Web Application Detections—February 2025

In February, Qualys Web Application Scanning released QIDs targeting vulnerabilities in several widely used software products and frameworks, including Bootstrap, CKEditor, DOMPurify, jQuery, SeaCMS, Cacti, WordPress, Devika AI, YesWiki, YouDian CMS, Zimbra, Ollama, Adobe Magento, Roundcube Webmail, Flowise, Cockpit, ClassCMS, LiteLLM, Nginx UI, Backdrop CMS, Prometheus, Apache Ambari, Ivanti Cloud Services Application (CSA), Ivanti Connect Secure (ICS), GraphQL, Fortinet FortiOS, GitLab CE/EE, Progress Telerik Report Server, Trimble Cityworks, JetBrains TeamCity, Palo Alto Networks PAN-OS, Werkzeug, Apache OFBiz, Kibana, XWiki, Craft CMS, and Mattermost.

The following table lists the QIDs released in February 2025.

QID Title
151043 Bootstrap Cross-Site Scripting (XSS) Vulnerability (CVE-2024-6485)
151044 Bootstrap Cross-Site Scripting (XSS) Vulnerability (CVE-2024-6484)
151045 CKEditor Cross-Site Scripting (XSS) Vulnerability (CVE-2024-43407)
151046 CKEditor Cross-Site Scripting (XSS) Vulnerability (CVE-2024-43411)
151047 CKEditor Cross-Site Scripting (XSS) Vulnerability (CVE-2024-24815)
151048 CKEditor Cross-Site Scripting (XSS) Vulnerability (CVE-2024-24816)
151049 DOMPurify Prototype Pollution Vulnerability (CVE-2024-48910)
151050 DOMPurify Cross-Site Scripting (XSS) Vulnerability (CVE-2024-47875)
151051 jQuery Cross-Site Scripting (XSS) Vulnerability (CVE-2020-11023)
152687 SeaCMS Incorrect Access Control Vulnerability (CVE-2024-54879)
152697 Cacti Remote Code Execution (RCE) Vulnerabilities (CVE-2025-22604,CVE-2025-24367)
152698 Cacti SQL Injection Vulnerabilities (CVE-2024-54145,CVE-2024-54146)
152699 Cacti SQL Injection Vulnerability (CVE-2025-24368)
152700 Cacti Local File Inclusion (LFI) Vulnerability (CVE-2024-45598)
152701 WordPress Premium Packages Plugin: SQL Injection Vulnerability (CVE-2025-24659)
152702 WordPress Shipping for Nova Poshta Plugin: SQL Injection Vulnerability (CVE-2025-24612)
152703 Devika AI Local File Inclusion (LFI) Vulnerability (CVE-2024-5334)
152704 WordPress iControlWP Plugin: PHP Object Injection Vulnerability (CVE-2024-13742)
152705 YesWiki DOM-based Cross-site Scripting (XSS) Vulnerability (CVE-2025-24017)
152706 WordPress WooCommerce Wishlist Plugin: Insecure Direct Object Reference Vulnerability (CVE-2024-13694)
152707 Devika AI Path Traversal Vulnerability (CVE-2024-40422)
152708 WordPress Bulk Me Now Plugin: Reflected Cross Site Scripting Vulnerability (CVE-2024-12638)
152709 WordPress Flexible Wishlist for WooCommerce Plugin: Stored Cross Site Scripting Vulnerability (CVE-2024-13696)
152710 WordPress Single-user-chat Plugin: Unauthorized Modification of Data Vulnerability (CVE-2024-13646)
152711 WordPress MWB HubSpot for WooCommerce Plugin: Unauthorized Modification of Data Vulnerability (CVE-2024-10591)
152712 YouDian CMS Session ID Privilege Escalation Vulnerability (CVE-2024-57052)
152713 Zimbra SQL Injection Vulnerability (CVE-2025-25064)
152714 Zimbra Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-25065)
152715 WordPress MultiVendorX Plugin: Local File Inclusion Vulnerability (CVE-2025-0493)
152716 Ollama Multiple Denial of Service Vulnerabilities
152717 WordPress JupiterX Core Plugin: Local File Inclusion Vulnerability (CVE-2025-0366)
152718 Adobe Magento Server-Side Request Forgery (SSRF) Vulnerability (CVE-2024-49521)
152719 WordPress ELEX WordPress HelpDesk and Customer Ticketing System Plugin: Privilege Escalation Vulnerability (CVE-2024-12171)
152720 Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability (CVE-2024-57004)
152721 WordPress Post/Page Copying Tool Plugin: Code Injection Vulnerability (CVE-2025-24677)
152722 Flowise Authentication Bypass vulnerability (CVE-2024-8181)
152723 Cockpit – Content Platform Arbitrary File Upload Vulnerability (CVE-2025-1025)
152724 WordPress VikBooking Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-11641)
152725 WordPress WP Image Uploader Plugin: Arbitrary File Deletion Vulnerability (CVE-2024-13720)
152726 WordPress WP Image Uploader Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-13707)
152728 ClassCMS Code Execution Vulnerability (CVE-2024-57099)
152729 Ollama Model Detected
152730 LiteLLM Information Disclosure Vulnerability (CVE-2025-0330)
152731 WordPress Taxi Booking Manager for WooCommerce Plugin: PHP Object Injection Vulnerability (CVE-2025-24661)
152732 Nginx UI Arbitrary Command Execution Vulnerability (CVE-2024-49368)
152733 WordPress Contact Manager Plugin: Arbitrary File Upload Vulnerability (CVE-2025-1028)
152734 Backdrop CMS Stored Cross-Site-Scripting (XSS) Vulnerability (CVE-2025-25062)
152735 Backdrop CMS SVG Cross-Site-Scripting (XSS) Vulnerability (CVE-2025-25063)
152736 Prometheus Metrics Detected
152737 Prometheus Config Detected
152738 Prometheus Targets Detected
152739 Prometheus Flags Detected
152740 WordPress Solidres – Hotel Booking Plugin: Reflected Cross-Site Scripting Vulnerability (CVE-2024-13329)
152741 WordPress Justrows Free Plugin: Reflected Cross-Site Scripting Vulnerability (CVE-2024-13330)
152742 Apache Ambari Remote Code Injection Vulnerability (CVE-2024-51941)
152743 Apache Ambari XML External Entity (XXE) Vulnerability (CVE-2025-23195)
152744 Ivanti Cloud Services Application (CSA) OS Command Injection Vulnerability (CVE-2024-47908)
152745 Ivanti Cloud Services Application (CSA) Path Traversal Vulnerability (CVE-2024-11771)
152746 Adobe Magento Multiple Vulnerabilities (APSB25-08)
152747 Ivanti Connect Secure (ICS) Arbitrary File Write Vulnerability (CVE-2024-38657)
152748 Ivanti Connect Secure (ICS) Stack-based Buffer Overflow Vulnerability (CVE-2025-22467)
152749 Ivanti Connect Secure (ICS) Code injection Vulnerability (CVE-2024-10644)
152750 GraphQL Field Suggestions
152751 Fortinet FortiOS Authentication Bypass Vulnerability (CVE-2025-24472)
152752 Ivanti Connect Secure (ICS) Arbitrary File Read Vulnerability (CVE-2024-12058)
152756 WordPress All-Images.ai Plugin: Arbitrary File Upload Vulnerability (CVE-2024-13714)
152757 GitLab CE/EE Unauthorized Pipeline Triggering Vulnerability (CVE-2024-7102)
152758 GitLab CE/EE Cross-Site Scripting (XSS) Vulnerability (CVE-2025-0376)
152760 Progress Telerik Report Server Cleartext Transmission of Sensitive Information Vulnerability (CVE-2025-0556)
152761 Ivanti Connect Secure (ICS) Reflected XSS Vulnerability (CVE-2024-13830)
152762 Ivanti Connect Secure (ICS) Hardcoded Key Vulnerability (CVE-2024-13842)
152763 Ivanti Connect Secure (ICS) Sensitive Information Disclosure Vulnerability (CVE-2024-13843)
152764 WordPress Security and Malware scan by CleanTalk Plugin: Arbitrary File Upload Vulnerability (CVE-2024-13365)
152765 GitLab CE/EE Denial of Service (DoS) Vulnerability (CVE-2024-9631)
152766 Trimble Cityworks Insecure Deserialization Vulnerability (CVE-2025-0994)
152767 WordPress Brizy – Page Builder Plugin: Arbitrary File Upload Vulnerability (CVE-2024-10960)
152768 WordPress Keap Official Opt-in Forms Plugin: Local File Inclusion Vulnerability (CVE-2024-13725)
152769 WordPress Option Editor Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-13852)
152770 WordPress LTL Freight Quotes – FreightQuote Edition Plugin: SQL Injection Vulnerability (CVE-2025-22290)
152771 JetBrains TeamCity Sensitive Resource Exposure Vulnerability (CVE-2025-26492)
152772 JetBrains TeamCity DOM-based Cross-Site Scripting (XSS) Vulnerability (CVE-2025-26493)
152773 WordPress Shared Files Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-13504)
152774 WordPress Permalink Finder Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2025-0809)
152775 Palo Alto Networks PAN-OS Authentication Bypass Vulnerability (CVE-2025-0108)
152776 Werkzeug Remote Code Execution (RCE) Vulnerability (CVE-2024-34069)
152777 Werkzeug Path Traversal Vulnerability (CVE-2024-49766)
152778 Werkzeug File Parsing Resource Exhaustion Vulnerability (CVE-2024-49767)
152779 Apache OFBiz Forced Browsing Vulnerability (CVE-2024-45195)
152780 Kibana Server-Side Request Forgery Vulnerability (CVE-2024-43710)
152781 Kibana Server-Side Request Forgery Vulnerability (CVE-2024-43707)
152782 XWiki Remote Code Execution (RCE) Vulnerability (CVE-2025-24893)
152783 Craft CMS Remote Code Execution (RCE) Vulnerability (CVE-2025-23209)
152784 Mattermost Multiple Path Traversal Vulnerabilities (CVE-2025-25279,CVE-2025-20051)
152785 Mattermost SQL Injection Vulnerability (CVE-2025-24490)
152787 WordPress Simplified Plugin: Arbitrary File Upload Vulnerability (CVE-2025-22654)
152788 Apache Ambari Code Injection Vulnerability (CVE-2025-23196)
152790 WordPress Ravpage Plugin: PHP Object Injection Vulnerability (CVE-2024-13789)
152792 WordPress Responsive Addons for Elementor Plugin: Local File Inclusion Vulnerability (CVE-2024-13353)
152793 WordPress GetBookingsWp Plugin: Privilege Escalation Vulnerability (CVE-2024-13677)

Qualys Notification Link: Web Application Detections Published in February 2025