (RCE) Vulnerability (CVE-2024-3116)

CVE-ID: CVE-2024-3116
Severity: Level 4
CVSS 3.1: 7.4
CWE-ID: 1352
Affected Versions: pgAdmin up to version 8.4

Description:

pgAdmin4 is a graphical management tool for the open-source database PostgreSQL.

A Remote Code Execution (RCE) vulnerability exists in pgAdmin through the validate binary path API. This vulnerability allows attackers to execute arbitrary code on the server hosting pgAdmin, posing a severe risk to the database management system’s integrity and the security of the underlying data.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.

Customers are advised to upgrade pgAdmin to version 8.5 or later to remediate this vulnerability.

For more information pertaining to this vulnerability, please refer to pgAdmin.

QID 150871: WordPress Metform Elementor Contact Form Builder Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-2791)

CVE-ID: CVE-2024-2791
Severity: Level 3
CVSS 3.1: 6.4
CWE-ID: 79
Affected Versions: Metform Elementor Contact Form Builder plugin before 3.8.6

Description:

The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s widgets due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Successful exploitation of this vulnerability therefore allows an attacker with contributor-level access or above to run arbitrary script in the browser of any user who views an injected page.

Customers are advised to upgrade to Metform Elementor Contact Form Builder plugin 3.8.6 or a later version to remediate this vulnerability.

QID 150872: WordPress MasterStudy LMS Plugin: Unauthenticated Local File Inclusion Vulnerability (CVE-2024-3136)

CVE-ID: CVE-2024-3136
Severity: Level 4
CVSS 3.1: 8.5
CWE-ID: 22
Affected Versions: WordPress MasterStudy LMS Plugin before 3.3.4

Description:

MasterStudy is a WordPress LMS plugin that is an all-in-one tool for any e-learning business.

The MasterStudy LMS plugin for WordPress is vulnerable to Local File Inclusion via the template parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files.

Successful exploitation of the vulnerability may allow remote attackers to read sensitive files on the target server.

Customers are advised to upgrade to MasterStudy LMS 3.3.4 or a later version to remediate this vulnerability.

QID 150873: Traefik Reverse Proxy Dashboard Detected

Traefik is a dynamic reverse proxy and load balancer that automatically routes incoming traffic to backend services based on their configuration, making it easy to deploy microservices with minimal setup.

Qualys Web Application Scanning (WAS) has released this QID to help identify the presence of Traefik.

QID 150874: PHP Command Injection Vulnerability (CVE-2024-1874)

CVE-ID: CVE-2024-1874
Severity: Level 5
CVSS 3.1: 9.4
CWE-ID: 77
Affected Versions: PHP versions before 8.1.28; PHP versions before 8.2.18; PHP versions before 8.3.5

Description:

PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications.

Due to the improper handling of command line arguments on Windows, maliciously crafted arguments can inject arbitrary commands even if the bypass_shell option is enabled. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the target system.

Customers are advised to upgrade to the latest version of PHP.

QID 150875: JetBrains TeamCity Multiple Security Vulnerabilities

CVE-ID: CVE-2024-31134, CVE-2024-31135, CVE-2024-31136, CVE-2024-31137, CVE-2024-31138, CVE-2024-31139, CVE-2024-31140
Severity: Level 4
CVSS 3.1: 7.4
CWE-ID: 863, 601, 1288, 79, 611
Affected Versions: JetBrains TeamCity prior to version 2024.03

Description:

TeamCity is a general-purpose CI/CD software platform that allows for flexible workflows, collaboration, and development practices.

JetBrains TeamCity is affected by Multiple Vulnerabilities:

CVE-2024-31134: Authenticated users without administrative permissions could register other users when self-registration was disabled.
CVE-2024-31135: Open redirect was possible on the login page.
CVE-2024-31136: 2FA could be bypassed by providing a special URL parameter.
CVE-2024-31137: Reflected XSS was possible via Space connection configuration.
CVE-2024-31138: XSS was possible via Agent Distribution settings.
CVE-2024-31139: XXE was possible in the Maven build steps detector.
CVE-2024-31140: Server administrators could remove arbitrary files from the server by installing tools.

Successful exploitation of these vulnerabilities could compromise the confidentiality, integrity, and availability of the target system.

Customers are advised to upgrade TeamCity to the latest version to remediate these vulnerabilities. For more information, please refer to the JetBrains Security Bulletin.

QID 150876: PHP Cookie Input Validation Vulnerability (CVE-2024-2756)

CVE-ID: CVE-2024-2756
Severity: Level 3
CVSS 3.1: 6.5
CWE-ID: 20
Affected Versions: PHP versions from 8.1.11 before 8.1.28; PHP versions before 8.2.18; PHP versions before 8.3.5

Description:

PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications.

Due to an incomplete fix for CVE-2022-31629, network and same-site attackers can set a standard insecure cookie in the victim’s browser which PHP applications then treat as a `__Host-` or `__Secure-` cookie.

Successful exploitation of this vulnerability therefore lets a network or same-site attacker have an attacker-controlled cookie accepted by the application as if it carried one of these protective prefixes.

Customers are advised to upgrade to the latest version of PHP.

QID 150878: Oracle WebLogic Server Multiple Vulnerabilities (CPUAPR2024)

CVE-ID: CVE-2021-23369, CVE-2023-5072, CVE-2023-52428, CVE-2023-44487, CVE-2024-21006, CVE-2024-21007, CVE-2023-2976, CVE-2024-23635, CVE-2024-26308, CVE-2023-33201
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 1352
Affected Versions: Oracle WebLogic Server version 12.2.1.4.0; Oracle WebLogic Server version 14.1.1.0.0

Description:

Oracle WebLogic Server, used by businesses to host their applications, has multiple security issues in versions 12.2.1.4.0 and 14.1.1.0.0.

If these vulnerabilities are exploited, the impact is serious: an attacker could take over the entire server, access sensitive information, and disrupt business applications.

Oracle has released patches to fix these issues. If you are using Oracle WebLogic Server, apply these patches. You can find more details about the patches in the Oracle Critical Patch Update advisory for April 2024 (CPUAPR2024).

QID 150883: Cacti 1.2.25 Multiple Security Vulnerabilities

CVE-ID: CVE-2023-50250, CVE-2023-49084, CVE-2023-49085, CVE-2023-49086, CVE-2023-49088, CVE-2023-51448
Severity: Level 5
CVSS 3.1: 8.8
CWE-ID: 79, 89, 98
Affected Versions: Cacti 1.2.25

Description:

Cacti is an open-source, web-based network monitoring and graphing tool designed as a front-end application for the open-source, industry-standard data logging tool RRDtool.

Affected versions of Cacti have multiple vulnerabilities:

CVE-2023-50250: Cross-Site Scripting (XSS) Vulnerability during template file imports.
CVE-2023-49084: Remote Code Execution (RCE) Vulnerability in link management functionality.
CVE-2023-49085: SQL Injection vulnerability in poller device management.
CVE-2023-49086: XSS vulnerability when adding new devices.
CVE-2023-49088: XSS vulnerability when viewing data sources in debug mode.
CVE-2023-51448: SQL Injection vulnerability in SNMP Notification Receiver management.

These vulnerabilities could be exploited by malicious actors to execute arbitrary code, steal sensitive information, or manipulate the Cacti application and its data.

Customers are advised to upgrade to Cacti 1.2.26 or later to remediate these vulnerabilities. For more information, please refer to the Cacti project.

QID 150884: CrushFTP VFS Sandbox Escape Vulnerability (CVE-2024-4040)

CVE-ID: CVE-2024-4040
Severity: Level 4
CVSS 3.1: 10
CWE-ID: 20
Affected Versions: CrushFTP versions before 10.7.1 and before 11.1.0

Description:

CrushFTP is a file transfer protocol software designed to help enterprises manage file transfers and monitor activity across networks.

VFS Sandbox Escape in CrushFTP allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.

Successful exploitation of the vulnerability may allow remote attackers to read sensitive files from the filesystem outside of VFS Sandbox.

Customers are advised to upgrade to v11.1.0, v10.7.1 or a later version to remediate this vulnerability.

QID 150891: Java Application Detected

Description:

Java is a cross-platform programming language and runtime used to build applications ranging from server-side web applications to apps that run on smartphones and other small-screen devices.

Qualys Web Application Scanning (WAS) has released this QID to help identify the presence of Java-based web applications.

QID 150892: JavaServer Pages Detected

Description:

JavaServer Pages (JSP) is a Java-based technology that provides a simplified, fast way to create dynamic web content.

Qualys Web Application Scanning (WAS) has released this QID to help identify the presence of JavaServer pages.

QID 150893: JavaServer Faces Detected

JavaServer Faces (JSF) is a Java standard technology for building component-based, event-oriented web interfaces.

Qualys Web Application Scanning (WAS) has released this QID to help identify the presence of JavaServer Faces (JSF).

QID 150894: Java Servlet Detected

Java Servlet technology provides Web developers with a simple, consistent mechanism for extending the functionality of a Web server.

Qualys Web Application Scanning (WAS) has released this QID to help identify the presence of Java Servlets.

QID 150895: Javadoc Detected

Javadoc is a documentation generator tool used to generate standard documentation in HTML format from Java source code.

Qualys Web Application Scanning (WAS) identifies the presence of Javadoc with this QID.

QID 150896: Java Stack Trace Disclosure

Java stack traces are generated as part of error messages within the web application; when they are returned to the client, they disclose internal details such as class names, source file names, and line numbers.

Qualys Web Application Scanning (WAS) has released this QID to help identify the presence of Java Stack Traces.

QID 150897: Spring Boot Default Error Page Detected

Spring Boot is a Java-based framework that simplifies the development of standalone, production-grade Spring applications.

Qualys Web Application Scanning (WAS) has released this QID to help identify the presence of Spring Boot Default pages.

QID 150898: Java Binary Detected

This QID identifies the presence of Java binary files, including compiled Java classes and JAR files, within the target web application. Exposed binaries could facilitate attackers in analyzing and gaining insights about the web application. It’s essential to verify that access to these files is permitted. If necessary, consider removing them or applying access controls.

QID 150899: ZK Framework Detected

ZK Framework is an open-source Java-based Web framework for building enterprise Web and mobile applications.

Qualys Web Application Scanning (WAS) has released this QID to help identify the presence of ZK framework.

QID 154154: WordPress Core: Remote Code Execution via Plugin Upload (CVE-2024-31210)

CVE-ID: CVE-2024-31210
Severity: Level 4
CVSS 3.1: 7.5
CWE-ID: 434
Affected Versions:
WordPress below 4.1.39
WordPress from 4.2 to 4.2.36
WordPress from 4.3 to 4.3.32
WordPress from 4.4 to 4.4.31
WordPress from 4.5 to 4.5.30
WordPress from 4.6 to 4.6.27
WordPress from 4.7 to 4.7.27
WordPress from 4.8 to 4.8.23
WordPress from 4.9 to 4.9.24
WordPress from 5.0 to 5.0.20
WordPress from 5.1 to 5.1.17
WordPress from 5.2 to 5.2.19
WordPress from 5.3 to 5.3.16
WordPress from 5.4 to 5.4.14
WordPress from 5.5 to 5.5.13
WordPress from 5.6 to 5.6.12
WordPress from 5.7 to 5.7.10
WordPress from 5.8 to 5.8.8
WordPress from 5.9 to 5.9.8
WordPress from 6.0 to 6.0.6
WordPress from 6.1 to 6.1.4
WordPress from 6.2 to 6.2.3
WordPress from 6.3 to 6.3.2
WordPress from 6.4 to 6.4.2

Description:

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database.

It’s possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plugins -> Add New -> Upload Plugin screen in WordPress. If FTP credentials are requested for installation, the uploaded file remains temporarily available in the Media Library despite it not being allowed.

If the DISALLOW_FILE_EDIT constant is set to true on the site and FTP credentials are required when uploading a new theme or plugin, then this technically allows an RCE (Remote Code Execution) when the user would otherwise have no means of executing arbitrary PHP code. This issue only affects Administrator-level users on single-site installations and Super Admin-level users on Multisite installations, where it’s otherwise expected that the user does not have permission to upload or execute arbitrary PHP code.

Successful exploitation of this vulnerability could allow administrator-level users on single-site installations and Super Admin-level users on Multisite installations to execute arbitrary PHP code.

Customers are advised to upgrade to 6.4.3, 6.3.3, 6.2.4, 6.1.5, 6.0.7, 5.9.9, 5.8.9, 5.7.11, 5.6.13, 5.5.14, 5.4.15, 5.3.17, 5.2.20, 5.1.18, 5.0.21, 4.9.25, 4.8.24, 4.7.28, 4.6.28, 4.5.31, 4.4.32, 4.3.33, 4.2.37, 4.1.40 or the latest version of WordPress to remediate this vulnerability. For more information regarding this vulnerability, please visit the GitHub Advisory.

QID 154155: WordPress Remote Code Execution Vulnerability (CVE-2024-31211)

CVE-ID: CVE-2024-31211
Severity: Level 4
CVSS 3.1: 5.5
CWE-ID: 502
Affected Versions: WordPress from 6.4 to 6.4.1

Description:

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database.

The vulnerability allows for remote code execution via the __destruct() magic method of the WP_HTML_Token class when instances of this class are unserialized. An attacker could exploit this vulnerability to execute arbitrary code on the target system.

Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary code on the target system.

Customers are advised to upgrade to 6.4.2 or the latest version of WordPress to remediate this vulnerability. For more information regarding this vulnerability, please visit the GitHub Advisory.

QID 520015: Atlassian Bitbucket Denial of Service Vulnerability (CVE-2024-21634)

CVE-ID: CVE-2024-21634
Severity: Level 3
CVSS 3.1: 7.5
CWE-ID: 770
Affected Versions:
Atlassian Bitbucket Server and Data Center version from 7.21.0 to 7.21.21
Atlassian Bitbucket Server and Data Center version from 8.0.0 to 8.8.7
Atlassian Bitbucket Server and Data Center version from 8.9.0 to 8.9.9
Atlassian Bitbucket Server and Data Center version from 8.10.0 to 8.10.6
Atlassian Bitbucket Server and Data Center version from 8.11.0 to 8.11.6
Atlassian Bitbucket Server and Data Center version from 8.12.0 to 8.12.6
Atlassian Bitbucket Server and Data Center version from 8.13.0 to 8.13.5
Atlassian Bitbucket Server and Data Center version from 8.14.0 to 8.14.4
Atlassian Bitbucket Server and Data Center version from 8.15.0 to 8.15.3
Atlassian Bitbucket Server and Data Center version from 8.16.0 to 8.16.2
Atlassian Bitbucket Server and Data Center version from 8.17.0 to 8.17.1
Atlassian Bitbucket Server and Data Center version 8.18.0

Description:

Bitbucket is a Git-based source code repository hosting service owned by Atlassian.

A vulnerability in the software.amazon.ion:ion-java dependency was introduced in Bitbucket Data Center and Server. It allows an unauthenticated attacker to affect assets in your environment; it has no impact on confidentiality, no impact on integrity, a high impact on availability, and requires no user interaction.

Successful exploitation of the vulnerability can allow an attacker to cause a denial of service. The vendor has released a fix for this vulnerability. Customers are advised to refer to BSERV-19291 for more information pertaining to this vulnerability.
