Web Application Detections—June 2024

In June, the Qualys Web Application Scanning (WAS) team issued a critical security signatures update. This update expands the scope to detect vulnerabilities in several widely used software applications, including WordPress, Cacti, Apache HugeGraph-Server, Check Point Security Gateway, Casgate, PHP, Apache OFBiz, Progress Telerik Report Server, SolarWinds Serv-U, JetBrains TeamCity, OpenCMS and Apache ActiveMQ.

The following table lists the new QIDs. 

QID     Title
150911  WordPress Bold Page Builder Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-2735)
150913  WordPress Thim Elementor Kit Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-4329)
150914  WordPress Spectra Pro Plugin: Privilege Escalation Vulnerability (CVE-2024-3828)
150921  WordPress Kognetiks Chatbot Plugin: Unauthenticated Arbitrary File Upload Vulnerability (CVE-2024-4329)
150923  WordPress Hotel Booking Lite Plugin: PHP Object Injection Vulnerability (CVE-2024-4413)
150924  WordPress Unlimited Elements For Elementor Plugin: SQL Injection Vulnerability (CVE-2024-3055)
150925  WordPress Unlimited Elements For Elementor Plugin: Command Injection Vulnerability (CVE-2024-2662)
150926  WordPress LMS Plugin: Unauthenticated Time-Based SQL Injection Vulnerability (CVE-2024-4434)
150927  WordPress LMS Plugin: Arbitrary File Upload Vulnerability (CVE-2024-4397)
150932  WordPress user_login Column SQL Truncation Vulnerability (CVE-2008-4106)
150933  WordPress Shortcodes Plugin: Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2024-2583)
150943  Cacti Command Injection Vulnerability (CVE-2024-29895)
150944  WordPress HTML5 Video Player Plugin: Unauthenticated SQL Injection Vulnerability (CVE-2024-1061)
150945  WordPress HTML5 Video Player Plugin: Unauthenticated SQL Injection Vulnerability (CVE-2024-5522)
150946  Apache HugeGraph-Server Command Execution Vulnerability (CVE-2024-27348)
150947  Check Point Security Gateway Information Disclosure Vulnerability (CVE-2024-24919)
150948  WordPress Business Card Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-4530)
150949  WordPress KKProgressbar2 Plugin: SQL Injection Vulnerability (CVE-2024-4533)
150950  WordPress Kognetiks Chatbot Plugin: Arbitrary File Upload Vulnerability (CVE-2024-32700)
150952  WordPress Contact Form Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-4709)
150953  Casgate Improper Authorization Vulnerability (CVE-2024-36108)
150954  PHP CGI Argument Injection Vulnerability (CVE-2024-4577)
150956  Apache OFBiz Path Traversal Vulnerability (CVE-2024-36104)
150957  WordPress Open Graph Plugin: Sensitive Information Exposure Vulnerability (CVE-2024-5615)
150959  WordPress Prime Slider Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-5640)
150960  WordPress Market Explorer Plugin: Unauthorized Loss of Data Vulnerability (CVE-2024-5637)
150963  WordPress GamiPress – Link Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-5536)
150964  SolarWinds Serv-U Directory Traversal Vulnerability (CVE-2024-28995)
150965  WordPress XStore Theme: SQL Injection Vulnerability (CVE-2024-33559)
150966  Progress Telerik Report Server Authentication Bypass Vulnerability (CVE-2024-4358)
150967  JetBrains TeamCity Multiple Cross-Site Scripting (XSS) Vulnerabilities
150968  JetBrains TeamCity Access Control Vulnerabilities (CVE-2024-36362, CVE-2024-36365)
150969  JetBrains TeamCity Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2024-36371)
150970  JetBrains TeamCity Reflected Cross-Site Scripting (XSS) Vulnerability (CVE-2024-36372)
150971  JetBrains TeamCity Multiple Stored Cross-Site Scripting (XSS) Vulnerabilities (CVE-2024-36373, CVE-2024-36374)
150972  JetBrains TeamCity User Permissions Vulnerabilities (CVE-2024-36376, CVE-2024-36377)
150973  JetBrains TeamCity Denial of Service (DoS) Vulnerability (CVE-2024-36378)
150974  JetBrains TeamCity Authentication Bypass Vulnerability (CVE-2024-36470)
150975  JetBrains TeamCity Improper Access Control Vulnerability (CVE-2024-36364)
150976  WordPress Master Addons Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-5542)
150977  WordPress Photo Gallery by 10Web Plugin: Path Traversal Vulnerability (CVE-2024-5481)
150978  WordPress WP-Recall Plugin: SQL Injection Vulnerability (CVE-2024-32709)
150979  JetBrains TeamCity Information Exposure Vulnerability (CVE-2024-36375)
150984  WordPress Custom Font Uploader Plugin: Unauthorized Loss of Data Vulnerability (CVE-2024-5489)
150985  WordPress Tutor LMS Plugin: Insecure Direct Object Reference (IDOR) Vulnerability (CVE-2024-5438)
150987  WordPress Dark Mode Plugin: Unauthorized Modification of Data Vulnerability (CVE-2024-5449)
150988  WordPress Yoast SEO Plugin: Reflected Cross-Site Scripting (XSS) Vulnerability (CVE-2024-4041)
150989  WordPress ePoll Plugin: Arbitrary File Upload Vulnerability (CVE-2024-32514)
150990  OpenCMS Cross-Site Scripting (XSS) Vulnerabilities (CVE-2024-5520, CVE-2024-5521)
150991  Apache ActiveMQ Insecure Web API Configuration Vulnerability (CVE-2024-32114)

Qualys Notification Link: Web Application Detections Published in June 2024