Qualys Web Application Scanning Engine 8.18 has been released to all Qualys platforms including private cloud platforms. This release is part of our ongoing effort to continuously improve the scanning engine in Qualys Web Application Scanning.
This update includes the following changes:
- Various authorization improvements to include JSON Web Token (JWT) auto-refresh during scans.
- Information Gathered QIDs for Certificate Based Authentication (QIDs 150505 and 150506).
- Information Gathered QID for all URLs that redirect to third party/external URLs (QID 150516).
- Scan Configuration Suggestions (QID 150454) now reports when Postman Collections or Swagger/OpenAPI Specification files are found and dedicated API scanning is recommended.
- Scan Configuration Suggestions (QID 150454) now reports when AJAX links are found when SmartScan support is disabled.
- Support for crawling postman collection using Browser.
- Reporting improvement for Open Redirect when meta tag is commented.
Additional QIDs released:
- QID 150533 Apache Tomcat Information Disclosure Vulnerability (CVE-2021-24122)
- QID 150534 Lighttpd server Denial of service (DoS) Vulnerability (CVE-2022-30780)
- QID 150532 Apache Tomcat Request Mix-Up Vulnerability (CVE-2022-25762)
- QID 150531 Apache Tomcat EncryptInterceptor DoS Vulnerability (CVE-2022-29885)
- QID 150530 WordPress GDPR Cookie Consent Plugin: Improper Access Controls Vulnerability (CVE-2020-20633)
- QID 150529 WordPress Elementor Plugin: DOM-based Reflected Cross-Site Scripting (XSS) Vulnerability (CVE-2022-29455)
- QID 150527 WordPress Photo Gallery Plugin: Reflected Cross-Site Scripting Vulnerability (CVE-2022-1282)
- QID 150526 WordPress WP Maintenance Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2021-36828)
- QID 150525 PHP Input Validation Vulnerability (CVE-2021-21708)
- QID 150523 Atlassian Confluence Server and Data Center OGNL Injection Remote Code Execution (RCE) Vulnerability (CVE-2022-26134)
- QID 150522 EOL/Obsolete Software: PHP 5.x Detected
- QID 150519 WordPress Photo Gallery Plugin: Unauthenticated SQL Injection Vulnerability (CVE-2022-1281)
As always, if you encounter any problems in your WAS scans, please open a support ticket by selecting Help > Contact Support while logged into the platform. Feel free to post a question on Qualys Community as well.