Web Application Detections—June 2024
In June, the Qualys Web Application Scanning (WAS) team issued a critical security signatures update. This update expands the scope to detect vulnerabilities in several widely used software applications, including WordPress, Cacti, Apache HugeGraph-Server, Check Point Security Gateway, Casgate, PHP, Apache OFBiz, Progress Telerik Report Server, SolarWinds Serv-U, JetBrains TeamCity, OpenCMS and Apache ActiveMQ.
The following table lists the new QIDs.
| QID | Title |
| --- | --- |
| 150911 | WordPress Bold Page Builder Plugin Vulnerable to Stored Cross-Site Scripting (CVE-2024-2735) |
| 150913 | WordPress Thim Elementor Kit Plugin: Stored Cross-Site Scripting (CVE-2024-4329) |
| 150914 | WordPress Spectra Pro Plugin: Privilege Escalation (CVE-2024-3828) |
| 150921 | WordPress Kognetiks Chatbot Plugin: Unauthenticated Arbitrary File Upload (CVE-2024-4329) |
| 150923 | WordPress Plugin Hotel Booking Lite: PHP Object Injection (CVE-2024-4413) |
| 150924 | WordPress Plugin Unlimited Elements For Elementor: SQL Injection (CVE-2024-3055) |
| 150925 | WordPress Plugin Unlimited Elements For Elementor: Command Injection (CVE-2024-2662) |
| 150926 | WordPress LMS Plugin: Unauthenticated Time-Based SQL Injection (CVE-2024-4434) |
| 150927 | WordPress LMS Plugin: Arbitrary File Upload Vulnerability (CVE-2024-4397) |
| 150932 | WordPress user_login Column SQL Truncation Vulnerability (CVE-2008-4106) |
| 150933 | Shortcodes WordPress Plugin Vulnerable to Stored XSS (CVE-2024-2583) |
| 150943 | Cacti Command Injection Vulnerability (CVE-2024-29895) |
| 150944 | WordPress HTML5 Video Player Plugin: Unauthenticated SQL Injection Vulnerability (CVE-2024-1061) |
| 150945 | WordPress HTML5 Video Player Plugin: Unauthenticated SQL Injection Vulnerability (CVE-2024-5522) |
| 150946 | Apache HugeGraph-Server Command Execution Vulnerability (CVE-2024-27348) |
| 150947 | Check Point Security Gateway Information Disclosure Vulnerability (CVE-2024-24919) |
| 150948 | WordPress Business Card Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-4530) |
| 150949 | WordPress KKProgressbar2 Plugin: SQL Injection Vulnerability (CVE-2024-4533) |
| 150950 | WordPress Kognetiks Chatbot Plugin: Arbitrary File Upload Vulnerability (CVE-2024-32700) |
| 150952 | WordPress Contact Form Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-4709) |
| 150953 | Casgate Improper Authorization Vulnerability (CVE-2024-36108) |
| 150954 | PHP CGI Argument Injection Vulnerability (CVE-2024-4577) |
| 150956 | Apache OFBiz Path Traversal Vulnerability (CVE-2024-36104) |
| 150957 | WordPress Open Graph Plugin: Sensitive Information Exposure Vulnerability (CVE-2024-5615) |
| 150959 | WordPress Prime Slider Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-5640) |
| 150960 | WordPress Market Explorer Plugin: Unauthorized Loss of Data Vulnerability (CVE-2024-5637) |
| 150963 | WordPress Gamipress – Link Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-5536) |
| 150964 | SolarWinds Serv-U Directory Traversal Vulnerability (CVE-2024-28995) |
| 150965 | WordPress XStore Theme: SQL Injection Vulnerability (CVE-2024-33559) |
| 150966 | Progress Telerik Report Server Authentication Bypass Vulnerability (CVE-2024-4358) |
| 150967 | JetBrains TeamCity Multiple Cross-Site Scripting (XSS) Vulnerabilities |
| 150968 | JetBrains TeamCity Access Control Vulnerabilities (CVE-2024-36362, CVE-2024-36365) |
| 150969 | JetBrains TeamCity Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2024-36371) |
| 150970 | JetBrains TeamCity Reflected Cross-Site Scripting (XSS) Vulnerability (CVE-2024-36372) |
| 150971 | JetBrains TeamCity Multiple Stored Cross-Site Scripting (XSS) Vulnerabilities (CVE-2024-36373, CVE-2024-36374) |
| 150972 | JetBrains TeamCity User Permissions Vulnerabilities (CVE-2024-36376, CVE-2024-36377) |
| 150973 | JetBrains TeamCity Denial of Service (DoS) Vulnerability (CVE-2024-36378) |
| 150974 | JetBrains TeamCity Authentication Bypass Vulnerability (CVE-2024-36470) |
| 150975 | JetBrains TeamCity Improper Access Control Vulnerability (CVE-2024-36364) |
| 150976 | WordPress Master Addons Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-5542) |
| 150977 | WordPress Photo Gallery by 10Web Plugin: Path Traversal Vulnerability (CVE-2024-5481) |
| 150978 | WordPress WP-Recall Plugin: SQL Injection Vulnerability (CVE-2024-32709) |
| 150979 | JetBrains TeamCity Information Exposure Vulnerability (CVE-2024-36375) |
| 150984 | WordPress Custom Font Uploader Plugin: Unauthorized Loss of Data Vulnerability (CVE-2024-5489) |
| 150985 | WordPress Tutor LMS Plugin: Insecure Direct Object Reference (IDOR) Vulnerability (CVE-2024-5438) |
| 150987 | WordPress Dark Mode Plugin: Unauthorized Modification of Data Vulnerability (CVE-2024-5449) |
| 150988 | WordPress Yoast SEO Plugin: Reflected Cross-Site Scripting (XSS) Vulnerability (CVE-2024-4041) |
| 150989 | WordPress ePoll Plugin: Arbitrary File Upload Vulnerability (CVE-2024-32514) |
| 150990 | OpenCMS Cross-Site Scripting (XSS) Vulnerabilities (CVE-2024-5520, CVE-2024-5521) |
| 150991 | Apache ActiveMQ Insecure Web API Configuration Vulnerability (CVE-2024-32114) |
Qualys Notification Link: Web Application Detections Published in June 2024.