Web Application Detections Published in May 2024

Hitesh Kadu

In May, the Qualys Web Application Scanning (WAS) team issued a critical security signatures update. This update expands the scope to detect vulnerabilities in several widely-used software applications, including WordPress, NEOSDiscovery, Zabbix, CData, BIG-IP Next Central Manager, Apache OFBiz, Apache Superset, jQuery, Cacti, Ivanti Endpoint Manager Mobile (EPMM), Nexus Repository 3, JetBrains TeamCity, Atlassian Confluence Data Center and Server, Next.js, OpenSSL and Tinyproxy. Additionally, WAS has introduced new QIDs for identifying weak Cookies, Server Side Request Forgery, Presence of Privacy Policy Information, HTTP Method Tampering, Source code disclosure, Pixel or web beacon tracking technology, HTTP TRACE method and Cross Site Tracing.

QID     Title
150319  Weak Cookies in Use
150743  Potential SSRF
150796  Presence of Privacy Policy Information
150798  HTTP Method Tampering
150811  Source Code Disclosure
150814  Pixel or Web Beacon Tracking Technology Found
150823  HTTP TRACE Method Detected
150844  Cross-Site Tracing Found
150879  WordPress All in One SEO Pack Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-3368)
150881  NEOSDiscovery Reverse Tabnabbing Vulnerability (CVE-2022-4927)
150889  Zabbix Cross-Site Scripting Vulnerability (CVE-2024-22119)
150890  WordPress Forminator Plugin: File Upload Vulnerability (CVE-2024-28890)
150901  WordPress Forminator Plugin: SQL injection Vulnerability (CVE-2024-31077)
150902  WordPress Forminator Plugin: Cross-Site Scripting (XSS) Vulnerability (CVE-2024-31857)
150903  WordPress Essential Addons for Elementor Plugin: Information Exposure Vulnerability (CVE-2024-3733)
150904  WordPress KingComposer Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2021-25048)
150906  CData Multiple Products Path Traversal Vulnerability
150909  WordPress User Meta Plugin: Sensitive Information Exposure Vulnerability (CVE-2024-33575)
150915  BIG-IP Next Central Manager SQL Injection vulnerability (CVE-2024-26026)
150916  Apache OFBiz Path Traversal Vulnerability (CVE-2024-32113)
150917  Apache Superset Incorrect Authorization Vulnerability (CVE-2024-28148)
150918  jQuery Validation Plugin Regular Expression Denial of Service (ReDoS) Vulnerability (CVE-2021-21252)
150919  jQuery Validation Plugin Regular Expression Denial of Service (ReDoS) Vulnerability (CVE-2021-43306)
150920  jQuery Validation Plugin Regular Expression Denial of Service (ReDoS) Vulnerability (CVE-2022-31147)
150935  Zabbix SQL Injection Vulnerability (CVE-2024-22120)
150936  Cacti Prior to 1.2.27 Multiple Security Vulnerabilities
150937  Ivanti Endpoint Manager Mobile (EPMM) Multiple Vulnerabilities
150939  Nexus Repository 3 Path Traversal Vulnerability (CVE-2024-4956)
150940  WordPress Country State City Dropdown CF7 Plugin: Unauthenticated SQL Injection Vulnerability (CVE-2024-3495)
150941  JetBrains TeamCity Multiple Vulnerabilities (CVE-2024-35300, CVE-2024-35301)
150942  Atlassian Confluence Data Center and Server Remote Code Execution (RCE) Vulnerability (CVE-2024-21683)
151028  Vulnerable JavaScript Library Detected – Next.js
154156  WordPress Core Stored Cross-Site Scripting Vulnerability (CVE-2024-4439)
520016  Open Secure Sockets Layer (OpenSSL) Uncontrolled Resource Consumption (CVE-2024-2511)
520017  Tinyproxy HTTP Connection Headers Use After Free Vulnerability (CVE-2023-49606)

QID 150319: Weak Cookies in Use

Cookies are data stored on a client’s browser that are used to maintain session state, track user preferences, and more. When cookies are weakly implemented or managed, several risks emerge:

  1. Session Hijacking
  2. Information Leakage
  3. Cross-Site Scripting (XSS)
  4. Cross-Site Request Forgery (CSRF)

Qualys Web Application Scanning (WAS) has released this QID to help identify the use of weak cookies in web applications.
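The four risks above map directly onto cookie attributes that a response either sets or omits. The checker below is an added example, not Qualys WAS code: it parses Set-Cookie headers and reports missing Secure, HttpOnly and SameSite attributes, a broken SameSite=None combination, unmet __Host- prefix rules, and (as a heuristic) session values too short to be random. The header strings in SAMPLE_SET_COOKIE and the MIN_VALUE_LEN threshold are constructed for the example.

```python
"""Audit Set-Cookie headers for weak attributes (added example, not Qualys WAS code).
The sample headers and the MIN_VALUE_LEN heuristic are constructed."""

# Heuristic: session identifiers shorter than this are treated as guessable.
MIN_VALUE_LEN = 16


def parse_set_cookie(header_value):
    """Split one Set-Cookie header into (name, value, {attribute_lowercase: value})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    if not parts:
        raise ValueError("empty Set-Cookie header")
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # bare flags such as Secure get ""
    return name.strip(), value.strip(), attrs


def audit_cookie(header_value, over_https=True):
    """Return (cookie_name, [findings]) for one Set-Cookie header."""
    name, value, attrs = parse_set_cookie(header_value)
    findings = []
    if over_https and "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plaintext HTTP (session hijacking)")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by script, so XSS can steal it")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite: set it explicitly to limit CSRF exposure")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: browsers reject this combination")
    if name.startswith("__Host-") and (
        "secure" not in attrs or "domain" in attrs or attrs.get("path") != "/"
    ):
        findings.append("__Host- prefix used but its Secure / no Domain / Path=/ rules are not met")
    if len(value) < MIN_VALUE_LEN:
        findings.append("short value: session identifiers should be long random tokens")
    return name, findings


def audit_response_cookies(set_cookie_headers, over_https=True):
    """Audit every Set-Cookie header of one response; returns {cookie_name: [findings]}."""
    return dict(audit_cookie(h, over_https) for h in set_cookie_headers)


# Constructed sample headers: one weak, one hardened, one misusing SameSite=None.
SAMPLE_SET_COOKIE = [
    "sessionid=abc123; Path=/",
    "sessionid_v2=3f9a1c0e7b2d4a6f8e1b3c5d7f9a2b4c; Path=/; Secure; HttpOnly; SameSite=Strict",
    "tracker=xyz; Domain=.example.com; SameSite=None",
]

if __name__ == "__main__":
    for cookie, findings in audit_response_cookies(SAMPLE_SET_COOKIE).items():
        print(cookie, "->", findings or ["no weaknesses found"])
```

Pass over_https=False for a site that is genuinely plain HTTP only; otherwise a missing Secure flag is always reported, since that is what allows a session cookie to leak on a downgraded connection.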

QID 150743: Potential SSRF

In a Server-Side Request Forgery (SSRF) attack, an attacker exploits server functionality to access internal resources or perform actions on behalf of the server. This is typically achieved by manipulating URLs used by the server to fetch or submit data. For instance, an attacker might alter URLs intended for data import or publication or manipulate how URLs are constructed (such as through path traversal techniques).

Once the manipulated request reaches the server, the manipulated URL is processed, potentially leading to unauthorized access to sensitive information or services not intended to be exposed externally.

Qualys Web Application Scanning (WAS) has released this QID to help identify SSRF in web applications.

For more information on mitigating SSRF, please visit the Server-Side Request Forgery Prevention Cheat Sheet.
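The cheat sheet's core advice is to validate the URL the server is asked to fetch before fetching it. The following is an added example, not Qualys WAS code or the cheat sheet's own code: it accepts only http(s), refuses embedded credentials, requires the host to be on an allow-list, and then resolves the host and rejects it if any returned address is loopback, private, link-local or otherwise non-public, which also covers a DNS name that points into the internal network. PARTNER_HOSTS, FAKE_DNS and fake_resolver are constructed so the example runs offline; system_resolver is the real-world replacement.

```python
"""Validate a user-supplied URL before the server fetches it (added example, not
Qualys WAS code). PARTNER_HOSTS, FAKE_DNS and fake_resolver are constructed."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
SHARED_V4 = ipaddress.ip_network("100.64.0.0/10")  # carrier-grade NAT space, not internet-routable


def is_public_address(addr):
    """True only for addresses a server should be allowed to reach on the open internet."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and ip in SHARED_V4:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host):
    """Resolve with the OS resolver; every returned address must pass is_public_address."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url, allowed_hosts, resolver=system_resolver):
    """Return (ok, reason). Only http(s), no embedded credentials, host on the
    allow-list, and every resolved address public."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} is not allowed"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    if host.lower() not in allowed_hosts:
        return False, f"host {host!r} is not on the allow-list"
    try:
        addrs = resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    if not addrs:
        return False, f"host {host!r} did not resolve"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"host {host!r} resolves to non-public address {addr}"
    return True, "ok"


# Constructed allow-list and DNS answers; the second name simulates a record that
# also points into the internal network (the DNS rebinding case).
PARTNER_HOSTS = {"api.partner.example", "rebind.partner.example"}
FAKE_DNS = {
    "api.partner.example": ["100.200.30.40"],
    "rebind.partner.example": ["100.200.30.41", "10.0.0.5"],
}


def fake_resolver(host):
    """Stand-in for system_resolver so the example runs without network access."""
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in ("https://api.partner.example/feed.json",
                      "file:///tmp/report.txt",
                      "http://10.0.0.5/status",
                      "https://rebind.partner.example/",
                      "https://user:pw@api.partner.example/"):
        print(candidate, "->", validate_outbound_url(candidate, PARTNER_HOSTS, fake_resolver))
```

Two points the check alone does not cover: connect to the address you validated rather than letting the HTTP client resolve the name a second time, and either disable automatic redirects or run the same validation on every redirect target, since a redirect is the usual way a permitted URL ends up pointing somewhere internal.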

QID 150796: Presence of Privacy Policy Information

A Privacy Policy is a statement that explains how your business collects, handles, and processes the data of your customers and visitors. It’s a critical piece of documentation that tells users what information you gather, why you collect it, how you use it, and who has access to it. The policy should also outline the measures taken to protect users’ data.

Privacy policies generally fall into one of the following categories:

  • Privacy Agreement
  • Privacy Clause
  • Privacy Notice
  • Privacy Page
  • Privacy Policy

Not having a clear privacy policy on your website could put you in violation of certain laws. Having a privacy policy is a requirement under the following laws:

  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)
  • California Online Privacy Protection Act (CalOPPA)
  • Children’s Online Privacy Protection Act (COPPA)

A privacy policy also helps maintain trust and transparency in your business environment.

Ensure the privacy page provides:

  • Information collected on your website
  • Storage of the information collected on the website
  • Processing of the information collected on the website
  • Details on when the policy was updated

QID 150798: HTTP Method Tampering

HTTP tampering refers to the unauthorized modification of HTTP requests or responses exchanged between a client (e.g., browser) and a server.

This QID specifically tests for the TRACE and HEAD methods. Misconfigured methods in general are a risk: for example, improper configuration of DELETE may allow attackers to maliciously delete data. Exploiting such weaknesses could potentially bypass authentication and expose sensitive information.

QID 150811: Source Code Disclosure

Source Code Disclosure occurs when sensitive or proprietary source code is unintentionally exposed to unauthorized parties. This exposure can happen through various means, including misconfigured web servers, insecure coding practices, or insufficient access controls. Source code reachable from the external-facing side of a web application leaks information about how the application works, and attackers can use that information to find and exploit weaknesses such as SQLi, RCE, LFI, etc.

Avoid the exposure of source code from the web application by changing the access to the content or removing the source code from content accessible from the website.
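A quick way to see whether the mitigation above actually took effect is to look at what your own site returns. The checker below is an added example, not Qualys WAS code: given a path, the Content-Type and the body of a response, it flags backup or include files served directly, script files delivered as plain content, and body fragments that only exist in unrendered server-side source (PHP/JSP/ASP tags, Python definitions, shebang lines, credential literals). The marker list, suffix list and SAMPLE_RESPONSES are constructed for the example and are heuristics, not a complete catalogue.

```python
"""Flag HTTP responses that look like unrendered server-side source (added example,
not Qualys WAS code). Markers, suffixes and SAMPLE_RESPONSES are constructed."""
import os
import re

# Fragments that should never reach a browser if the server executed the file.
SOURCE_MARKERS = [
    ("php", re.compile(r"<\?php\b|<\?=")),
    ("jsp/asp", re.compile(r"<%[@=!]?\s*[A-Za-z$]")),
    ("python", re.compile(r"^\s*(?:from\s+[\w.]+\s+import\s+[\w*]|def\s+\w+\(.*\)\s*:)", re.M)),
    ("shell", re.compile(r"^#!\s*/(?:usr/)?bin/(?:ba|z|da)?sh\b", re.M)),
    ("credential literal", re.compile(r"(?i)(?:password|passwd|pwd|secret)\s*=\s*['\"][^'\"]+['\"]")),
]
# Editor/backup leftovers that web servers serve raw instead of executing.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", ".inc", "~")
# Extensions the server should execute; seeing them as plain content is suspicious.
SCRIPT_EXTENSIONS = {".php", ".jsp", ".asp", ".aspx", ".py", ".rb", ".pl", ".cgi"}
PLAIN_TYPES = ("text/plain", "application/octet-stream")


def check_response(path, content_type, body):
    """Return a list of findings for one response; empty means nothing suspicious."""
    findings = []
    lowered = path.lower()
    ext = os.path.splitext(lowered)[1]
    media_type = content_type.split(";")[0].strip().lower()
    if lowered.endswith(BACKUP_SUFFIXES):
        findings.append(f"backup or include file served directly: {path}")
    if ext in SCRIPT_EXTENSIONS and media_type in PLAIN_TYPES:
        findings.append(f"script file served as {media_type} instead of being executed: {path}")
    for lang, pattern in SOURCE_MARKERS:
        if pattern.search(body):
            findings.append(f"{lang} source marker found in response body")
    return findings


def audit_responses(responses):
    """Run check_response over (path, content_type, body) tuples; returns {path: findings}."""
    return {path: check_response(path, ctype, body) for path, ctype, body in responses}


# Constructed responses: a rendered page, a leaked backup, a raw JSP, and a CGI served as text.
SAMPLE_RESPONSES = [
    ("/index.php", "text/html; charset=utf-8", "<html><body>Welcome</body></html>"),
    ("/config.php.bak", "text/plain", "<?php\n$db_password = 'constructed-secret';\n"),
    ("/app.jsp", "text/html", "<%@ page import=\"java.util.*\" %>\n<html>"),
    ("/cgi-bin/status.cgi", "text/plain", "#!/bin/bash\necho running\n"),
]

if __name__ == "__main__":
    for path, findings in audit_responses(SAMPLE_RESPONSES).items():
        print(path, "->", findings or ["clean"])
```

Run it against responses captured from a crawl of your own application; the backup-suffix and script-as-text findings are the ones most often fixed by the "change the access to the content" advice above, typically a deny rule for those suffixes in the web server configuration.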

QID 150814: Pixel or Web Beacon Tracking Technology Detected

A tracking pixel is also known as a web beacon. When pixel technology is used, information can be leaked without the user’s consent; under the GDPR, tracking pixels may only be used if the user gives consent. Tracking pixels retrieve analytics details. Tracking or marketing pixels enable cross-platform marketing: they follow website visitors from one website or social network to another and present targeted advertisements on different platforms, devices, or websites.

QID 150823: HTTP TRACE Method Detected

The HTTP TRACE method is used to echo the received request back to the client, which is primarily useful for debugging or troubleshooting purposes. However, if this method is enabled on a web server and not properly secured, it can be exploited in certain situations like cross-site tracing (XST) attacks.

To prevent this vulnerability, web servers should either turn off the TRACE method completely or set up protections to stop it from being misused for harm. This usually involves configuring the server to deny TRACE requests or using tools and settings that stop sensitive information from being exposed through this method.

QID 150844: Cross-Site Tracing Detected

Cross-Site Tracing (XST) combines Cross-Site Scripting (XSS) with the HTTP TRACE or TRACK methods. TRACE lets clients view what the server receives, which is useful for testing or diagnostics. Exploiting XST could involve stealing user cookies via XSS. Disabling the TRACE HTTP method mitigates this risk effectively.
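The TRACE check behind QID 150823 and the XST finding above both come down to one observation: does the server echo a request back? The following is an added example, not Qualys WAS code. It starts two constructed local servers, one that still answers TRACE by reflecting the request (the condition the QIDs detect) and one hardened to refuse TRACE and TRACK with 405 while advertising its allowed methods via OPTIONS, then runs the same audit against each: send a TRACE carrying a marker header and see whether the marker comes back in the body. The handler classes, the X-Trace-Probe marker and the port selection are assumptions of the example.

```python
"""TRACE/method audit against two constructed local servers (added example, not
Qualys WAS code). EchoTraceHandler, HardenedHandler and the marker header are constructed."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class EchoTraceHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server with TRACE left enabled."""

    def do_GET(self):
        self._text(200, "hello")

    def do_TRACE(self):
        # Standard TRACE behaviour: reflect the request line and headers to the client.
        echo = self.requestline + "\r\n" + str(self.headers)
        self._text(200, echo, "message/http")

    def _text(self, status, body, ctype="text/plain"):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo output quiet
        pass


class HardenedHandler(EchoTraceHandler):
    """Same server with TRACE/TRACK refused and the allowed methods advertised."""

    ALLOWED = ("GET", "HEAD", "OPTIONS")

    def do_OPTIONS(self):
        self.send_response(204)
        self.send_header("Allow", ", ".join(self.ALLOWED))
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_TRACE(self):
        self._deny()

    def do_TRACK(self):  # dispatched by method name, so the IIS-style alias is covered too
        self._deny()

    def _deny(self):
        self.send_response(405)
        self.send_header("Allow", ", ".join(self.ALLOWED))
        self.send_header("Content-Length", "0")
        self.end_headers()


def audit(host, port, marker="X-Trace-Probe"):
    """What a scanner records: TRACE status, whether our marker header was echoed,
    and the Allow header returned for OPTIONS (None if the server sends none)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", "/", headers={marker: "xst-check"})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    trace_status = resp.status
    conn.close()
    echoed = trace_status == 200 and f"{marker}: xst-check" in body

    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("OPTIONS", "/")
    opt = conn.getresponse()
    opt.read()
    allow = opt.getheader("Allow")
    conn.close()
    return {"trace_status": trace_status, "trace_enabled": echoed, "allow": allow}


def serve(handler):
    """Start a handler on an ephemeral loopback port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Audit both constructed servers and return {server_name: audit result}."""
    results = {}
    for name, handler in (("trace_enabled_server", EchoTraceHandler),
                          ("hardened_server", HardenedHandler)):
        srv = serve(handler)
        try:
            results[name] = audit("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The marker header is the part that matters: a 200 alone does not prove TRACE works, but seeing a header you just sent reflected in the body does, and that reflection is exactly what XST relies on to read cookies the script itself cannot.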

QID 150879: WordPress All in One SEO Pack Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-3368)

CVE-ID: CVE-2024-3368
Severity: Level 3
CVSS 3.1: 6.4
CWE-ID: 79
Affected Versions: All in One SEO (AIOSEO) before 4.6.1.1

Description:

All in One SEO (AIOSEO) is a WordPress plugin that helps website owners optimize their WordPress websites for search engines and social media. With over 3 million downloads, the plugin has encountered a security issue. The plugin fails to validate and escape certain Post fields before outputting them, potentially enabling contributors and higher roles to execute Stored Cross-Site Scripting attacks. Successful exploitation could allow an attacker to execute arbitrary JavaScript code in the context of the interface or allow the attacker to access sensitive, browser-based information.

Customers are advised to upgrade to All in One SEO version 4.6.1.1 or later to remediate this vulnerability. For more information, please visit All in One SEO.

QID 150881: NEOSDiscovery Reverse Tabnabbing Vulnerability (CVE-2022-4927)

CVE-ID: CVE-2022-4927
Severity: Level 3
CVSS 3.1: 6.1
CWE-ID: 1022
Affected Versions: NEOSDiscovery 1.0.70

Description:

NEOSDiscovery was a discovery platform that allowed users to search for library materials from the NEOS library consortium.

A vulnerability has been discovered in ualbertalib NEOSDiscovery 1.0.70, classified as problematic. This issue affects the processing of the file app/views/bookmarks/_refworks.html.erb, where manipulation can lead to the use of a web link to an untrusted target with access to window.opener. This vulnerability could be exploited remotely.

Updating to version 1.0.71 resolves this vulnerability.

QID 150889: Zabbix Cross-Site Scripting Vulnerability (CVE-2024-22119)

CVE-ID: CVE-2024-22119
Severity: Level 3
CVSS 3.1: 5.4
CWE-ID: 79
Affected Versions: Zabbix version from 5.0.0 to 5.0.40
                   Zabbix version from 6.0.0 to 6.0.24
                   Zabbix version from 6.4.0 to 6.4.9

Description:

Zabbix is an open-source software tool to monitor IT infrastructure such as networks, servers, virtual machines, and cloud services. 

A Stored XSS vulnerability has been identified in the graph items select form of Zabbix. If exploited successfully, this vulnerability could allow an unauthenticated attacker to inject arbitrary JavaScript code into pages that execute when a user performs actions such as clicking on a link.

Customers are advised to upgrade Zabbix to a new version to remediate this vulnerability. For more information, please refer to ZBX-24070.

QID 150890: WordPress Forminator Plugin: File Upload Vulnerability (CVE-2024-28890)

CVE-ID: CVE-2024-28890
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 434
Affected Versions: Forminator prior to version 1.29.0

Description:

Forminator is a WordPress plugin that enables a drag-and-drop visual builder, simplifying the process of setting up and adding forms to WordPress websites. The plugin has been downloaded over 500,000 times.

The affected version of the Forminator plugin is vulnerable to an Unrestricted File Upload Vulnerability. Exploiting this vulnerability successfully could allow a remote attacker to access sensitive information by compromising files on the server, manipulate the affected site, and potentially cause a Denial-of-Service (DoS) condition.

Customers are advised to upgrade Forminator to version 1.29.0 or later to remediate this vulnerability.

QID 150901: WordPress Forminator Plugin: SQL injection Vulnerability (CVE-2024-31077)

CVE-ID: CVE-2024-31077
Severity: Level 4
CVSS 3.1: 7.2
CWE-ID: 89
Affected Versions: Forminator prior to version 1.29.3

Description:

Forminator is a WordPress plugin that enables a drag-and-drop visual builder, simplifying the process of setting up and adding forms to WordPress websites. The plugin has over 500,000 downloads.

An affected version of the Forminator plugin contains a SQL injection vulnerability. This vulnerability allows remote attackers with admin privileges to execute arbitrary SQL queries. Successful exploitation could enable a remote attacker to alter any information in the database and potentially cause a Denial-of-Service (DoS) condition.

Customers are advised to upgrade Forminator to version 1.29.3 or later to remediate this vulnerability.

QID 150902: WordPress Forminator Plugin: Cross-Site Scripting (XSS) Vulnerability (CVE-2024-31857)

CVE-ID: CVE-2024-31857
Severity: Level 3
CVSS 3.1: 6.1
CWE-ID: 79
Affected Versions: Forminator prior to version 1.15.4

Description:

Forminator is a WordPress plugin that allows a drag-and-drop visual builder, which makes it easy to set up and add forms to a WordPress website. 

A vulnerability in certain versions of Forminator allows for Cross-Site Scripting (XSS). If exploited, this could let a remote attacker inject arbitrary HTML and JavaScript code into a user’s browser.

Customers are advised to upgrade Forminator to version 1.15.4 or later to remediate this vulnerability.

QID 150903: WordPress Essential Addons for Elementor Plugin: Information Exposure Vulnerability (CVE-2024-3733)

CVE-ID: CVE-2024-3733
Severity: Level 3
CVSS 3.1: 5.3
CWE-ID: 200
Affected Versions: Essential Addons for Elementor Plugin before 5.9.16

Description:

Essential Addons for Elementor is a powerful plugin that enhances the functionality of the Elementor page builder, with over 2 million downloads.

The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits, and WooCommerce Builders plugin for WordPress is vulnerable to Sensitive Information Exposure via the ajax_load_more(), eael_woo_pagination_product_ajax(), and ajax_eael_product_gallery() functions. This makes it possible for unauthenticated attackers to extract posts that may be in private or draft status.

Successful exploitation of this vulnerability could allow an unauthorized attacker to gain Sensitive Information. 

Customers are advised to upgrade to Essential Addons for Elementor 5.9.16 or a later version to remediate this vulnerability.

QID 150904: WordPress KingComposer Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2021-25048)

CVE-ID: CVE-2021-25048
Severity: Level 3
CVSS 3.1: 5.4
CWE-ID: 79
Affected Versions: KingComposer All Versions

Description:

KingComposer is a free drag-and-drop page builder by King-Theme. The plugin has no authorization, CSRF or sanitization/escaping checks when creating a profile, allowing any authenticated user to create arbitrary profiles containing Cross-Site Scripting payloads.

Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary HTML and JavaScript code into a user’s browser. 

The plugin has been closed as of February 2, 2022, so there are no updates. Customers are advised to remove the plugin.

QID 150906: CData Multiple Products Path Traversal Vulnerability

CVE-ID: CVE-2024-31848, CVE-2024-31849, CVE-2024-31850, CVE-2024-31851
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 22
Affected Versions: CData API Server prior to version 23.4.8844
                   CData Connect prior to version 23.4.8846
                   CData Arc prior to version 23.4.8839
                   CData Sync prior to version 23.4.8843

Description:

CData is a data access and connectivity solution provider.

Multiple CData products, including CData API Server, CData Connect (On-prem), CData Arc (ArcESB), and CData Sync, are affected by a Path Traversal Vulnerability when the Java Edition of these products is used with Jetty (the default embedded Web Server).

Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to gain complete administrative access to the application.

Customers are advised to upgrade relevant applications to the latest release:

CData API Server version: 23.4.8844 or later
CData Connect version: 23.4.8846 or later
CData Arc (ArcESB) version: 23.4.8839 or later
CData Sync version: 23.4.8843 or later

For more information pertaining to remediating this vulnerability, please refer to the CData Security Advisory.

QID 150909: WordPress User Meta Plugin: Sensitive Information Exposure Vulnerability (CVE-2024-33575)

CVE-ID: CVE-2024-33575
Severity: Level 3
CVSS 3.1: 5.3
CWE-ID: 200
Affected Versions: User Meta up to version 3.0

Description:

User Meta is a WordPress plugin that offers user profile and management functionalities, including user login, password reset, profile updates, and user registration. 

The affected version of the User Meta plugin is vulnerable to a Sensitive Information Exposure Vulnerability. If exploited successfully, this vulnerability could allow an unauthenticated attacker to extract sensitive configuration data by accessing the phpinfo file.

Customers are advised to upgrade User Meta to version 3.1 or later to remediate this vulnerability. For more information, please refer to the Wordfence Advisory.

QID 150915: BIG-IP Next Central Manager SQL Injection vulnerability (CVE-2024-26026)

CVE-ID: CVE-2024-26026
Severity: Level 4
CVSS 3.1: 5.3
CWE-ID: 200, 89
Affected Versions: BIG-IP Next Central Manager 20.0.1 – 20.1.0

Description:

BIG-IP Next Central Manager enables centralized control of all BIG-IP Next instances and services via a unified management user interface.

An SQL injection vulnerability has been discovered in the BIG-IP Next Central Manager API (URI). This vulnerability allows an unauthenticated attacker to execute malicious SQL statements through the API.

The vendor has released a patch to address this vulnerability. Customers are advised to upgrade to BIG-IP Next Central Manager 20.2.0 or later. For further details, please refer to K000138733.

QID 150916: Apache OFBiz Path Traversal Vulnerability (CVE-2024-32113)

CVE-ID: CVE-2024-32113
Severity: Level 4
CVSS 3.1: 7.5
CWE-ID: 22
Affected Versions: Apache OFBiz before 18.12.13

Description:

Apache OFBiz is an open-source enterprise resource planning system. It provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise.

Apache OFBiz is affected by an Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability. Successful exploitation of the vulnerability may allow remote attackers to read sensitive files on the target server. Path traversal can also lead to remote code execution.

Customers are advised to upgrade Apache OFBiz to the latest version to remediate this vulnerability. For more information regarding this vulnerability, please refer to the Apache OFBiz Advisory.

QID 150917: Apache Superset Incorrect Authorization Vulnerability (CVE-2024-28148)

CVE-ID: CVE-2024-28148
Severity: Level 3
CVSS 3.1: 4.3
CWE-ID: 863
Affected Versions: Apache Superset before 4.0.0

Description:

Apache Superset is an open-source software application for data exploration and data visualization that is able to handle data at petabyte scale.

An authenticated user could potentially access metadata for a datasource they are not authorized to view by submitting a targeted REST API request.

Customers are advised to upgrade Apache Superset to the latest version to remediate this vulnerability. For more information regarding this vulnerability, please refer to Apache Superset.

QID 150918: jQuery Validation Plugin Regular Expression Denial of Service (ReDoS) Vulnerability (CVE-2021-21252)

CVE-ID: CVE-2021-21252
Severity: Level 3
CVSS 3.1: 7.5
CWE-ID: 400
Affected Versions: jQuery Validation Plugin prior to version 1.19.3

Description:

jQuery Validation is a jQuery plugin that provides drop-in validation for forms.

The affected version of the jQuery Validation Plugin is vulnerable to a Regular Expression Denial of Service (ReDoS) Vulnerability. Successful exploitation of this vulnerability could result in a Denial of Service (DoS) attack.

Customers are advised to upgrade to the latest versions of jQuery Validation Plugin to remediate this vulnerability. For more information, please refer to the jQuery Validation Security Advisory.

QID 150919: jQuery Validation Plugin Regular Expression Denial of Service (ReDoS) Vulnerability (CVE-2021-43306)

CVE-ID: CVE-2021-43306
Severity: Level 3
CVSS 3.1: 7.5
CWE-ID: 1333
Affected Versions: jQuery Validation Plugin prior to version 1.19.4

Description:

jQuery Validation is a jQuery plugin that provides drop-in validation for forms.

The affected version of the jQuery Validation Plugin is vulnerable to a Regular Expression Denial of Service (ReDoS) Vulnerability when an attacker is able to supply arbitrary input to the url2 method. Successful exploitation of this vulnerability could result in a Denial of Service (DoS) attack.

Customers are advised to upgrade to the latest versions of jQuery Validation Plugin to remediate this vulnerability. For more information, please refer to jQuery Validation.

QID 150920: jQuery Validation Plugin Regular Expression Denial of Service (ReDoS) Vulnerability (CVE-2022-31147)

CVE-ID: CVE-2022-31147
Severity: Level 3
CVSS 3.1: 7.5
CWE-ID: 1333
Affected Versions: jQuery Validation Plugin prior to version 1.19.5

Description:

jQuery Validation is a jQuery plugin that provides drop-in validation for forms.

The affected version of the jQuery Validation Plugin is vulnerable to a Regular Expression Denial of Service (ReDoS) Vulnerability when an attacker is able to supply arbitrary input to the url2 method. Successful exploitation of this vulnerability could result in a Denial of Service (DoS) attack.

Customers are advised to upgrade to the latest versions of jQuery Validation Plugin to remediate this vulnerability. For more information, please refer to jQuery Validation Security Advisory.

QID 150935: Zabbix SQL Injection Vulnerability (CVE-2024-22120)

CVE-ID: CVE-2024-22120
Severity: Level 4
CVSS 3.1: 9.1
CWE-ID: 89
Affected Versions: Zabbix version from 6.0.0 to 6.0.27
                   Zabbix version from 6.4.0 to 6.4.12
                   Zabbix version 7.0.0alpha1 – 7.0.0beta1

Description:

Zabbix is an open-source software tool to monitor IT infrastructure such as networks, servers, virtual machines, and cloud services.

Zabbix server can perform command execution for configured scripts. After a command is executed, an audit entry is added to the “Audit Log”. Because the “clientip” field is not sanitized, it is possible to inject SQL via “clientip” and exploit a time-based blind SQL injection.

Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary SQL queries on the target system. Customers are advised to upgrade Zabbix to a new version to remediate this vulnerability. For more information, please refer to ZBX-24505.

QID 150936: Cacti Prior to 1.2.27 Multiple Security Vulnerabilities

CVE-ID: CVE-2024-31444, CVE-2024-31458, CVE-2024-27082, CVE-2024-31460, CVE-2024-31443, CVE-2024-25641, CVE-2024-29894, CVE-2024-31445, CVE-2024-34340, CVE-2024-31459
Severity: Level 5
CVSS 3.1: 9.1
CWE-ID: 79, 89, 98, 20, 116, 287, 697
Affected Versions: Cacti before 1.2.27

Description:

Cacti is an open-source, web-based network monitoring and graphing tool designed as a front-end application for the open-source, industry-standard data logging tool RRDtool.

Affected versions of Cacti have multiple vulnerabilities:

CVE-2024-31444: XSS vulnerability when reading tree rules with the Automation API.
CVE-2024-31458: SQL Injection vulnerability when using form templates.
CVE-2024-27082: XSS vulnerability when managing trees.
CVE-2024-31460: SQL Injection vulnerability when using tree rules through the Automation API.
CVE-2024-31443: XSS vulnerability when managing data queries.
CVE-2024-25641: RCE vulnerability when importing packages.
CVE-2024-29894: XSS vulnerability when using the JavaScript-based messaging API.
CVE-2024-31445: SQL Injection vulnerability when retrieving graphs using the Automation API.
CVE-2024-34340: Authentication bypass when using older password hashes.
CVE-2024-31459: RCE vulnerability when plugins include files.

These vulnerabilities could be exploited by malicious actors to execute arbitrary code, steal sensitive information, or manipulate the Cacti application and its data.

Customers are advised to upgrade to Cacti 1.2.27 or later to remediate these vulnerabilities. For more information, please refer to Cacti.

QID 150937: Ivanti Endpoint Manager Mobile (EPMM) Multiple Vulnerabilities

CVE-ID: CVE-2023-46806, CVE-2023-46807, CVE-2024-22026
Severity: Level 3
CVSS 3.1: 6.7
CWE-ID: 89
Affected Versions: Ivanti EPMM prior to version 12.1.0.0

Description:

Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, is a mobile management software engine that enables IT to set policies for mobile devices, applications, and content.

Multiple vulnerabilities have been identified in Ivanti EPMM:

CVE-2023-46806: An SQL Injection vulnerability in a web component of EPMM allows an authenticated user with appropriate privilege to access or modify data in the underlying database.
CVE-2023-46807: An SQL Injection vulnerability in the web component of EPMM allows an authenticated user with appropriate privilege to access or modify data in the underlying database.
CVE-2024-22026: A local privilege escalation vulnerability in EPMM allows an authenticated local user to bypass shell restriction and execute arbitrary commands on the appliance.

Successful exploitation of these vulnerabilities could allow an authenticated attacker to modify data in the database or elevate privileges.

Customers are advised to update Ivanti EPMM to version 12.1.0.0 or later to remediate these vulnerabilities. For more information, please refer to the Ivanti Security Advisory.

QID 150939: Nexus Repository 3 Path Traversal Vulnerability (CVE-2024-4956)

CVE-ID: CVE-2024-4956
Severity: Level 4
CVSS 3.1: 7.5
CWE-ID: 22
Affected Versions: All previous Sonatype Nexus Repository 3.x OSS/Pro versions up to and including 3.68.0

Description:

Sonatype Nexus Repository 3 manages components, binaries and build artifacts across the entire software supply chain.

Path Traversal in Sonatype Nexus Repository 3 allows an unauthenticated attacker to read system files. Successful exploitation of this vulnerability could allow an attacker to read arbitrary files on the target system.

Customers are advised to upgrade Sonatype Nexus Repository OSS/Pro to version 3.68.1 or later to remediate this vulnerability. For more information, please refer to the Security Advisory.

QID 150940: WordPress Country State City Dropdown CF7 Plugin: Unauthenticated SQL Injection Vulnerability (CVE-2024-3495)

CVE-ID: CVE-2024-3495
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 89
Affected Versions: WordPress Country State City Dropdown CF7 Plugin before 2.7.3

Description:

Country State City Dropdown CF7 plugin is an add-on of the Contact Form 7 plugin to show country, state, and city dropdowns.

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the cnt and sid parameters due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary SQL queries on the target system. Customers are advised to upgrade to Country State City Dropdown CF7 2.7.3 or a later version to remediate this vulnerability.

QID 150941: JetBrains TeamCity Multiple Vulnerabilities (CVE-2024-35300, CVE-2024-35301)

CVE-ID: CVE-2024-35300, CVE-2024-35301
Severity: Level 3
CVSS 3.1: 5.5
CWE-ID: 79, 280
Affected Versions: JetBrains TeamCity prior to version 2024.03.1

Description:

TeamCity is a general-purpose CI/CD software platform that allows for flexible workflows, collaboration, and development practices.

JetBrains TeamCity is affected by Multiple Vulnerabilities:

CVE-2024-35300: Several Stored Cross-Site Scripting (XSS) in the available updates page were possible.
CVE-2024-35301: Commit status publisher didn’t check the project scope of the GitHub App token.

Successful exploitation of these vulnerabilities could compromise the Confidentiality and Integrity of the target system.

Customers are advised to upgrade TeamCity to the latest version to remediate these vulnerabilities. For more information, please refer to the JetBrains Security Bulletin.

QID 150942: Atlassian Confluence Data Center and Server Remote Code Execution (RCE) Vulnerability (CVE-2024-21683)

CVE-ID: CVE-2024-21683
Severity: Level 4
CVSS 3.1: 9
CWE-ID: 78
Affected Versions: Confluence Data Center and Server 5.2.0 to 7.17.5
                   Confluence Data Center and Server 7.18.0 to 7.18.3
                   Confluence Data Center and Server 7.19.0 to 7.19.21
                   Confluence Data Center and Server 7.20.0 to 7.20.3
                   Confluence Data Center and Server 8.0.0 to 8.0.4
                   Confluence Data Center and Server 8.1.0 to 8.1.4
                   Confluence Data Center and Server 8.2.0 to 8.2.3
                   Confluence Data Center and Server 8.3.0 to 8.3.4
                   Confluence Data Center and Server 8.4.0 to 8.4.5
                   Confluence Data Center and Server 8.5.0 to 8.5.8
                   Confluence Data Center and Server 8.6.0 to 8.6.2
                   Confluence Data Center and Server 8.7.0 to 8.7.2
                   Confluence Data Center and Server 8.8.0 to 8.8.1
                   Confluence Data Center and Server 8.9.0

Description:

Confluence is a team collaboration software written in Java and mainly used in corporate environments; it is developed and marketed by Atlassian.

Confluence is affected by a Remote Code Execution (RCE) Vulnerability. Successful exploitation of this vulnerability could allow an authenticated attacker to execute arbitrary code on the target Confluence instance.

Atlassian has released patches for multiple versions to address this issue. Customers are advised to refer to CONFSERVER-95832 for information pertaining to remediating this vulnerability.

QID 151028: Vulnerable JavaScript Library Detected – Next.js

Next.js is a flexible React framework that gives you building blocks to create fast web applications.

CVE-2024-34351: Next.js had an SSRF vulnerability in Server Actions where modifying the Host header allowed attackers to make requests appear to come from the server. The issue affects self-hosted setups using Server Actions with redirects to relative paths starting with /, and is fixed in Next.js 14.1.1.

CVE-2024-34350: Prior to 13.5.1, an inconsistent interpretation of a crafted HTTP request meant that requests were treated both as a single request and as two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions. For a request to be exploitable, the affected route also had to make use of the rewrites feature in Next.js (https://nextjs.org/docs/app/api-reference/next-config-js/rewrites). The vulnerability is resolved in Next.js 13.5.1 and newer.

QID 154156: WordPress Core Stored Cross-Site Scripting Vulnerability (CVE-2024-4439)

CVE-ID: CVE-2024-4439
Severity: Level 3
CVSS 3.1: 7.2
CWE-ID: 79
Affected Versions: WordPress from 6.0 to 6.0.7
                   WordPress from 6.1 to 6.1.5
                   WordPress from 6.2 to 6.2.4
                   WordPress from 6.3 to 6.3.3
                   WordPress from 6.4 to 6.4.3
                   WordPress from 6.5 to 6.5.1

Description:

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database.

WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. In addition, it also makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that have the comment block present and display the comment author’s avatar.

Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary HTML and script code into a user’s browser.

Customers are advised to upgrade to 6.0.8, 6.1.6, 6.2.5, 6.3.4, 6.4.4, 6.5.2, or the latest version of WordPress to remediate these vulnerabilities. For more information regarding these vulnerabilities, please visit WordPress.

QID 520016: Open Secure Sockets Layer (OpenSSL) Uncontrolled Resource Consumption (CVE-2024-2511)

CVE-ID: CVE-2024-2511
Severity: Level 2
CVSS 3.1: 3.7
CWE-ID: 400
Affected Versions: OpenSSL 3.2, 3.1, 3.0, 1.1.1

Description:

OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping and identify the party at the other end.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption (‘Resource Exhaustion’) due to the session cache entering an incorrect state and failing to flush properly as it fills, leading to uncontrolled memory consumption. This condition is triggered under certain server configurations when processing TLSv1.3 sessions. Specifically, this occurs if the non-default SSL_OP_NO_TICKET option is enabled, but not if early_data support is configured along with the default anti-replay protection. A malicious client could deliberately create this scenario to force a service disruption. It may also occur accidentally in normal operation. 

This issue is only exploitable if the server supports TLSv1.3 and is configured with the SSL_OP_NO_TICKET option enabled.

An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service. The vendor has released a patch to address these vulnerabilities. Customers are advised to refer to OpenSSL Security Advisory for more information pertaining to these vulnerabilities.

QID 520017: Tinyproxy HTTP Connection Headers Use After Free Vulnerability (CVE-2023-49606)

CVE-ID: CVE-2023-49606
Severity: Level 5
CVSS 3.1: 9.8
CWE-ID: 416
Affected Versions: Tinyproxy version 1.11.1
                   Tinyproxy version 1.10.0

Description:

Tinyproxy is a lightweight HTTP/HTTPS proxy daemon for POSIX operating systems.

A use-after-free vulnerability exists in the HTTP Connection Headers parsing. A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability.

Successful exploitation of the vulnerability may result in memory corruption and could lead to remote code execution. There are no patches for the vulnerability. Customers are advised to disable the tinyproxy service. For more information regarding the vulnerability, please refer to TALOS-2023-1889.
