Qualys Web Application Scanning Engine 8.22 has been released to all Qualys platforms including private cloud platforms. This release is part of our ongoing effort to continuously improve the scanning engine in Qualys Web Application Scanning.
This update includes the following changes, features, and improvements:
- New Potential Vulnerability – QID 150568 for Blind SQL with improved content based detection. Time based Blind SQL vulnerabilities will continue to be reported only in QID 150012. Additionally, QID 150012 will be renamed to “Time-based Blind SQL Injection”.
- New Potential Vulnerability – QID 150622 (Suspected Path Manipulation Vulnerability) introduced to report potential path based vulnerabilities.
- New IG – QID 150497 (Progressive scan completely crawled and tested the website) will report when progressive scanning has covered the whole scope of the web application and finished all test phases.
- False positive reduction for both Path Based QIDs 150004 (Path-Based Vulnerability) and 150174 (Path Traversal Vulnerability).
- Improvements to cookie reporting to take in to account configuration settings.
- Smart testing of cookies to improve scan efficiency and reduce overall scan time.
- Improved regular expressions for determining server authentication.
- Improvements to detections related to CMS identification in the application being scanned
New vulnerabilities with this product release:
- QID 150586 – Apache Commons Text Remote Code Execution (RCE) Vulnerability (Text4Shell) (CVE-2022-42889)
- QID 150587 – Django Debug Mode Enabled
- QID 150588 – Oracle WebLogic Server Multiple Vulnerabilities (CPUOCT2022)
- QID 150589 – WordPress Form Maker Plugin: Authenticated SQL Injection Vulnerability (CVE-2022-3300)
- QID 150590 – Apache Tomcat HTTP Request Smuggling Vulnerability (CVE-2022-42252)
- QID 150592 – Zabbix Reflected Cross Site Scripting Vulnerability (CVE-2022-35230)
- QID 150593 – Zabbix Reflected Cross Site Scripting (XSS) Vulnerability (CVE-2022-35229)
- QID 150594 – Spring Boot Misconfiguration: Actuator Endpoint Security Disabled
- QID 150595 – PHP Insufficient Input Validation Vulnerability (CVE-2022-31630)
- QID 150596 – Atlassian Bitbucket Server and Data Center: Command Injection Vulnerability (CVE-2022-43781)
- QID 150597 – WordPress Booster for Woocommerce Plugin: Multiple Vulnerabilities (CVE-2022-41805,CVE-2022-3763,CVE-2022-3762)
- QID 150598 – WordPress LoginPress Plugin: Broken Access Control Vulnerability (CVE-2022-41839)
- QID 150599 – WordPress Easy WP SMTP Plugin: PHP Object Injection Vulnerability (CVE-2022-3334)
- QID 150600 – WordPress WP-Polls Plugin: Race Condition Vulnerability (CVE-2022-40130)
- QID 150623 – ForgeRock Access Management Remote Code Execution Vulnerability
- QID 150624 – WordPress Easy WP SMTP Plugin: Multiple Vulnerabilities (CVE-2022-42699,CVE-2022-45833,CVE-2022-45829)
- QID 154126 – Drupal Core: CKEditor Library Multiple Vulnerabilities (CVE-2022-24728,CVE-2022-24729)
- QID 154127 – WordPress Multiple Vulnerabilities : Security Update 6.0.3 (CVE-2022-43497,CVE-2022-43500,CVE-2022-43504)
As always, if you encounter any problems in your WAS scans, please open a support ticket by selecting Help > Contact Support while logged into the platform. Feel free to post a question on Qualys Community as well.