Last updated on: May 25, 2022
Qualys Web Application Scanning Engine 8.17 has been released to all Qualys platforms including private cloud platforms. This release is part of our ongoing effort to continuously improve the scanning engine in Qualys Web Application Scanning.
This update includes the following changes:
- API Testing now supports OpenAPI Specification and Swagger files in the YAML format. OAS/Swagger YAML files can now be directly uploaded or used in the target URL of the web application configuration.
- Cookies issued without user consent (formerly Information Gathered QID 150099) will now be reported as a Vulnerability (QID QID 150476) in accordance with GDPR guidelines.
- Added detection for identifying Cache Control and Permission’s Policy headers in scans.
- File upload tests will report web application response in scan results.
- SOAP API WSDL improvements.
The following Vulnerability QIDs have been released:
- QID 150476 Cookies issued without user consent (replacement to Information Gathered QID 150099)
- QID 150491 phpMyAdmin Authentication bypass Vulnerability (CVE-2022-23807)
- QID 150494 Spring Cloud Function Remote Code Execution(RCE) Vulnerability
- QID 150495 Spring Core Remote Code Execution (RCE) Vulnerability (Spring4Shell)
- QID 150499 WordPress AnyComment Plugin: Comment Rating Increase/Decrease via Race Condition Vulnerability (CVE-2022-0279)
- QID 150500 Oracle WebLogic Server Multiple Vulnerabilities (JAN2022)
- QID 150501 WordPress Download Manager Plugin: Authenticated SQL Injection to Reflected XSS Vulnerability (CVE-2021-25069)
- QID 150502 WordPress LoginPress Plugin: Reflected Cross-Site Scripting(XSS) Vulnerability (CVE-2022-0347)
- QID 154106 Drupal Core Cross-Site Scripting (XSS) Vulnerability (SA-CORE-2021-011)
The following Information Gathered QIDs have been released:
- QID 150248 – Permissions Policy Header
- QID 150249 – Misconfigured header: Cache Control
As always, if you encounter any problems in your WAS scans, please open a support ticket by selecting Help > Contact Support while logged into the platform. Feel free to post a question on Qualys Community as well.