New Detections Rolling Out for Vulnerable CMSs and CMS Plugins

Document created by Dave Ferguson (Qualys employee) on Jan 18, 2018. Last modified by Dave Ferguson on Feb 2, 2018. Version 7.
In a previous post, we described how Qualys WAS added new informational QIDs to report CMS versions and CMS plugins found on your scanned web applications.  Now, as part of the continuous improvement of the scanning engine, new tests have been implemented to report known-vulnerable versions of CMSs, CMS plugins, and other web platforms.

The new tests are based on the Blind Elephant project, which fingerprints a web application's version by hashing the static files it serves (JavaScript, CSS, images and similar) and comparing those hashes against a database of the hashes of the files shipped with each known release.  Because static files are rarely modified after installation, this works even when version strings, readme files or generator meta tags have been removed.  As of today, Qualys WAS can identify and report outdated and vulnerable versions of the following:

  • WordPress
  • Joomla!
  • Drupal
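To make the static-file fingerprinting approach concrete, the following is an added example written for this post; it is not Blind Elephant's or Qualys WAS's code.  It builds a hash database from a small set of constructed releases, hashes whatever static files the target still serves, ranks candidate versions by the number of matching files, and flags the best candidate when it predates the fixed release.  The version numbers, file paths, file contents, the hypothetical `fixed_in` version and the `demo_fetch` callback are all invented for the demo; a real scanner would fetch the paths over HTTP and compare against hashes taken from the real release archives.

```python
import hashlib
from collections import defaultdict

# Constructed sample release corpus: version -> {static file path: file bytes}.
# A real fingerprint database holds hashes of the static files shipped in each
# actual release; these versions, paths and contents are invented for the demo.
RELEASES = {
    "1.0.0": {"js/app.min.js": b"app-100", "css/main.css": b"css-10x", "readme.txt": b"v1.0.0"},
    "1.0.1": {"js/app.min.js": b"app-101", "css/main.css": b"css-10x", "readme.txt": b"v1.0.1"},
    "1.1.0": {"js/app.min.js": b"app-110", "css/main.css": b"css-110", "readme.txt": b"v1.1.0"},
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def build_db(releases):
    """Invert the release corpus: path -> {hash: set of versions shipping that exact file}."""
    db = defaultdict(lambda: defaultdict(set))
    for version, files in releases.items():
        for path, content in files.items():
            db[path][sha256(content)].add(version)
    return db


def fingerprint(fetch, db):
    """Score each known version by how many of the target's files hash-match it.

    fetch(path) returns the file bytes, or None if the target does not serve that path.
    Files the target lacks, or whose hash matches no release (locally modified), add
    no evidence for or against any version.  Returns [(version, score)] best first.
    """
    scores = defaultdict(int)
    for path, by_hash in db.items():
        content = fetch(path)
        if content is None:
            continue
        for version in by_hash.get(sha256(content), ()):
            scores[version] += 1
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def parse_version(v):
    return tuple(int(part) for part in v.split("."))


def is_vulnerable(version, fixed_in):
    """True if version is older than the release that fixed the flaw (hypothetical fixed_in)."""
    return parse_version(version) < parse_version(fixed_in)


def identify(fetch, db, fixed_in):
    """Return (candidate versions tied for the best score, vulnerable?).

    Ties are reported rather than guessed away: with too few discriminating files the
    honest answer is a set of possible versions.  vulnerable is None when nothing matched.
    """
    ranked = fingerprint(fetch, db)
    if not ranked:
        return [], None
    top = ranked[0][1]
    candidates = [v for v, s in ranked if s == top]
    return candidates, any(is_vulnerable(v, fixed_in) for v in candidates)


DB = build_db(RELEASES)

# Constructed target: a 1.0.1 install whose readme.txt was deleted as a hardening
# step, so only the two remaining static files can be matched.
TARGET_FILES = {"js/app.min.js": b"app-101", "css/main.css": b"css-10x"}


def demo_fetch(path):
    return TARGET_FILES.get(path)


if __name__ == "__main__":
    print(fingerprint(demo_fetch, DB))       # [('1.0.1', 2), ('1.0.0', 1)]
    print(identify(demo_fetch, DB, "1.1.0"))  # (['1.0.1'], True)
```

Note that `css/main.css` is identical in 1.0.0 and 1.0.1, so on its own it cannot separate the two; only `js/app.min.js` does.  Choosing which paths to request is therefore most of the work in a real fingerprinter: it should prefer files whose hashes change between releases and skip paths that add no discrimination.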

The Qualys Vulnerability Management ("VM") module includes these tests already as part of its scanning capabilities.  The tests are essentially being duplicated in WAS.  Having the checks in both places allows more flexibility for customers who are using both modules while providing valuable new functionality for WAS customers who are not using VM.

Please note that WAS is using existing QIDs for these tests rather than introducing new ones.  As of today, WAS includes tests for the following QIDs:

  • WordPress: 11499, 11504, 11505, 11526, 11552, 11565, 11573, 11641, 11689, 11763, 11774, 11758, 11769, 11805, 11813, 11825, 11826, 11861, 11878, 12751, 12851, 13012, 13075, 13133
  • Joomla!: 11710, 11741, 11742, 11800, 11808, 11842, 11843, 11862, 11863, 12726, 12727, 12729, 12731, 12734, 12736, 12742, 12780, 12857, 12858, 12859, 12860, 12862, 12863, 12866, 12867, 12877, 12878, 12879, 12880, 105519, 105592
  • Drupal: 10773, 11511, 11540, 11580, 11582, 11616, 11649, 11733, 11776, 11794, 11836, 11852, 12786, 12789, 12791, 12794, 12796, 12797, 12799, 12800, 12801, 12820, 12932, 13013, 13054, 13062, 13073, 13074, 13119, 13124, 13125

More vulnerability tests are coming soon for other popular web platforms such as Moodle.  The post will be updated as more of these types of vulnerability tests are implemented in WAS and released.
