Hello all -
Qualys WAS now includes two new vulnerability detections:
QID 150252 has been released for a cryptographic flaw in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Progress Sitefinity before v10.0.6412.0. This vulnerability could allow remote attackers to defeat cryptographic protection mechanisms and lead to a MachineKey leak, arbitrary file uploads/downloads, cross-site scripting (XSS), or ASP.NET ViewState compromise. The CVE ID is CVE-2017-9248 and the QID severity rating is 4.
QID 150253 has been released for a file upload vulnerability in Blueimp jQuery-File-Upload widget before v9.22.1. This vulnerability allows for remote code execution by unauthenticated attackers because malicious files such as web shells, backdoors, etc. can be uploaded to the server. The CVE ID is CVE-2018-9206 and the QID severity rating is 4.
To scan for these vulnerabilities with WAS, make sure your scan's option profile includes these QIDs via a custom search list. The QIDs are not included in core detection scope or any of the categories at this time.