Web Application Detections—February 2025
In February, Qualys Web Application Scanning released QIDs targeting vulnerabilities in several widely used software products and frameworks, including, Bootstrap, CKEditor, DOMPurify, jQuery, SeaCMS, Cacti, WordPress, Devika AI, YesWiki, YouDian CMS, Zimbra, Ollama, Adobe Magento, Roundcube Webmail, Flowise, Cockpit, ClassCMS, LiteLLM, Nginx UI, Backdrop CMS, Prometheus, Apache Ambari, Ivanti Cloud Services Application (CSA), Ivanti Connect Secure (ICS), GraphQL, Fortinet FortiOS, GitLab CE/EE, Progress Telerik Report Server, Trimble Cityworks, JetBrains TeamCity, Palo Alto Networks PAN-OS, Werkzeug, Apache OFBiz, Kibana, XWiki, Craft CMS, Mattermost.
The following table lists the QIDs released in February 2025.
| QID | Title |
|---|---|
| 151043 | Bootstrap Cross-Site Scripting (XSS) Vulnerability (CVE-2024-6485) |
| 151044 | Bootstrap Cross-Site Scripting (XSS) Vulnerability (CVE-2024-6484) |
| 151045 | CKEditor Cross-Site Scripting (XSS) Vulnerability (CVE-2024-43407) |
| 151046 | CKEditor Cross-Site Scripting (XSS) Vulnerability (CVE-2024-43411) |
| 151047 | CKEditor Cross-Site Scripting (XSS) Vulnerability (CVE-2024-24815) |
| 151048 | CKEditor Cross-Site Scripting (XSS) Vulnerability (CVE-2024-24816) |
| 151049 | DOMPurify Prototype Pollution Vulnerability (CVE-2024-48910) |
| 151050 | DOMPurify Cross-Site Scripting (XSS) Vulnerability (CVE-2024-47875) |
| 151051 | jQuery Cross-Site Scripting (XSS) Vulnerability (CVE-2020-11023) |
| 152687 | SeaCMS Incorrect Access Control Vulnerability (CVE-2024-54879) |
| 152697 | Cacti Remote Code Execution (RCE) Vulnerabilities (CVE-2025-22604,CVE-2025-24367) |
| 152698 | Cacti SQL Injection Vulnerabilities (CVE-2024-54145,CVE-2024-54146) |
| 152699 | Cacti SQL Injection Vulnerability (CVE-2025-24368) |
| 152700 | Cacti Local File Inclusion (LFI) Vulnerability (CVE-2024-45598) |
| 152701 | WordPress Premium Packages Plugin: SQL Injection Vulnerability (CVE-2025-24659) |
| 152702 | WordPress Shipping for Nova Poshta Plugin: SQL Injection Vulnerability (CVE-2025-24612) |
| 152703 | Devika AI Local File Inclusion (LFI) Vulnerability (CVE-2024-5334) |
| 152704 | WordPress iControlWP Plugin: PHP Object Injection Vulnerability (CVE-2024-13742) |
| 152705 | YesWiki DOM-based Cross-site Scripting (XSS) Vulnerability (CVE-2025-24017) |
| 152706 | WordPress WooCommerce Wishlist Plugin: Insecure Direct Object Reference Vulnerability (CVE-2024-13694) |
| 152707 | Devika AI Path Traversal Vulnerability (CVE-2024-40422) |
| 152708 | WordPress Bulk Me Now Plugin: Reflected Cross Site Scripting Vulnerability (CVE-2024-12638) |
| 152709 | WordPress Flexible Wishlist for WooCommerce Plugin: Stored Cross Site Scripting Vulnerability (CVE-2024-13696) |
| 152710 | WordPress Single-user-chat Plugin: Unauthorized Modification of Data Vulnerability (CVE-2024-13646) |
| 152711 | WordPress MWB HubSpot for WooCommerce Plugin: Unauthorized Modification of Data Vulnerability (CVE-2024-10591) |
| 152712 | YouDian CMS Session ID Privilege Escalation Vulnerability (CVE-2024-57052) |
| 152713 | Zimbra SQL Injection Vulnerability (CVE-2025-25064) |
| 152714 | Zimbra Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-25065) |
| 152715 | WordPress MultiVendorX Plugin: Local File Inclusion Vulnerability (CVE-2025-0493) |
| 152716 | Ollama Multiple Denial of Service Vulnerabilities |
| 152717 | WordPress JupiterX Core Plugin: Local File Inclusion Vulnerability (CVE-2025-0366) |
| 152718 | Adobe Magento Server-Side Request Forgery (SSRF) Vulnerability (CVE-2024-49521) |
| 152719 | WordPress ELEX WordPress HelpDesk and Customer Ticketing System Plugin: Privilege Escalation Vulnerability (CVE-2024-12171) |
| 152720 | Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability (CVE-2024-57004) |
| 152721 | WordPress Post/Page Copying Tool Plugin: Code Injection Vulnerability (CVE-2025-24677) |
| 152722 | Flowise Authentication Bypass vulnerability (CVE-2024-8181) |
| 152723 | Cockpit – Content Platform Arbitrary File Upload Vulnerability (CVE-2025-1025) |
| 152724 | WordPress VikBooking Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-11641) |
| 152725 | WordPress WP Image Uploader Plugin: Arbitrary File Deletion Vulnerability (CVE-2024-13720) |
| 152726 | WordPress WP Image Uploader Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-13707) |
| 152728 | ClassCMS Code Execution Vulnerability (CVE-2024-57099) |
| 152729 | Ollama Model Detected |
| 152730 | LiteLLM Information Disclosure Vulnerability (CVE-2025-0330) |
| 152731 | WordPress Taxi Booking Manager for WooCommerce Plugin: PHP Object Injection Vulnerability (CVE-2025-24661) |
| 152732 | Nginx UI Arbitrary Command Execution Vulnerability (CVE-2024-49368) |
| 152733 | WordPress Contact Manager Plugin: Arbitrary File Upload Vulnerability (CVE-2025-1028) |
| 152734 | Backdrop CMS Stored Cross-Site-Scripting (XSS) Vulnerability (CVE-2025-25062) |
| 152735 | Backdrop CMS SVG Cross-Site-Scripting (XSS) Vulnerability (CVE-2025-25063) |
| 152736 | Prometheus Metrics Detected |
| 152737 | Prometheus Config Detected |
| 152738 | Prometheus Targets Detected |
| 152739 | Prometheus Flags Detected |
| 152740 | WordPress Solidres – Hotel Booking Plugin: Reflected Cross-Site Scripting Vulnerability (CVE-2024-13329) |
| 152741 | WordPress Justrows Free Plugin: Reflected Cross-Site Scripting Vulnerability (CVE-2024-13330) |
| 152742 | Apache Ambari Remote Code Injection Vulnerability (CVE-2024-51941) |
| 152743 | Apache Ambari XML External Entity (XXE) Vulnerability (CVE-2025-23195) |
| 152744 | Ivanti Cloud Services Application (CSA) OS Command Injection Vulnerability (CVE-2024-47908) |
| 152745 | Ivanti Cloud Services Application (CSA) Path Traversal Vulnerability (CVE-2024-11771) |
| 152746 | Adobe Magento Multiple Vulnerabilities (APSB25-08) |
| 152747 | Ivanti Connect Secure (ICS) Arbitrary File Write Vulnerability (CVE-2024-38657) |
| 152748 | Ivanti Connect Secure (ICS) Stack-based Buffer Overflow Vulnerability (CVE-2025-22467) |
| 152749 | Ivanti Connect Secure (ICS) Code injection Vulnerability (CVE-2024-10644) |
| 152750 | GraphQL Field Suggestions |
| 152751 | Fortinet FortiOS Authentication Bypass Vulnerability (CVE-2025-24472) |
| 152752 | Ivanti Connect Secure (ICS) Arbitrary File Read Vulnerability (CVE-2024-12058) |
| 152756 | WordPress All-Images.ai Plugin: Arbitrary File Upload Vulnerability (CVE-2024-13714) |
| 152757 | GitLab CE/EE Unauthorized Pipeline Triggering Vulnerability (CVE-2024-7102) |
| 152758 | GitLab CE/EE Cross-Site Scripting (XSS) Vulnerability (CVE-2025-0376) |
| 152760 | Progress Telerik Report Server Cleartext Transmission of Sensitive Information Vulnerability (CVE-2025-0556) |
| 152761 | Ivanti Connect Secure (ICS) Reflected XSS Vulnerability (CVE-2024-13830) |
| 152762 | Ivanti Connect Secure (ICS) Hardcoded Key Vulnerability (CVE-2024-13842) |
| 152763 | Ivanti Connect Secure (ICS) Sensitive Information Disclosure Vulnerability (CVE-2024-13843) |
| 152764 | WordPress Security and Malware scan by CleanTalk Plugin: Arbitrary File Upload Vulnerability (CVE-2024-13365) |
| 152765 | GitLab CE/EE Denial of Service (DoS) Vulnerability (CVE-2024-9631) |
| 152766 | Trimble Cityworks Insecure Deserialization Vulnerability (CVE-2025-0994) |
| 152767 | WordPress Brizy – Page Builder Plugin: Arbitrary File Upload Vulnerability (CVE-2024-10960) |
| 152768 | WordPress Keap Official Opt-in Forms Plugin: Local File Inclusion Vulnerability (CVE-2024-13725) |
| 152769 | WordPress Option Editor Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-13852) |
| 152770 | WordPress LTL Freight Quotes – FreightQuote Edition Plugin: SQL Injection Vulnerability (CVE-2025-22290) |
| 152771 | JetBrains TeamCity Sensitive Resource Exposure Vulnerability (CVE-2025-26492) |
| 152772 | JetBrains TeamCity DOM-based Cross-Site Scripting (XSS) Vulnerability (CVE-2025-26493) |
| 152773 | WordPress Shared Files Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-13504) |
| 152774 | WordPress Permalink Finder Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2025-0809) |
| 152775 | Palo Alto Networks PAN-OS Authentication Bypass Vulnerability (CVE-2025-0108) |
| 152776 | Werkzeug Remote Code Execution (RCE) Vulnerability (CVE-2024-34069) |
| 152777 | Werkzeug Path Traversal Vulnerability (CVE-2024-49766) |
| 152778 | Werkzeug File Parsing Resource Exhaustion Vulnerability (CVE-2024-49767) |
| 152779 | Apache OFBiz Forced Browsing Vulnerability (CVE-2024-45195) |
| 152780 | Kibana Server-Side Request Forgery Vulnerability (CVE-2024-43710) |
| 152781 | Kibana Server-Side Request Forgery Vulnerability (CVE-2024-43707) |
| 152782 | XWiki Remote Code Execution (RCE) Vulnerability (CVE-2025-24893) |
| 152783 | Craft CMS Remote Code Execution (RCE) Vulnerability (CVE-2025-23209) |
| 152784 | Mattermost Multiple Path Traversal Vulnerabilities (CVE-2025-25279,CVE-2025-20051) |
| 152785 | Mattermost SQL Injection Vulnerability (CVE-2025-24490) |
| 152787 | WordPress Simplified Plugin: Arbitrary File Upload Vulnerability (CVE-2025-22654) |
| 152788 | Apache Ambari Code Injection Vulnerability (CVE-2025-23196) |
| 152790 | WordPress Ravpage Plugin: PHP Object Injection Vulnerability (CVE-2024-13789) |
| 152792 | WordPress Responsive Addons for Elementor Plugin: Local File Inclusion Vulnerability (CVE-2024-13353) |
| 152793 | WordPress GetBookingsWp Plugin: Privilege Escalation Vulnerability (CVE-2024-13677) |
Qualys Notification Link: Web Application Detections Published in February 2025