Web Application Detections—September 2024
In September, Qualys released QIDs targeting vulnerabilities in several widely-used software products, including WordPress, Tiki Wiki CMS, Apache HTTP Server, XWiki, Apache OFBiz, Lunary-ai, GitLab, Adobe ColdFusion, Moodle CMS, Zimbra, JBoss EAP, Kibana, Drupal, Ivanti Endpoint Manager (EPM), Apache Tomcat, Joomla!, Nginx, Open Secure Sockets Layer (OpenSSL).
The following table lists the new QIDs released in September 2024.
| QID | Title |
|---|---|
| 152148 | WordPress WPML Plugin: Remote Code Execution Vulnerability (CVE-2024-6386) |
| 152150 | WordPress Bit Form Plugin: SQL Injection Vulnerability (CVE-2024-7702) |
| 152151 | WordPress Bit Form Plugin: Arbitrary File Read And Delete Vulnerability (CVE-2024-7777) |
| 152157 | WordPress LiquidPoll Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-7134) |
| 152158 | WordPress GEO my WP Plugin: Local File Inclusion Vulnerability (CVE-2024-6330) |
| 152159 | WordPress AI Engine Plugin: Remote Code Execution Vulnerability (CVE-2024-6451) |
| 152162 | Tiki Wiki CMS Groupware PHP Object Injection Vulnerability (CVE-2023-22850) |
| 152163 | WordPress Appointment Booking Calendar and Scheduling Plugin: Authentication Bypass Vulnerability (CVE-2024-7350) |
| 152164 | WordPress Unite Gallery Lite Plugin: SQL Injection Vulnerability (CVE-2024-43207) |
| 152166 | WordPress Zephyr Project Manager Plugin: Limited Privilege Escalation Vulnerability (CVE-2024-7624) |
| 152167 | WordPress Chatbot with ChatGPT Plugin: SQL Injection Vulnerability (CVE-2024-6847) |
| 152168 | Apache HTTP Server Denial of Service Vulnerability (CVE-2024-27316) |
| 152169 | WordPress Ninja Forms Plugin: Reflected Cross-Site Scripting Vulnerability (CVE-2024-7354) |
| 152171 | XWiki Improper Privilege Management Vulnerability (CVE-2024-43401) |
| 152172 | WordPress Woffice Theme: Unauthenticated Privilege Escalation Vulnerability (CVE-2024-43153) |
| 152173 | WordPress AdRotate Plugin: Arbitrary File Upload Vulnerability (CVE-2022-1206) |
| 152174 | WordPress Theme Editor Plugin: PHAR Deserialization Vulnerability (CVE-2022-2440) |
| 152175 | WordPress Funnelforms Plugin: Arbitrary File Upload Vulnerability (CVE-2024-6311) |
| 152176 | WordPress MP3 Audio Player Plugin: Unauthorized Arbitrary File Deletion Vulnerability (CVE-2024-7856) |
| 152177 | WordPress Media Library Folders Plugin: Second Order SQL Injection Vulnerability (CVE-2024-7857) |
| 152178 | Apache OFBiz Forced Browsing Vulnerability (CVE-2024-45195) |
| 152179 | Lunary-ai Cross-Site Scripting Vulnerability (CVE-2024-5478) |
| 152180 | WordPress Clean Login Plugin: Local File Inclusion Vulnerability (CVE-2024-8252) |
| 152181 | WordPress Ultimate Store Kit Plugin: PHP Object Injection Vulnerability (CVE-2024-8030) |
| 152182 | WordPress Events Calendar Pro Plugin: PHP Object Injection Vulnerability (CVE-2024-8016) |
| 152183 | WordPress Web Directory Free Plugin: Local File Inclusion Vulnerability (CVE-2024-3673) |
| 152184 | WordPress LiteSpeed Cache Plugin: Unauthenticated Account Takeover Vulnerability (CVE-2024-44000) |
| 152185 | Tiki Wiki CMS Groupware PHP Object Injection Vulnerability (CVE-2023-22851) |
| 152186 | Tiki Wiki CMS Groupware PHP Object Injection Vulnerability (CVE-2023-22853) |
| 152187 | WordPress Attire Theme: PHP Object Injection Vulnerability (CVE-2024-7435) |
| 152188 | WordPress WP Events Manager Plugin: Time-based SQL Injection Vulnerability (CVE-2024-7717) |
| 152189 | GitLab Command Injection Vulnerability (CVE-2024-8640) |
| 152190 | GitLab Authentication Bypass Vulnerability (CVE-2024-6678) |
| 152191 | GitLab Server Side Request Forgery Vulnerability (CVE-2024-8635) |
| 152192 | GitLab Denial of Service Vulnerability (CVE-2024-8124) |
| 152193 | WordPress Adicon Server Plugin: SQL Injection Vulnerability (CVE-2024-7766) |
| 152194 | Adobe ColdFusion Improper Authentication Vulnerability (CVE-2024-45113) |
| 152195 | Adobe ColdFusion Arbitrary Code Execution Vulnerability (CVE-2024-41874) |
| 152196 | WordPress Betheme Theme: PHP Object Injection Vulnerability (CVE-2024-2694) |
| 152197 | WordPress Tutor LMS Pro Plugin: Missing Authorization Vulnerability (CVE-2024-5784) |
| 152198 | WordPress Login with Phone Number Plugin: Privilege Escalation Vulnerability (CVE-2024-6482) |
| 152199 | WordPress Stream Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-7423) |
| 152200 | WordPress Backuply Plugin: SQL Injection Vulnerability (CVE-2024-8669) |
| 152203 | WordPress BuddyForms Plugin: Privilege Escalation Vulnerability (CVE-2024-8246) |
| 152204 | WordPress FOX Currency Switcher Plugin: Arbitrary Shortcode Execution Vulnerability (CVE-2024-8271) |
| 152205 | Moodle Calculated Questions Remote Code Execution (CVE-2024-43425) |
| 152208 | WordPress TrueBooker Plugin: SQL Injection Vulnerability (CVE-2024-6924) |
| 152210 | WordPress Share This Image Plugin: Open Redirect Vulnerability (CVE-2024-8761) |
| 152211 | Zimbra Cross-Site Scripting (XSS) Vulnerability (CVE-2024-33533) |
| 152212 | Zimbra Local File Inclusion Vulnerability (CVE-2024-33535) |
| 152213 | Default Web Page for JBoss EAP |
| 152214 | WordPress MStore API Plugin: Unauthorized User Registration Vulnerability (CVE-2024-8269) |
| 152217 | WordPress Frontend Dashboard Plugin: Unauthorized Code Execution Vulnerability (CVE-2024-8268) |
| 152218 | WordPress Post Grid and Gutenberg Blocks Plugin: Privilege Escalation Vulnerability (CVE-2024-8253) |
| 152219 | WordPress Affiliate Super Assistent Plugin: Arbitrary Shortcode Execution Vulnerability (CVE-2024-8478) |
| 152220 | WordPress Slider Comparison Image Before and After Plugin: Cross-Site Scripting Vulnerability (CVE-2024-8543) |
| 152221 | WordPress Webo-facto Plugin: Privilege Escalation Vulnerability (CVE-2024-8853) |
| 152222 | WordPress LearnPress Plugin: SQL Injection Vulnerability (CVE-2024-8522) |
| 152223 | WordPress LearnPress Plugin: SQL Injection Vulnerability (CVE-2024-8529) |
| 152225 | WordPress Essential Addons for Elementor Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-8440) |
| 152226 | Kibana YAML Deserialization Vulnerability (CVE-2024-37285) |
| 152227 | Kibana YAML Deserialization Vulnerability (CVE-2024-37288) |
| 152228 | Drupal Full Path Disclosure Vulnerability (CVE-2024-45440) |
| 152229 | Ivanti Endpoint Manager (EPM) Remote Code Execution via SQL Injection Vulnerability (CVE-2024-29824) |
| 152230 | Apache Tomcat Denial of Service Vulnerability (CVE-2024-38286) |
| 152231 | WordPress BA Book Everything Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-8795) |
| 152234 | WordPress REST API TO MiniProgram Plugin: Privilege Escalation Vulnerability (CVE-2024-8485) |
| 152235 | WordPress HTML Sitemap Plugin: SQL Injection Vulnerability (CVE-2024-7385) |
| 152236 | WordPress WC Frontend Manager(WCFM) Plugin: Insecure Direct Object Reference Vulnerability (CVE-2024-8290) |
| 152237 | WordPress Meta Data and Taxonomies Filter Plugin: SQL Injection Vulnerability (CVE-2024-8624) |
| 152238 | WordPress Special Text Boxes Plugin: Arbitrary Shortcode Execution Vulnerability (CVE-2024-8481) |
| 152239 | WordPress Pixel Cat Plugin: Reflected Cross-Site Scripting Vulnerability (CVE-2024-8544) |
| 152240 | WordPress Koko Analytics Plugin: Reflected Cross-Site Scripting Vulnerability (CVE-2024-8662) |
| 152258 | Ivanti Endpoint Manager (EPM) Web Console 2.0 Detected |
| 152242 | WordPress Daily Prayer Time Plugin: SQL Injection Vulnerability (CVE-2024-8621) |
| 152243 | WordPress WP Easy Gallery Plugin: SQL Injection Vulnerability (CVE-2024-8436) |
| 152244 | WordPress Charitable Plugin: Privilege Escalation Vulnerability (CVE-2024-8791) |
| 152245 | WordPress Prisna GWT Plugin: PHP Object Injection Vulnerability (CVE-2024-8514) |
| 152246 | WordPress Events Calendar Plugin: SQL Injection Vulnerability (CVE-2024-8275) |
| 154158 | Joomla! Core Self Cross-Site Scripting Vulnerability (CVE-2024-21730) |
| 154159 | Joomla! Core Cross-Site Scripting Vulnerability (CVE-2024-21731) |
| 520029 | Nginx Buffer overread in the ngx_http_mp4_module (CVE-2024-7347) |
| 520030 | Open Secure Sockets Layer (OpenSSL) Type Confusion Vulnerability (CVE-2024-6119) |
Qualys Notification Link: Web Application Detections Published in September 2024