Web Application Detections—December 2024
In December, Qualys released QIDs targeting vulnerabilities in several widely used software products, including Adobe ColdFusion, Adobe Connect, Apache Airflow, Apache Heartbeat, Apache HugeGraph, Apache Kylin, Apache Nifi, Apache Ozone, Apache Struts, Apache Superset, Apache Tomcat, Atlassian Confluence, BoidCMS, Cambium Networks cnMaestro, ChurchCRM, Cleo, ClipBucket V5, Drupal, GitLab, Ivanti CSA, Ivanti ICS, Ivanti IPS, JetBrains YouTrack, Liferay, Metabase, Mitel MiCollab, Moodle, OpenSSL, OpenWebUI, Pandora FMS, PHP, ProjectSend, SolarWinds Web Help Desk, Splunk Secure Gateway, SuiteCRM, Traefik, Trellix Enterprise Security Manager, Veeam Service Provider Console, Webmin, Winter CMS, WordPress, XWiki, ZenML.
The following table lists the new QIDs released in December 2024.
| QID | Title |
|---|---|
| 152462 | ProjectSend Improper Authorization Vulnerability (CVE-2024-11680) |
| 152463 | WordPress Total Upkeep Plugin: Remote Code Execution Vulnerability (CVE-2024-9461) |
| 152464 | WordPress Widget and Block Control Plugin: Remote Code Execution Vulnerability (CVE-2024-8672) |
| 152465 | Traefik Open Redirect Vulnerability (CVE-2024-52003) |
| 152466 | Apache Kylin Session Fixation Vulnerability (CVE-2024-23590) |
| 152467 | Atlassian Confluence Data Center and Server Security Misconfiguration Vulnerability (CVE-2024-21703) |
| 152468 | Apache Nifi Cross-site Scripting Vulnerability (CVE-2024-45477) |
| 152469 | WordPress My Geo Posts Free Plugin: PHP Object Injection Vulnerability (CVE-2024-52433) |
| 152470 | WordPress AJAX Random Posts Plugin: PHP Object Injection Vulnerability (CVE-2024-52409) |
| 152471 | Metabase Remote Code Execution (RCE) Vulnerability (CVE-2023-38646) |
| 152472 | WordPress B-Banner Slider Plugin: Arbitrary File Upload Vulnerability (CVE-2024-52405) |
| 152473 | GitLab CE/EE Privilege Escalation Vulnerability (CVE-2024-8114) |
| 152474 | GitLab CE/EE Denial of Service Vulnerability (CVE-2024-11828) |
| 152475 | WordPress Popup by Supsystic Plugin: Code Injection Vulnerability (CVE-2024-52434) |
| 152476 | Trellix Enterprise Security Manager Path Traversal Vulnerability (CVE-2024-11481) |
| 152477 | Trellix Enterprise Security Manager Command Injection Vulnerability (CVE-2024-11482) |
| 152478 | WordPress BasePress Migration Tools Plugin: Arbitrary File Upload Vulnerability (CVE-2024-52407) |
| 152479 | SuiteCRM SQL Injection Vulnerability (CVE-2024-36412) |
| 152480 | Apache Kylin Console – Default Login |
| 152481 | Pandora FMS Remote Code Execution (RCE) Vulnerability (CVE-2024-11320) |
| 152482 | Veeam Service Provider Console Remote Code Execution (RCE) Vulnerability (CVE-2024-42448) |
| 152483 | Veeam Service Provider Console Information Disclosure Vulnerability (CVE-2024-42449) |
| 152484 | BoidCMS Cross-site Scripting (XSS) Vulnerability (CVE-2024-53255) |
| 152485 | Apache Ozone Improper Authentication Vulnerability (CVE-2024-45106) |
| 152486 | Apache Airflow Sensitive Information Disclosure Vulnerability (CVE-2024-45784) |
| 152487 | ZenML Account Takeover Vulnerability (CVE-2024-4311) |
| 152488 | Open WebUI Insecure Direct Object Reference Vulnerability (CVE-2024-7048) |
| 152490 | WordPress Chartify Plugin: Local File Inclusion Vulnerability (CVE-2024-10571) |
| 152491 | WordPress UserPro Plugin: Unauthorized Access of Data Vulnerability (CVE-2023-2448) |
| 152492 | JetBrains YouTrack Path Traversal Vulnerability (CVE-2024-54154) |
| 152493 | JetBrains YouTrack Prototype Pollution Vulnerability (CVE-2024-54156) |
| 152494 | JetBrains YouTrack Regular Expression Denial of Service (ReDoS) Vulnerability (CVE-2024-54157) |
| 152495 | JetBrains YouTrack Unauthorized Data Access Vulnerabilities (CVE-2024-54153, CVE-2024-54155) |
| 152496 | JetBrains YouTrack Punycode Encoding Spoofing Vulnerability (CVE-2024-54158) |
| 152497 | WordPress Beaver Builder – Page Builder Plugin: DOM-Based Reflected Cross-Site Scripting Vulnerability (CVE-2024-1038) |
| 152498 | ChurchCRM SQL Injection Vulnerability (CVE-2024-53438) |
| 152499 | Moodle Lesson Activity Password Bypass Vulnerability (CVE-2024-45691) |
| 152500 | Moodle Dynamic Tables Information Disclosure Vulnerability (CVE-2024-45689) |
| 152501 | Moodle Insecure Direct Object Reference (IDOR) Vulnerability (CVE-2024-48899) |
| 152502 | Mitel MiCollab Authentication Bypass Vulnerability (CVE-2024-41713) |
| 152503 | WordPress Post Grid Gutenberg Blocks and WordPress Blog Plugin: Missing Authorization Vulnerability (CVE-2024-10728) |
| 152504 | Apache Superset SQL Injection Vulnerability (CVE-2024-53947) |
| 152505 | Apache Superset Sensitive Information Disclosure Vulnerability (CVE-2024-53948) |
| 152506 | Apache Superset Improper Authorization Vulnerability (CVE-2024-53949) |
| 152507 | WordPress Kaswara Modern VC Addons Plugin: Arbitrary File Upload Vulnerability (CVE-2024-24284) |
| 152508 | SolarWinds Web Help Desk Local File Read Vulnerability (CVE-2024-45709) |
| 152509 | Splunk Secure Gateway Deserialization of Untrusted Data Vulnerability (CVE-2024-53247) |
| 152510 | Cambium Networks cnMaestro SQL Injection Vulnerability (CVE-2022-1361) |
| 152511 | WordPress GamiPress Plugin: Arbitrary Shortcode Execution Vulnerability (CVE-2024-11036) |
| 152512 | WordPress WP Umbrella Plugin: Local File Inclusion Vulnerability (CVE-2024-12209) |
| 152513 | Ivanti Cloud Services Application (CSA) Authentication Bypass Vulnerability (CVE-2024-11639) |
| 152514 | Ivanti Cloud Services Application (CSA) Command Injection Vulnerability (CVE-2024-11772) |
| 152515 | Ivanti Cloud Services Application (CSA) SQL Injection Vulnerability (CVE-2024-11773) |
| 152516 | Adobe Connect Multiple Cross-site Scripting Vulnerabilities (APSB24-99) |
| 152517 | WordPress SV100 Companion Plugin: Unauthorized Modification of Data Vulnerability (CVE-2024-12155) |
| 152518 | WordPress WPForms Plugin: Unauthorized Modification of Data Vulnerability (CVE-2024-11205) |
| 152519 | WordPress AI Quiz Plugin: Unauthorized Modification of Data Vulnerability (CVE-2024-11323) |
| 152520 | WordPress Sign In With Google Plugin: Authentication Bypass Vulnerability (CVE-2024-11015) |
| 152521 | XWiki Incorrect Authorization Vulnerability (CVE-2024-55662) |
| 152522 | XWiki Code Injection Vulnerability (CVE-2024-55877) |
| 152523 | Apache Superset Improper Authorization Vulnerability (CVE-2024-55633) |
| 152524 | WordPress Gallery Plugin: PHP Object Injection Vulnerability (CVE-2024-11501) |
| 152525 | WordPress Import Export for WooCommerce Plugin: Arbitrary File Upload Vulnerability (CVE-2024-54262) |
| 152526 | WordPress Vayu Blocks Plugin: Missing Authorization Vulnerability (CVE-2024-10124) |
| 152527 | WordPress Funnelforms Plugin: PHP Object Injection Vulnerability (CVE-2024-10587) |
| 152528 | Apache Struts2 Remote Code Execution (RCE) Vulnerability (CVE-2024-53677) (Intrusive Check) |
| 152529 | Cleo Products Remote Code Execution (RCE) Vulnerability (CVE-2024-50623) |
| 152530 | Cleo Products Remote Code Execution (RCE) Vulnerability (CVE-2024-55956) |
| 152531 | ClipBucket V5 PHP Deserialization Vulnerability (CVE-2024-54135) |
| 152532 | ClipBucket V5 PHP Deserialization Vulnerability (CVE-2024-54136) |
| 152533 | WordPress Video and Photo Gallery for Ultimate Member Plugin: Arbitrary File Upload Vulnerability (CVE-2024-54370) |
| 152534 | WordPress de:branding Plugin: Unauthorized Modification of Data Vulnerability (CVE-2024-11443) |
| 152535 | WordPress Print Science Designer Plugin: PHP Object Injection Vulnerability (CVE-2024-12312) |
| 152536 | Apache Tomcat Remote Code Execution (RCE) Vulnerability (CVE-2024-50379) |
| 152537 | Apache Tomcat Denial of Service (DoS) Vulnerability (CVE-2024-54677) |
| 152539 | Apache Tomcat Remote Code Execution (RCE) Vulnerability (CVE-2024-56337) |
| 152540 | Apache HertzBeat SQL Injection Vulnerability (CVE-2024-42361) |
| 152541 | WordPress Beaver Builder – Page Builder Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-0896) |
| 152542 | WordPress Beaver Builder – Page Builder Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-0897) |
| 152543 | WordPress Collapsing Categories Plugin: SQL Injection Vulnerability (CVE-2024-12025) |
| 152544 | WordPress RepairBuddy Plugin: Missing Authorization Vulnerability (CVE-2024-12259) |
| 152545 | WordPress WPC Shop as a Customer Plugin: Authentication Bypass Vulnerability (CVE-2024-12432) |
| 152546 | Ivanti Connect Secure (ICS) Argument Injection Vulnerability (CVE-2024-11633) |
| 152547 | Ivanti Connect Secure (ICS) Command Injection Vulnerability (CVE-2024-11634) |
| 152548 | Ivanti Policy Secure (IPS) Command Injection Vulnerability (CVE-2024-11634) |
| 152549 | WordPress Affiliate-Toolkit Plugin: Unauthorized Access Vulnerability (CVE-2024-1851) |
| 152550 | WinterCMS Modules Twig Sandbox Bypass Vulnerability (CVE-2024-54149) |
| 152551 | WordPress eCommerce Product Catalog Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-12771) |
| 152552 | WordPress SMSA Shipping Plugin: Arbitrary File Deletion Vulnerability (CVE-2024-12066) |
| 152553 | WordPress AutomatorWP Plugin: Reflected Cross-Site Scripting Vulnerability (CVE-2024-12626) |
| 152554 | WordPress Beaver Builder – Page Builder Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-3923) |
| 152555 | WordPress Flexible Woocommerce Checkout Field Editor Plugin: Missing Authorization Vulnerability (CVE-2023-49817) |
| 152556 | WordPress Store Locator Plugin: Reflected Cross-Site Scripting Vulnerability (CVE-2024-12571) |
| 152557 | WordPress Duplicator – Backups and Migration Plugin: Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2023-51681) |
| 152558 | Adobe ColdFusion Path Traversal Vulnerability (CVE-2024-53961) |
| 152559 | WordPress WP Job Portal Plugin: SQL Injection Vulnerability (CVE-2024-11711) |
| 152560 | WordPress Fluent Forms Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-10646) |
| 152561 | Apache HugeGraph-Server Authentication Bypass Vulnerability (CVE-2024-43441) |
| 154167 | Drupal PHP Object Injection vulnerability (CVE-2024-55637) |
| 154168 | Drupal PHP Object Injection vulnerability (CVE-2024-55638) |
| 154169 | Drupal Denial of Service vulnerability (CVE-2024-11941) |
| 520036 | PHP Out-of-bounds Write Vulnerability (CVE-2024-11236) |
| 520037 | PHP CRLF Injection Vulnerability (CVE-2024-11234) |
| 520038 | Open Secure Sockets Layer (OpenSSL) Use After Free Vulnerability (CVE-2024-4741) |
| 520039 | Liferay Portal Incorrect Authorization Vulnerability (CVE-2024-38002) |
| 520040 | Liferay Portal Cross-site request forgery (CSRF) Vulnerability (CVE-2024-26273) |
| 520041 | Liferay Portal Cross-site request forgery (CSRF) Vulnerability (CVE-2024-26272) |
| 520042 | Open Secure Sockets Layer (OpenSSL) Buffer Overread Vulnerability (CVE-2024-5535) |
| 520043 | Webmin Privilege Escalation Vulnerability (CVE-2024-12828) |
Qualys Notification Link: Web Application Detections Published in December 2024