KnowledgeBase 
Download

For API version information, refer to the API Version History section. 

V2.0

GET/POST /api/2.0/fo/knowledge_base/vuln/?action=list

Download vulnerability data from the Qualys KnowledgeBase. Authorized users have permission to use this API. Please contact Qualys Support or your Sales Representative if you would like to obtain authorization for your subscription.

Permissions - Managers, Unit Managers, Scanners and Readers have permission to download vulnerability data from the KnowledgeBase. 

Input Parameters

Parameter (Required/Optional, Data Type)
Description

action=list (Required, String)
Specify action to list and download the knowledgebase.

echo_request={0|1} (Optional, Integer)
Specify 1 to view (echo) input parameters in the XML output. By default these are not included.

details={Basic|All|None} (Optional, Boolean)
Show the requested amount of information for each vulnerability in the XML output. A valid value is: Basic (default), All, or None. Basic includes basic elements plus CVSS Base and Temporal scores. All includes all vulnerability details, including the Basic details.

ids={value} (Optional, Integer)
Used to filter the XML output to include only vulnerabilities that have QID numbers matching the QID numbers you specify.

id_min={value} (Optional, Integer)
Used to filter the XML output to show only vulnerabilities that have a QID number greater than or equal to the QID number you specify.

id_max={value} (Optional, Integer)
Used to filter the XML output to show only vulnerabilities that have a QID number less than or equal to the QID number you specify.

is_patchable={0|1} (Optional, Integer)
Used to filter the XML output to show only vulnerabilities that are patchable or not patchable. A vulnerability is considered patchable when a patch exists for it. When 1 is specified, only patchable vulnerabilities are included in the output. When 0 is specified, only vulnerabilities that are not patchable are included. When unspecified, both patchable and unpatchable vulnerabilities are included.

last_modified_after={date} (Optional, Integer)
Used to filter the XML output to show only vulnerabilities last modified after a certain date and time. When specified, vulnerabilities last modified either by a user or by the service are shown. The date/time is specified in YYYY-MM-DD[THH:MM:SSZ] format (UTC/GMT).

last_modified_before={date} (Optional, Integer)
Used to filter the XML output to show only vulnerabilities last modified before a certain date and time. When specified, vulnerabilities last modified either by a user or by the service are shown. The date/time is specified in YYYY-MM-DD[THH:MM:SSZ] format (UTC/GMT).

last_modified_by_user_after={date} (Optional, Integer)
Used to filter the XML output to show only vulnerabilities last modified by a user after a certain date and time. The date/time is specified in YYYY-MM-DD[THH:MM:SSZ] format (UTC/GMT).

last_modified_by_user_before={date} (Optional, Integer)
Used to filter the XML output to show only vulnerabilities last modified by a user before a certain date and time. The date/time is specified in YYYY-MM-DD[THH:MM:SSZ] format (UTC/GMT).

last_modified_by_service_after={date} (Optional, Integer)
Used to filter the XML output to show only vulnerabilities last modified by the service after a certain date and time. The date/time is specified in YYYY-MM-DD[THH:MM:SSZ] format (UTC/GMT).

last_modified_by_service_before={date} (Optional, Integer)
Used to filter the XML output to show only vulnerabilities last modified by the service before a certain date and time. The date/time is specified in YYYY-MM-DD[THH:MM:SSZ] format (UTC/GMT).

published_after={date} (Optional, Integer)
Used to filter the XML output to show only vulnerabilities published after a certain date and time. The date/time is specified in YYYY-MM-DD[THH:MM:SSZ] format (UTC/GMT).

published_before={date} (Optional, Integer)
Used to filter the XML output to show only vulnerabilities published before a certain date and time. The date/time is specified in YYYY-MM-DD[THH:MM:SSZ] format (UTC/GMT).

discovery_method={value} (Optional, Integer)
Used to filter the XML output to show only vulnerabilities assigned a certain discovery method. A valid value is: Remote, Authenticated, RemoteOnly, AuthenticatedOnly, or RemoteAndAuthenticated. When "Authenticated" is specified, the service shows vulnerabilities that have at least one associated authentication type. Vulnerabilities that have at least one authentication type can be detected in two ways: 1) remotely, without using authentication, and 2) using authentication.

discovery_auth_types={value} (Optional, Integer)
Used to filter the XML output to show only vulnerabilities having one or more of the specified authentication types. For example: Windows, Oracle, Unix, SNMP, DB2, HTTP, MySQL, VMware. Multiple values should be comma-separated.

show_pci_reasons={0|1} (Optional, Integer)
Used to filter the XML output to show reasons for passing or failing PCI compliance (when the CVSS Scoring feature is turned on in the user's subscription). Specify 1 to view the reasons in the XML output. When unspecified, the reasons are not included in the XML output.

show_supported_modules_info={0|1} (Optional, Integer)
Used to filter the XML output to show the Qualys modules that can be used to detect each vulnerability. Specify 1 to view supported modules in the XML output. When unspecified, supported modules are not included in the XML output.

show_disabled_flag={0|1} (Optional, Integer)
Specify 1 to include the disabled flag for each vulnerability in the XML output.

show_qid_change_log={0|1} (Optional, Integer)
Specify 1 to include QID changes for each vulnerability in the XML output.

code_modified_after={date} (Optional, Integer)
Used to filter the XML output to show only the QIDs whose code was modified after a certain date and time. The date/time is specified in YYYY-MM-DD[THH:MM:SSZ] format (UTC/GMT).

code_modified_before={date} (Optional, Integer)
Used to filter the XML output to show only the QIDs whose code was modified before a certain date and time. The date/time is specified in YYYY-MM-DD[THH:MM:SSZ] format (UTC/GMT).

Real-Time Threat Indicators (RTIs)

The KnowledgeBase list output includes Real-Time Threat Indicators (RTIs) associated with each vulnerability. RTIs appear as part of vulnerability details under THREAT_INTELLIGENCE. Please note that RTIs are only visible when Threat Protection is enabled for the subscription.

Real-Time Threat Indicators are described below.

RTI (ID)
Description

Zero_Day (1)
An active attack has been observed in the wild and there is no patch from the vendor. Both conditions are prerequisites for this RTI: if a vulnerability is not actively attacked, this RTI is not set (even if there is no patch from the vendor). If a patch becomes available, Qualys removes the Zero_Day RTI, which helps users focus only on vulnerabilities that are actively exploited and have no official patch.

Exploit_Public (2)
Exploit knowledge is well known and working exploit code is publicly available, so the potential for active attacks is very high. This attribute is set, for example, when PoC exploit code is available from Exploit-DB, Metasploit, Core, Immunity or other exploit vendors. This RTI does not necessarily indicate that active attacks have been observed in the wild.

Active_Attacks (3)
Active attacks have been observed in the wild. This information is derived from malware, exploit kits, acknowledgment from vendors, US-CERT and similar trusted sources. If there is no patch, Qualys also marks the vulnerability as Zero_Day in addition to Active_Attacks.

High_Lateral_Movement (4)
After a successful compromise, the attacker has high potential to compromise other machines in the network.

Easy_Exploit (5)
The attack can be carried out easily and requires little skill, or does not require additional information.

High_Data_Loss (6)
Successful exploitation will result in massive data loss on the host.

Denial_of_Service (7)
Successful exploitation will result in denial of service.

No_Patch (8)
The vendor has not provided an official fix.

Malware (9)
Malware has been associated with the vulnerability.

Exploit_Kit (10)
An exploit kit has been associated with this vulnerability. Exploit kits are usually cloud-based toolkits that help malware writers identify vulnerable browsers/plugins and install malware. Users can also search on exploit kit names such as Angler, Nuclear, Rig and others.

Wormable (11)
Wormable has been associated with this vulnerability: it can be used in "worms", malware that spreads itself without user interaction.

Predicted_High_Risk (12)
Predicted High Risk has been associated with this vulnerability. Qualys' machine learning model predicted this vulnerability to be high risk based on various data sources, including NVD, social networks, the dark web, security blogs, code repositories, exploits, etc.

Privilege_Escalation (13)
Successful exploitation allows an attacker to gain elevated privileges.

Unauthenticated_Exploitation (14)
Exploitation of this vulnerability does not require authentication.

Remote_Code_Execution (15)
Successful exploitation allows an attacker to execute arbitrary commands or code on a targeted system or in a target process.

Ransomware (16)
This vulnerability has been exploited in attack vectors where ransomware has been deployed; in other words, it is associated with known ransomware.

Solorigate_Sunburst (17)
Solorigate Sunburst has been associated with all the CVEs used by FireEye's Red Team tools to test the security of their client environments, and with compromised versions of SolarWinds Orion.

CISA Known Exploited Vulnerabilities (18)
CISA maintains a catalog of the top publicly known vulnerabilities being exploited in the wild (referred to as CISA Known Exploited Vulnerabilities), and organizations are advised to patch affected systems as a priority. This RTI indicates that the vulnerability is in the CISA catalog, with the catalog's CVEs mapped to the respective QIDs. We add the CISA Known Exploited Vulnerabilities RTI to QIDs within 24 hours of the CISA catalog being updated with new CVEs.

The CISA Directive recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. The remediation timelines are available in CISA's catalog for each of the CVEs.
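The following Python is an added example, not Qualys code and not part of this page: it builds the action=list query from the date and QID filters in the parameter table above, and parses the documented XML output (VULN, CVE_LIST, THREAT_INTELLIGENCE, DISCOVERY) so that the RTIs from the table above can drive remediation order. The SAMPLE_OUTPUT document, its QIDs 9900001 and 9900002 and the CVE IDs in it are constructed, and the URGENT_RTIS set is this example's own policy choice rather than a Qualys rating.

```python
"""Added example (not Qualys code): build the documented action=list query and
parse the documented XML output into records a remediation pipeline can act on.
SAMPLE_OUTPUT, its QIDs and CVE IDs are constructed for this example and model
the structure of the page's own samples."""
from datetime import datetime, timezone
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

VALID_DETAILS = {"Basic", "All", "None"}
# RTIs whose descriptions above mean exploitation is happening or imminent;
# treating exactly these as "fix first" is this example's own policy choice.
URGENT_RTIS = {"Zero_Day", "Active_Attacks", "Ransomware",
               "CISA Known Exploited Vulnerabilities"}
SAMPLE_SINCE = datetime(2017, 7, 20, tzinfo=timezone.utc)  # constructed cut-off


def kb_datetime(dt):
    """Format a datetime as the API's YYYY-MM-DDTHH:MM:SSZ; naive values are
    taken as UTC, aware values are converted to UTC."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_list_query(last_modified_after=None, ids=None, is_patchable=None,
                     details="Basic"):
    """Query string for action=list with the documented filters. ids is passed
    through as the API accepts it, e.g. "1-200" or "27002,27005"."""
    if details not in VALID_DETAILS:
        raise ValueError("details must be one of %s" % sorted(VALID_DETAILS))
    params = {"action": "list", "details": details}
    if last_modified_after is not None:   # incremental pull: user or service edits
        params["last_modified_after"] = kb_datetime(last_modified_after)
    if ids is not None:
        params["ids"] = ids
    if is_patchable is not None:
        params["is_patchable"] = "1" if is_patchable else "0"
    return urlencode(params, safe=":,-")


def _text(elem, path, default=""):
    """Stripped text of a child element (CDATA content arrives as plain text)."""
    child = elem.find(path)
    return child.text.strip() if child is not None and child.text else default


def parse_vuln_list(xml_doc):
    """Parse KNOWLEDGE_BASE_VULN_LIST_OUTPUT into dicts. The DOCTYPE's SYSTEM
    DTD is not fetched: expat does not load external DTDs by default."""
    if isinstance(xml_doc, str):
        xml_doc = xml_doc.encode("utf-8")
    vulns = []
    for v in ET.fromstring(xml_doc).iterfind("./RESPONSE/VULN_LIST/VULN"):
        vulns.append({
            "qid": int(_text(v, "QID")),
            "title": _text(v, "TITLE"),
            "severity": int(_text(v, "SEVERITY_LEVEL", "0")),
            "patchable": _text(v, "PATCHABLE") == "1",
            "cves": [c.text.strip() for c in v.iterfind("CVE_LIST/CVE/ID") if c.text],
            # THREAT_INTEL carries the RTI ID as an attribute and its name as text.
            "rtis": {t.text.strip(): int(t.get("id")) for t in
                     v.iterfind("THREAT_INTELLIGENCE/THREAT_INTEL") if t.text},
            "remote": _text(v, "DISCOVERY/REMOTE") == "1",
            "auth_types": [a.text.strip() for a in
                           v.iterfind("DISCOVERY/AUTH_TYPE_LIST/AUTH_TYPE") if a.text],
        })
    return vulns


def triage(vulns):
    """Split parsed QIDs into (urgent, other), highest severity first. Urgent:
    any URGENT_RTIS indicator, or severity 5 with both Remote_Code_Execution
    and Unauthenticated_Exploitation."""
    def is_urgent(v):
        rtis = set(v["rtis"])
        return bool(rtis & URGENT_RTIS) or (v["severity"] == 5 and
            {"Remote_Code_Execution", "Unauthenticated_Exploitation"} <= rtis)
    ordered = sorted(vulns, key=lambda v: (-v["severity"], v["qid"]))
    return ([v for v in ordered if is_urgent(v)],
            [v for v in ordered if not is_urgent(v)])


SAMPLE_OUTPUT = """<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE KNOWLEDGE_BASE_VULN_LIST_OUTPUT SYSTEM "https://qualys_base_url/api/2.0/fo/knowledge_base/vuln/knowledge_base_vuln_list_output.dtd">
<KNOWLEDGE_BASE_VULN_LIST_OUTPUT><RESPONSE><DATETIME>2024-09-02T10:55:37Z</DATETIME>
<VULN_LIST><VULN><QID>9900001</QID><SEVERITY_LEVEL>5</SEVERITY_LEVEL>
<TITLE><![CDATA[Constructed sample: remotely exploitable service flaw]]></TITLE>
<PATCHABLE>1</PATCHABLE><CVE_LIST><CVE><ID><![CDATA[CVE-0000-0001]]></ID></CVE></CVE_LIST>
<THREAT_INTELLIGENCE><THREAT_INTEL id="3"><![CDATA[Active_Attacks]]></THREAT_INTEL>
<THREAT_INTEL id="18"><![CDATA[CISA Known Exploited Vulnerabilities]]></THREAT_INTEL>
</THREAT_INTELLIGENCE><DISCOVERY><REMOTE>1</REMOTE></DISCOVERY></VULN>
<VULN><QID>9900002</QID><SEVERITY_LEVEL>3</SEVERITY_LEVEL>
<TITLE><![CDATA[Constructed sample: local package update]]></TITLE><PATCHABLE>1</PATCHABLE>
<CVE_LIST><CVE><ID><![CDATA[CVE-0000-0002]]></ID></CVE></CVE_LIST>
<THREAT_INTELLIGENCE><THREAT_INTEL id="4"><![CDATA[High_Lateral_Movement]]></THREAT_INTEL>
</THREAT_INTELLIGENCE><DISCOVERY><REMOTE>0</REMOTE><AUTH_TYPE_LIST><AUTH_TYPE>Unix</AUTH_TYPE>
</AUTH_TYPE_LIST></DISCOVERY></VULN></VULN_LIST></RESPONSE></KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
"""
```

Calling triage(parse_vuln_list(SAMPLE_OUTPUT)) places QID 9900001 (Active_Attacks, CISA KEV) in the urgent list and QID 9900002 in the other list.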

Sample - Request All Vulnerabilities, Basic Details

API Request

curl -u "user:password" -H "X-Requested-With: Curl" -X "POST" -d "action=list" "https://<qualys_base_url>/api/2.0/fo/knowledge_base/vuln/"

Sample - Patchable Vulnerabilities

Vulnerabilities with certain QIDs that are patchable.

API Request

curl -u "user:password" -H "X-Requested-With: Curl" -X "POST" -d "action=list&ids=1-200&is_patchable=1&details=All" "https://<qualys_base_url>/api/2.0/fo/knowledge_base/vuln/"

Sample - Vulnerabilities Modified After Date

Vulnerabilities modified by the service after July 20, 2017 and that have discovery method "remote and authenticated".

API Request

curl -u "user:password" -H "X-Requested-With: Curl" -X "POST" -d "action=list&last_modified_by_service_after=2011-07-20&discovery_method=RemoteAndAuthenticated" "https://<qualys_base_url>/api/2.0/fo/knowledge_base/vuln/"

Output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE KNOWLEDGE_BASE_VULN_LIST_OUTPUT SYSTEM "https://<qualys_base_url>/api/2.0/fo/knowledge_base/vuln/knowledge_base_vuln_list_output.dtd">
<KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
    <RESPONSE>
        <DATETIME>2023-11-29T07:27:37Z</DATETIME>
        <VULN_LIST>
            <VULN>
                <QID>994430</QID>
                <VULN_TYPE>Vulnerability</VULN_TYPE>
                <SEVERITY_LEVEL>5</SEVERITY_LEVEL>
                <TITLE>
                    <![CDATA[Python (Pip) Security Update for cobbler (GHSA-96hw-v598-jvgh)]]>
                </TITLE>
                <CATEGORY>SCA</CATEGORY>
                <TECHNOLOGY>
                    <![CDATA[JAVA 8,Python 3.11]]>
                </TECHNOLOGY>
                <LAST_SERVICE_MODIFICATION_DATETIME>2023-10-27T05:33:30Z</LAST_SERVICE_MODIFICATION_DATETIME>
                <PUBLISHED_DATETIME>2023-07-27T13:31:29Z</PUBLISHED_DATETIME>
                <CODE_MODIFIED_DATETIME>2023-07-27T13:31:29Z</CODE_MODIFIED_DATETIME>
                <PATCHABLE>1</PATCHABLE>
                <SOFTWARE_LIST>
                    <SOFTWARE>
                        <PRODUCT>
                            <![CDATA[pip]]>
                        </PRODUCT>
                        <VENDOR>
                            <![CDATA[pip]]>
                        </VENDOR>
                    </SOFTWARE>
                </SOFTWARE_LIST>
                <VENDOR_REFERENCE_LIST>
                    <VENDOR_REFERENCE>
                        <ID>
                            <![CDATA[GHSA-96hw-v598-jvgh]]>
                        </ID>
                        <URL>
                            <![CDATA[https://github.com/advisories/GHSA-96hw-v598-jvgh]]>
                        </URL>
                    </VENDOR_REFERENCE>
                </VENDOR_REFERENCE_LIST>
                <CVE_LIST>
                    <CVE>
                        <ID>
                            <![CDATA[CVE-2017-1000469]]>
                        </ID>
                        <URL>
                            <![CDATA[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000469]]>
                        </URL>
                    </CVE>
                </CVE_LIST>
            </VULN>
        </VULN_LIST>
    </RESPONSE>
</KNOWLEDGE_BASE_VULN_LIST_OUTPUT>

Sample - List all the QIDs for the code modified before and after a specific date

API Request

curl --location 'https://qualys_base_url/api/2.0/fo/knowledge_base/vuln/?ids=12136&code_modified_before=2000-01-02&action=list&code_modified_after=2023-08-26' \
--header 'X-Requested-With: curl' \
--header 'Authorization: Basic <encoded username:password string>'

Output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE KNOWLEDGE_BASE_VULN_LIST_OUTPUT SYSTEM "https://qualys_base_url/api/2.0/fo/knowledge_base/vuln/knowledge_base_vuln_list_output.dtd">
<KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
    <RESPONSE>
        <DATETIME>2023-11-29T07:27:37Z</DATETIME>
        <VULN_LIST>
            <VULN>
                <QID>994430</QID>
                <VULN_TYPE>Vulnerability</VULN_TYPE>
                <SEVERITY_LEVEL>5</SEVERITY_LEVEL>
                <TITLE>
                    <![CDATA[Python (Pip) Security Update for cobbler (GHSA-96hw-v598-jvgh)]]>
                </TITLE>
                <CATEGORY>SCA</CATEGORY>
                <TECHNOLOGY>
                    <![CDATA[JAVA 8,Python 3.11]]>
                </TECHNOLOGY>
                <LAST_SERVICE_MODIFICATION_DATETIME>2023-10-27T05:33:30Z</LAST_SERVICE_MODIFICATION_DATETIME>
                <PUBLISHED_DATETIME>2023-07-27T13:31:29Z</PUBLISHED_DATETIME>
                <CODE_MODIFIED_DATETIME>2023-07-27T13:31:29Z</CODE_MODIFIED_DATETIME>
                <PATCHABLE>1</PATCHABLE>
                <SOFTWARE_LIST>
                    <SOFTWARE>
                        <PRODUCT>
                            <![CDATA[pip]]>
                        </PRODUCT>
                        <VENDOR>
                            <![CDATA[pip]]>
                        </VENDOR>
                    </SOFTWARE>
                </SOFTWARE_LIST>
                <VENDOR_REFERENCE_LIST>
                    <VENDOR_REFERENCE>
                        <ID>
                            <![CDATA[GHSA-96hw-v598-jvgh]]>
                        </ID>
                        <URL>
                            <![CDATA[https://github.com/advisories/GHSA-96hw-v598-jvgh]]>
                        </URL>
                    </VENDOR_REFERENCE>
                </VENDOR_REFERENCE_LIST>
                <CVE_LIST>
                    <CVE>
                        <ID>
                            <![CDATA[CVE-2017-1000469]]>
                        </ID>
                        <URL>
                            <![CDATA[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000469]]>
                        </URL>
                    </CVE>
                </CVE_LIST>
            </VULN>
        </VULN_LIST>
    </RESPONSE>
</KNOWLEDGE_BASE_VULN_LIST_OUTPUT>

Sample - List the QIDs that exactly match the given CVE

API Request

curl --location --request POST 'https://qualys_base_url/api/2.0/fo/knowledge_base/vuln/index.php?action=list&cve=CVE-1999-0527' \
--header 'X-Requested-With: curl demo2' \
--header 'Authorization: Basic <encoded username:password string>'

Output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE KNOWLEDGE_BASE_VULN_LIST_OUTPUT SYSTEM "https://qualys_base_url/api/2.0/fo/knowledge_base/vuln/knowledge_base_vuln_list_output.dtd">
<KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
    <RESPONSE>
        <DATETIME>2023-11-24T06:37:11Z</DATETIME>
        <VULN_LIST>
            <VULN>
                <QID>27002</QID>
                <VULN_TYPE>Vulnerability</VULN_TYPE>
                <SEVERITY_LEVEL>5</SEVERITY_LEVEL>
                <TITLE>
                    <![CDATA[Writeable Root Directory on FTP Server]]>
                </TITLE>
                <CATEGORY>File Transfer Protocol</CATEGORY>
                <LAST_SERVICE_MODIFICATION_DATETIME>2009-07-08T17:28:46Z</LAST_SERVICE_MODIFICATION_DATETIME>
                <PUBLISHED_DATETIME>1999-01-01T08:00:00Z</PUBLISHED_DATETIME>
                <PATCHABLE>0</PATCHABLE>
                <CVE_LIST>
                    <CVE>
                        <ID>
                            <![CDATA[CVE-1999-0527]]>
                        </ID>
                        <URL>
                            <![CDATA[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0527]]>
                        </URL>
                    </CVE>
                </CVE_LIST>
                <DIAGNOSIS>
                    <!CDATA>
                </DIAGNOSIS>
                <CONSEQUENCE>
                    <!CDATA>
                </CONSEQUENCE>
                <SOLUTION>
                    <!CDATA>
                </SOLUTION>
                <CVSS>
                    <BASE>10.0</BASE>
                    <TEMPORAL>8.6</TEMPORAL>
                </CVSS>
            </VULN>
            <VULN>
                <QID>27005</QID>
                <VULN_TYPE>Vulnerability</VULN_TYPE>
                <SEVERITY_LEVEL>3</SEVERITY_LEVEL>
                <TITLE>
                    <!CDATA>
                </TITLE>
                <CATEGORY>File Transfer Protocol</CATEGORY>
                <LAST_SERVICE_MODIFICATION_DATETIME>2020-11-23T18:43:15Z</LAST_SERVICE_MODIFICATION_DATETIME>
                <PUBLISHED_DATETIME>1999-01-01T08:00:00Z</PUBLISHED_DATETIME>
                <PATCHABLE>0</PATCHABLE>
                <CVE_LIST>
                    <CVE>
                        <ID>
                            <![CDATA[CVE-1999-0527]]> .......
        </VULN_LIST>
    </RESPONSE>
</KNOWLEDGE_BASE_VULN_LIST_OUTPUT>

DTD

<platform API server>/api/2.0/fo/knowledge_base/vuln/knowledge_base_vuln_list_output.dtd

V3.0

GET/POST /api/3.0/fo/knowledge_base/vuln/?action=list

Download vulnerability data from the Qualys KnowledgeBase. Authorized users have permission to use this API. Please contact Qualys Support or your Sales Representative if you would like to obtain authorization for your subscription.

Permissions - Managers, Unit Managers, Scanners and Readers have permission to download vulnerability data from the KnowledgeBase. 

Input Parameters

The input parameters for V3.0 are identical to those listed for V2.0 above.

Real-Time Threat Indicators (RTIs)

The RTIs for V3.0, their IDs and their descriptions are identical to those listed for V2.0 above. RTIs appear as part of vulnerability details under THREAT_INTELLIGENCE and are only visible when Threat Protection is enabled for the subscription.

Sample - Fetch Basic Details for Vulnerabilities

API Request

curl --location 'https://<qualys_base_url>/api/3.0/fo/knowledge_base/vuln/?action=list&details=All&ids=6666666' \
--header 'X-Requested-With: curl demo 2' \
--header 'Authorization: Basic cXVheXNfYXMzOnFhdGVtcA=='

XML Output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE KNOWLEDGE_BASE_VULN_LIST_OUTPUT SYSTEM "https://<qualys_base_url>/api/3.0/fo/knowledge_base/vuln/knowledge_base_vuln_list_output.dtd">
<KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
    <RESPONSE>
        <DATETIME>2024-09-02T10:55:37Z</DATETIME>
        <VULN_LIST>
            <VULN>
                <QID>6666666</QID>
                <VULN_TYPE>Vulnerability</VULN_TYPE>
                <SEVERITY_LEVEL>3</SEVERITY_LEVEL>
                <TITLE>
                    <![CDATA[Debian 12 Security Update for webkit2gtk (CVE-2024-40780)]]>
                </TITLE>
                <CATEGORY>Debian</CATEGORY>
                <LAST_SERVICE_MODIFICATION_DATETIME>2024-09-02T02:43:07Z</LAST_SERVICE_MODIFICATION_DATETIME>
                <PUBLISHED_DATETIME>2024-08-26T14:08:11Z</PUBLISHED_DATETIME>
                <CODE_MODIFIED_DATETIME>2024-08-26T14:08:11Z</CODE_MODIFIED_DATETIME>
                <PATCHABLE>1</PATCHABLE>
                <PATCH_PUBLISHED_DATE>2024-08-15T00:00:00Z</PATCH_PUBLISHED_DATE>
                <SOFTWARE_LIST>
                    <SOFTWARE>
                        <PRODUCT>
                            <![CDATA[webkit2gtk]]>
                        </PRODUCT>
                        <VENDOR>
                            <![CDATA[debian]]>
                        </VENDOR>
                    </SOFTWARE>
                </SOFTWARE_LIST>
                <VENDOR_REFERENCE_LIST>
                    <VENDOR_REFERENCE>
                        <ID>
                            <![CDATA[webkit2gtk_Debian12]]>
                        </ID>
                        <URL>
                            <![CDATA[https://security-tracker.debian.org/tracker/CVE-2024-40780]]>
                        </URL>
                    </VENDOR_REFERENCE>
                </VENDOR_REFERENCE_LIST>
                <CVE_LIST>
                    <CVE>
                        <ID>
                            <![CDATA[CVE-2024-40780]]>
                        </ID>
                        <URL>
                            <![CDATA[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40780]]>
                        </URL>
                    </CVE>
                </CVE_LIST>
                <DIAGNOSIS>
                    <![CDATA[Debian has released a security update for webkit2gtk to fix the vulnerabilities.]]>
                </DIAGNOSIS>
                <CONSEQUENCE>
                    <![CDATA[Successful exploitation of this vulnerability could lead to a security breach or affect integrity, availability, and confidentiality.]]>
                </CONSEQUENCE>
                <SOLUTION>
                    <![CDATA[Refer to Debian security advisory <A HREF='https://security-tracker.debian.org/tracker/CVE-2024-40780' TARGET='_blank'>CVE-2024-40780</A> for updates and patch information.]]>
                </SOLUTION>
                <PCI_FLAG>0</PCI_FLAG>
                <THREAT_INTELLIGENCE>
                    <THREAT_INTEL id="4">
                        <![CDATA[High_Lateral_Movement]]>
                    </THREAT_INTEL>
                </THREAT_INTELLIGENCE>
                <DISCOVERY>
                    <REMOTE>0</REMOTE>
                    <AUTH_TYPE_LIST>
                        <AUTH_TYPE>Unix</AUTH_TYPE>
                    </AUTH_TYPE_LIST>
                    <ADDITIONAL_INFO>Patch Available</ADDITIONAL_INFO>
                </DISCOVERY>
            </VULN>
        </VULN_LIST>
    </RESPONSE>
</KNOWLEDGE_BASE_VULN_LIST_OUTPUT>


Sample - Patchable Vulnerabilities

The vulnerability with QID 6080871, with all details, returned only if it is patchable (ids, details=All and is_patchable=1 combined).

API Request

curl --location 'https://<qualys_base_url>/api/3.0/fo/knowledge_base/vuln/?action=list&ids=6080871&details=All&is_patchable=1' \
--header 'X-Requested-With: curl demo 2' \
--header 'Authorization: Basic <base64-encoded username:password>'

XML Output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE KNOWLEDGE_BASE_VULN_LIST_OUTPUT SYSTEM "https://<qualys_base_url>/api/3.0/fo/knowledge_base/vuln/knowledge_base_vuln_list_output.dtd">
<KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
    <RESPONSE>
        <DATETIME>2024-09-03T06:03:55Z</DATETIME>
        <VULN_LIST>
            <VULN>
                <QID>6080871</QID>
                <VULN_TYPE>Vulnerability</VULN_TYPE>
                <SEVERITY_LEVEL>5</SEVERITY_LEVEL>
                <TITLE>
                    <![CDATA[VMware Photon OS Security Update for python-cryptography,coredns,grub2 (PHSA-2023-3.0-0681)]]>
                </TITLE>
                <CATEGORY>PhotonOS</CATEGORY>
                <LAST_SERVICE_MODIFICATION_DATETIME>2024-06-25T12:04:37Z</LAST_SERVICE_MODIFICATION_DATETIME>
                <PUBLISHED_DATETIME>2024-06-24T12:55:24Z</PUBLISHED_DATETIME>
                <CODE_MODIFIED_DATETIME>2024-06-24T12:55:24Z</CODE_MODIFIED_DATETIME>
                <PATCHABLE>1</PATCHABLE>
                <PATCH_PUBLISHED_DATE>2023-11-04T00:00:00Z</PATCH_PUBLISHED_DATE>
                <SOFTWARE_LIST>
                    <SOFTWARE>
                        <PRODUCT>
                            <![CDATA[photonos]]>
                        </PRODUCT>
                        <VENDOR>
                            <![CDATA[vmware]]>
                        </VENDOR>
                    </SOFTWARE>
                </SOFTWARE_LIST>
                <VENDOR_REFERENCE_LIST>
                    <VENDOR_REFERENCE>
                        <ID>
                            <![CDATA[PHSA-2023-3.0-0681]]>
                        </ID>
                        <URL>
                            <![CDATA[https://github.com/vmware/photon/wiki/Security-Update-3.0-681]]>
                        </URL>
                    </VENDOR_REFERENCE>
                </VENDOR_REFERENCE_LIST>
                <CVE_LIST>
                    <CVE>
                        <ID>
                            <![CDATA[CVE-2021-28235]]>
                        </ID>
                        <URL>
                            <![CDATA[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28235]]>
                        </URL>
                    </CVE>
                    <CVE>
                        <ID>
                            <![CDATA[CVE-2023-4692]]>
                        </ID>
                        <URL>
                            <![CDATA[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4692]]>
                        </URL>
                    </CVE>
                    <CVE>
                        <ID>
                            <![CDATA[CVE-2023-4693]]>
                        </ID>
                        <URL>
                            <![CDATA[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4693]]>
                        </URL>
                    </CVE>
                    <CVE>
                        <ID>
                            <![CDATA[CVE-2023-32082]]>
                        </ID>
                        <URL>
                            <![CDATA[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32082]]>
                        </URL>
                    </CVE>
                    <CVE>
                        <ID>
                            <![CDATA[CVE-2023-23931]]>
                        </ID>
                        <URL>
                            <![CDATA[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23931]]>
                        </URL>
                    </CVE>
                </CVE_LIST>
                <DIAGNOSIS>
                    <![CDATA[PhotonOS has released a security update for python-cryptography,coredns,grub2 to fix the vulnerabilities.]]>
                </DIAGNOSIS>
                <CONSEQUENCE>
                    <![CDATA[Successful exploitation of this vulnerability could lead to a security breach or affect integrity, availability, and confidentiality.]]>
                </CONSEQUENCE>
                <SOLUTION>
                    <![CDATA[Refer to PhotonOS security advisory <A HREF="https://github.com/vmware/photon/wiki/Security-Update-3.0-681" TARGET="_blank">PHSA-2023-3.0-0681</A> for updates and patch information.]]>
                </SOLUTION>
                <CORRELATION>
                    <EXPLOITS>
                        <EXPLT_SRC>
                        </EXPLT_SRC>
                    </EXPLOITS>
                </CORRELATION>
                <PCI_FLAG>1</PCI_FLAG>
                <THREAT_INTELLIGENCE>
                    <THREAT_INTEL id="2">
                        <![CDATA[Exploit_Public]]>
                    </THREAT_INTEL>
                    <THREAT_INTEL id="4">
                        <![CDATA[High_Lateral_Movement]]>
                    </THREAT_INTEL>
                    <THREAT_INTEL id="15">
                        <![CDATA[Remote_Code_Execution]]>
                    </THREAT_INTEL>
                </THREAT_INTELLIGENCE>
                <DISCOVERY>
                    <REMOTE>0</REMOTE>
                    <AUTH_TYPE_LIST>
                        <AUTH_TYPE>Unix</AUTH_TYPE>
                    </AUTH_TYPE_LIST>
                    <ADDITIONAL_INFO>Patch Available, Exploit Available</ADDITIONAL_INFO>
                </DISCOVERY>
            </VULN>
        </VULN_LIST>
    </RESPONSE>
</KNOWLEDGE_BASE_VULN_LIST_OUTPUT>

Sample - Vulnerabilities Modified After Date

Vulnerabilities modified by the service after August 20, 2024 that can be detected both remotely and with authentication (last_modified_by_service_after and discovery_method=RemoteAndAuthenticated combined).

API Request

curl --location 'https://<qualys_base_url>/api/3.0/fo/knowledge_base/vuln/?action=list&last_modified_by_service_after=2024-08-20&discovery_method=RemoteAndAuthenticated' \
--header 'X-Requested-With: curl demo 2' \
--header 'Authorization: Basic <base64-encoded username:password>'

XML Output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE KNOWLEDGE_BASE_VULN_LIST_OUTPUT SYSTEM "https://<qualys_base_url>/api/3.0/fo/knowledge_base/vuln/knowledge_base_vuln_list_output.dtd">
<KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
    <RESPONSE>
        <DATETIME>2024-09-03T11:00:08Z</DATETIME>
        <VULN_LIST>
            <VULN>
                <QID>12681</QID>
                <VULN_TYPE>Vulnerability</VULN_TYPE>
                <SEVERITY_LEVEL>4</SEVERITY_LEVEL>
                <TITLE>
                    <![CDATA[Adobe ColdFusion Information Disclosure Vulnerability (APSA13-03, APSB13-13)]]>
                </TITLE>
                <CATEGORY>CGI</CATEGORY>
                <LAST_SERVICE_MODIFICATION_DATETIME>2024-09-03T00:00:01Z</LAST_SERVICE_MODIFICATION_DATETIME>
                <PUBLISHED_DATETIME>2013-05-14T20:25:21Z</PUBLISHED_DATETIME>
                <CODE_MODIFIED_DATETIME>2013-05-14T20:25:21Z</CODE_MODIFIED_DATETIME>
                <BUGTRAQ_LIST>
                    <BUGTRAQ>
                        <ID>
                            <![CDATA[59773]]>
                        </ID>
                        <URL>
                            <![CDATA[https://url.com]]>
                        </URL>
                    </BUGTRAQ>
                </BUGTRAQ_LIST>
                <PATCHABLE>1</PATCHABLE>
                <PATCH_PUBLISHED_DATE>2013-05-14T00:00:00Z</PATCH_PUBLISHED_DATE>
                <SOFTWARE_LIST>
                    <SOFTWARE>
                        <PRODUCT>
                            <![CDATA[coldfusion]]>
                        </PRODUCT>
                        <VENDOR>
                            <![CDATA[adobe]]>
                        </VENDOR>
                    </SOFTWARE>
                </SOFTWARE_LIST>
                <VENDOR_REFERENCE_LIST>
                    <VENDOR_REFERENCE>
                        <ID>
                            <![CDATA[APSB13-13]]>
                        </ID>
                        <URL>
                            <![CDATA[https://url.com]]>
                        </URL>
                    </VENDOR_REFERENCE>
                </VENDOR_REFERENCE_LIST>
                <CVE_LIST>
                    <CVE>
                        <ID>
                            <![CDATA[CVE-2013-3336]]>
                        </ID>
                        <URL>
                            <![CDATA[url.com]]>
                        </URL>
                    </CVE>
                </CVE_LIST>
                <DIAGNOSIS>
                    <![CDATA[Adobe ColdFusion is an application for developing Web sites.]]>
                </DIAGNOSIS>
                <CONSEQUENCE>
                    <![CDATA[Exploitation allows an unauthorized user to remotely retrieve files stored on the server.]]>
                </CONSEQUENCE>
                <SOLUTION>
                    <![CDATA[The vendor has released a hotfix to patch this vulnerability.<P>
Workaround:<BR>
Restrict public access to the CFIDE/administrator, CFIDE/adminapi and CFIDE/gettingstarted directories.]]>
                </SOLUTION>
                <CORRELATION>
                    <EXPLOITS>
                        <EXPLT_SRC>
                            <SRC_NAME>
                                <![CDATA[coreimpact]]>
                            </SRC_NAME>
                            <EXPLT_LIST>
                                <EXPLT>
                                    <REF>
                                        <![CDATA[CVE-2013-3336]]>
                                    </REF>
                                    <DESC>
                                        <![CDATA[Adobe ColdFusion l10n.cfm Remote Code Execution Exploit]]>
                                    </DESC>
                                    <LINK>
                                        <![CDATA[https://url.com/core-labs/exploits]]>
                                    </LINK>
                                </EXPLT>
                            </EXPLT_LIST>
                        </EXPLT_SRC>
                        <EXPLT_SRC>
                            <SRC_NAME>
                                <![CDATA[nist-nvd2]]>
                            </SRC_NAME>
                            <EXPLT_LIST>
                                <EXPLT>
                                    <REF>
                                        <![CDATA[CVE-2013-3336]]>
                                    </REF>
                                    <DESC>
                                        <![CDATA[Unspecified vulnerability in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to read arbitrary files via unknown vectors.]]>
                                    </DESC>
                                    <LINK>
                                        <![CDATA[https://url.com/exploits/25305]]>
                                    </LINK>
                                </EXPLT>
                            </EXPLT_LIST>
                        </EXPLT_SRC>
                        <EXPLT_SRC>
                            <SRC_NAME>
                                <![CDATA[exploitdb]]>
                            </SRC_NAME>
                            <EXPLT_LIST>
                                <EXPLT>
                                    <REF>
                                        <![CDATA[CVE-2013-3336]]>
                                    </REF>
                                    <DESC>
                                        <![CDATA[ColdFusion 9-10 - Credential Disclosure]]>
                                    </DESC>
                                    <LINK>
                                        <![CDATA[https://url.com/exploits/25305]]>
                                    </LINK>
                                </EXPLT>
                            </EXPLT_LIST>
                        </EXPLT_SRC>
                    </EXPLOITS>
                </CORRELATION>
                <PCI_FLAG>1</PCI_FLAG>
                <THREAT_INTELLIGENCE>
                    <THREAT_INTEL id="12">
                        <![CDATA[Predicted_High_Risk]]>
                    </THREAT_INTEL>
                    <THREAT_INTEL id="14">
                        <![CDATA[Unauthenticated_Exploitation]]>
                    </THREAT_INTEL>
                    <THREAT_INTEL id="15">
                        <![CDATA[Remote_Code_Execution]]>
                    </THREAT_INTEL>
                </THREAT_INTELLIGENCE>
                <DISCOVERY>
                    <REMOTE>1</REMOTE>
                    <AUTH_TYPE_LIST>
                        <AUTH_TYPE>Windows</AUTH_TYPE>
                    </AUTH_TYPE_LIST>
                    <ADDITIONAL_INFO>Patch Available, Exploit Available</ADDITIONAL_INFO>
                </DISCOVERY>
            </VULN>
            <VULN>
                <QID>19088</QID>
                <VULN_TYPE>Vulnerability or Potential Vulnerability</VULN_TYPE>
                <SEVERITY_LEVEL>4</SEVERITY_LEVEL>
                <TITLE>
                    <![CDATA[IBM DB2 Remote Command Server Privilege Escalation Vulnerability]]>
                </TITLE>
                <CATEGORY>Database</CATEGORY>
                <LAST_SERVICE_MODIFICATION_DATETIME>2024-09-03T00:00:01Z</LAST_SERVICE_MODIFICATION_DATETIME>
                <PUBLISHED_DATETIME>2004-04-08T18:23:47Z</PUBLISHED_DATETIME>
                <BUGTRAQ_LIST>
                    <BUGTRAQ>
                        <ID>
                            <![CDATA[9821]]>
                        </ID>
                        <URL>
                            <![CDATA[https://url.com/bid/9821]]>
                        </URL>
                    </BUGTRAQ>
                </BUGTRAQ_LIST>
                <PATCHABLE>1</PATCHABLE>
                <PATCH_PUBLISHED_DATE>2004-02-20T00:00:00Z</PATCH_PUBLISHED_DATE>
                <SOFTWARE_LIST>
                    <SOFTWARE>
                        <PRODUCT>
                            <![CDATA[db2_universal_database]]>
                        </PRODUCT>
                        <VENDOR>
                            <![CDATA[ibm]]>
                        </VENDOR>
                    </SOFTWARE>
                </SOFTWARE_LIST>
                <VENDOR_REFERENCE_LIST>
                    <VENDOR_REFERENCE>
                        <ID>
                            <![CDATA[IY53894]]>
                        </ID>
                        <URL>
                            <![CDATA[https://url.com/support/docview.wss?uid=swg1IY53894]]>
                        </URL>
                    </VENDOR_REFERENCE>
                </VENDOR_REFERENCE_LIST>
                <CVE_LIST>
                    <CVE>
                        <ID>
                            <![CDATA[CVE-2004-0795]]>
                        </ID>
                        <URL>
                            <![CDATA[https://url.com/cgi-bin/cvename.cgi?name=CVE-2004-0795]]>
                        </URL>
                    </CVE>
                </CVE_LIST>
                <DIAGNOSIS>
                    <![CDATA[The database server includes a component called the Remote Command Server to facilitate execution of commands by remote clients.
<P>
IBM DB2 Remote Command Server is prone to a vulnerability that may permit authenticated users to gain administrative access to the underlying database.]]>
                </DIAGNOSIS>
                <CONSEQUENCE>
                    <![CDATA[By exploiting this vulnerability, an attacker may execute arbitrary commands with the escalated privileges of the &quot;db2admin&quot; account. This issue could be exploited by a Windows &quot;Guest&quot; account.]]>
                </CONSEQUENCE>
                <SOLUTION>
                    <![CDATA[Information about this issue is provided in <A HREF="http://www-01.ibm.com/support/docview.wss?uid=swg1IY53894" TARGET="_blank">APAR IY53894</A>. IBM has included a fix for this problem in<A HREF="http://www-01.ibm.com/support/docview.wss?rs=71&uid=swg27007053" TARGET="_blank">DB2 Version 8 FixPak 5</A>. ]]>
                </SOLUTION>
                <CORRELATION>
                    <EXPLOITS>
                        <EXPLT_SRC>
                            <SRC_NAME>
                                <![CDATA[metasploit]]>
                            </SRC_NAME>
                            <EXPLT_LIST>
                                <EXPLT>
                                    <REF>
                                        <![CDATA[CVE-2004-0795]]>
                                    </REF>
                                    <DESC>
                                        <![CDATA[IBM DB2 db2rcmd.exe Command Execution Vulnerability]]>
                                    </DESC>
                                    <LINK>
                                        <![CDATA[https://url.com/rapid7/metasploit-framework/master/modules/auxiliary/admin/db2/db2rcmd.rb]]>
                                    </LINK>
                                </EXPLT>
                            </EXPLT_LIST>
                        </EXPLT_SRC>
                        <EXPLT_SRC>
                            <SRC_NAME>
                                <![CDATA[Metasploit]]>
                            </SRC_NAME>
                            <EXPLT_LIST>
                                <EXPLT>
                                    <REF>
                                        <![CDATA[CVE-2004-0795]]>
                                    </REF>
                                    <DESC>
                                        <![CDATA[IBM DB2 db2rcmd.exe Command Execution Vulnerability - Metasploit Ref : /modules/auxiliary/admin/db2/db2rcmd]]>
                                    </DESC>
                                    <LINK>
                                        <![CDATA[https://url.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/db2/db2rcmd.rb]]>
                                    </LINK>
                                </EXPLT>
                            </EXPLT_LIST>
                        </EXPLT_SRC>
                        <EXPLT_SRC>
                            <SRC_NAME>
                                <![CDATA[packetstorm]]>
                            </SRC_NAME>
                            <EXPLT_LIST>
                                <EXPLT>
                                    <REF>
                                        <![CDATA[CVE-2004-0795]]>
                                    </REF>
                                    <DESC>
                                        <![CDATA[IBM DB2 Db2rcmd.exe Command Execution]]>
                                    </DESC>
                                    <LINK>
                                        <![CDATA[https://url.com/files/180775/IBM-DB2-Db2rcmd.exe-Command-Execution.html]]>
                                    </LINK>
                                </EXPLT>
                            </EXPLT_LIST>
                        </EXPLT_SRC>
                    </EXPLOITS>
                </CORRELATION>
                <PCI_FLAG>1</PCI_FLAG>
                <THREAT_INTELLIGENCE>
                    <THREAT_INTEL id="5">
                        <![CDATA[Easy_Exploit]]>
                    </THREAT_INTEL>
                    <THREAT_INTEL id="6">
                        <![CDATA[High_Data_Loss]]>
                    </THREAT_INTEL>
                    <THREAT_INTEL id="7">
                        <![CDATA[Denial_of_Service]]>
                    </THREAT_INTEL>
                    <THREAT_INTEL id="13">
                        <![CDATA[Privilege_Escalation]]>
                    </THREAT_INTEL>
                </THREAT_INTELLIGENCE>
                <DISCOVERY>
                    <REMOTE>1</REMOTE>
                    <AUTH_TYPE_LIST>
                        <AUTH_TYPE>Windows</AUTH_TYPE>
                    </AUTH_TYPE_LIST>
                    <ADDITIONAL_INFO>Patch Available, Exploit Available</ADDITIONAL_INFO>
                </DISCOVERY>
            </VULN>
        </VULN_LIST>
    </RESPONSE>
</KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
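Every sample on this page returns the same KNOWLEDGE_BASE_VULN_LIST_OUTPUT shape, whichever filter selects the QIDs: CDATA-wrapped text, THREAT_INTEL elements keyed by an id attribute, an optional CORRELATION/EXPLOITS block (sometimes holding an empty EXPLT_SRC, as in the PhotonOS sample), and a DISCOVERY block. The Python script below is an added example, not Qualys code. It parses a constructed, trimmed response modelled on the samples above into records, skips the empty EXPLT_SRC case, and ranks the remotely detectable QIDs that have a correlated exploit or the Exploit_Public flag. The endpoint path, the action and filter parameter names, and the X-Requested-With and Basic Authorization headers come from the curl samples; KbVuln, parse_kb_vulns, triage, fetch_kb, the header value "kb-triage example" and the triage rule itself are the example's own assumptions.

```python
# Added example (not Qualys code): parse KnowledgeBase vuln list output and rank the QIDs to
# triage first.  SAMPLE_XML is a constructed, trimmed response modelled on the samples above.
import base64
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE KNOWLEDGE_BASE_VULN_LIST_OUTPUT SYSTEM "knowledge_base_vuln_list_output.dtd">
<KNOWLEDGE_BASE_VULN_LIST_OUTPUT><RESPONSE><DATETIME>2024-09-03T11:00:08Z</DATETIME><VULN_LIST>
<VULN><QID>12681</QID><VULN_TYPE>Vulnerability</VULN_TYPE><SEVERITY_LEVEL>4</SEVERITY_LEVEL>
 <TITLE>
   <![CDATA[Adobe ColdFusion Information Disclosure Vulnerability (APSA13-03, APSB13-13)]]>
 </TITLE>
 <PATCHABLE>1</PATCHABLE>
 <CVE_LIST><CVE><ID><![CDATA[CVE-2013-3336]]></ID><URL><![CDATA[https://url.com]]></URL></CVE></CVE_LIST>
 <CORRELATION><EXPLOITS><EXPLT_SRC><SRC_NAME><![CDATA[exploitdb]]></SRC_NAME><EXPLT_LIST>
   <EXPLT><REF><![CDATA[CVE-2013-3336]]></REF><DESC><![CDATA[ColdFusion 9-10 - Credential Disclosure]]></DESC></EXPLT>
 </EXPLT_LIST></EXPLT_SRC></EXPLOITS></CORRELATION>
 <PCI_FLAG>1</PCI_FLAG>
 <THREAT_INTELLIGENCE><THREAT_INTEL id="14"><![CDATA[Unauthenticated_Exploitation]]></THREAT_INTEL>
  <THREAT_INTEL id="15"><![CDATA[Remote_Code_Execution]]></THREAT_INTEL></THREAT_INTELLIGENCE>
 <DISCOVERY><REMOTE>1</REMOTE><AUTH_TYPE_LIST><AUTH_TYPE>Windows</AUTH_TYPE></AUTH_TYPE_LIST></DISCOVERY>
</VULN>
<VULN><QID>152263</QID><VULN_TYPE>Potential Vulnerability</VULN_TYPE><SEVERITY_LEVEL>4</SEVERITY_LEVEL>
 <TITLE><![CDATA[WordPress Unseen Blog Theme: PHP Object Injection Vulnerability (CVE-2024-7432)]]></TITLE>
 <PATCHABLE>0</PATCHABLE>
 <CVE_LIST><CVE><ID><![CDATA[CVE-2024-7432]]></ID></CVE></CVE_LIST>
 <CORRELATION><EXPLOITS><EXPLT_SRC>
 </EXPLT_SRC></EXPLOITS></CORRELATION>
 <PCI_FLAG>1</PCI_FLAG>
 <THREAT_INTELLIGENCE><THREAT_INTEL id="5"><![CDATA[Easy_Exploit]]></THREAT_INTEL>
  <THREAT_INTEL id="8"><![CDATA[No_Patch]]></THREAT_INTEL></THREAT_INTELLIGENCE>
 <DISCOVERY><REMOTE>1</REMOTE></DISCOVERY>
</VULN>
</VULN_LIST></RESPONSE></KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
"""


@dataclass
class KbVuln:
    qid: int
    vuln_type: str         # "Vulnerability", "Potential Vulnerability", ...
    severity: int
    title: str
    patchable: bool
    cves: list
    threat_intel: dict     # THREAT_INTEL id -> name, e.g. {15: "Remote_Code_Execution"}
    exploit_sources: list  # SRC_NAME values under CORRELATION/EXPLOITS
    remote: bool           # DISCOVERY/REMOTE == 1
    pci: bool              # PCI_FLAG == 1


def _text(node, path, default=""):
    """Stripped text of the first child at path (CDATA padding is just whitespace)."""
    child = node.find(path)
    return (child.text or "").strip() if child is not None else default


def parse_kb_vulns(xml_text):
    """Turn a KNOWLEDGE_BASE_VULN_LIST_OUTPUT document into KbVuln records."""
    # ElementTree does not fetch the DTD named in the DOCTYPE; use defusedxml for untrusted XML.
    vulns = []
    for v in ET.fromstring(xml_text).iter("VULN"):
        vulns.append(KbVuln(
            qid=int(_text(v, "QID")),
            vuln_type=_text(v, "VULN_TYPE"),
            severity=int(_text(v, "SEVERITY_LEVEL")),
            title=_text(v, "TITLE"),
            patchable=_text(v, "PATCHABLE") == "1",
            cves=[_text(c, "ID") for c in v.findall("CVE_LIST/CVE")],
            threat_intel={int(t.get("id")): (t.text or "").strip()
                          for t in v.findall("THREAT_INTELLIGENCE/THREAT_INTEL")},
            # An EXPLT_SRC can be empty (see the PhotonOS sample above): skip those.
            exploit_sources=[_text(s, "SRC_NAME") for s in v.findall("CORRELATION/EXPLOITS/EXPLT_SRC")
                             if s.find("SRC_NAME") is not None],
            remote=_text(v, "DISCOVERY/REMOTE") == "1",
            pci=_text(v, "PCI_FLAG") == "1",
        ))
    return vulns


def triage(vulns, min_severity=4):
    """Remotely detectable vulns with a correlated exploit or the Exploit_Public flag, highest
    severity first.  Patch state is reported, not filtered on: a No_Patch QID still needs a mitigation."""
    picked = [v for v in vulns if v.severity >= min_severity and v.remote
              and (v.exploit_sources or "Exploit_Public" in v.threat_intel.values())]
    return sorted(picked, key=lambda v: (-v.severity, v.qid))


def fetch_kb(base_url, username, password, **filters):
    """GET /api/3.0/fo/knowledge_base/vuln/?action=list&<filters> with HTTP Basic auth and the
    X-Requested-With header the curl samples send.  Not exercised offline."""
    query = urllib.parse.urlencode({"action": "list", **filters})
    req = urllib.request.Request(f"{base_url}/api/3.0/fo/knowledge_base/vuln/?{query}")
    req.add_header("Authorization", "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode())
    req.add_header("X-Requested-With", "kb-triage example")
    with urllib.request.urlopen(req, timeout=300) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":  # offline run; swap SAMPLE_XML for fetch_kb(...) output for live data
    for v in triage(parse_kb_vulns(SAMPLE_XML)):
        print(v.qid, v.severity, v.title, v.cves, v.exploit_sources, "patchable" if v.patchable else "no patch")
```

Run as a script it triages the constructed sample and prints QID 12681 only: QID 152263 is remote and Easy_Exploit but has neither a correlated exploit source nor the Exploit_Public flag. For live data call fetch_kb with the subscription's platform URL and the same filter names as the curl samples (for example last_modified_by_service_after="2024-08-20") and pass the returned text to parse_kb_vulns. The THREAT_INTEL id is kept alongside the name so a richer ranking can key on either.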

Sample - List the QIDs whose detection code was modified within a date range

Vulnerabilities whose detection code was modified after October 27, 2024 and before October 28, 2024 (code_modified_after and code_modified_before combined).

API Request

curl --location 'https://<qualys_base_url>/api/3.0/fo/knowledge_base/vuln/?action=list&code_modified_after=2024-10-27&code_modified_before=2024-10-28' \
--header 'X-Requested-With: curl' \
--header 'Authorization: Basic <base64-encoded username:password>'

XML Output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE KNOWLEDGE_BASE_VULN_LIST_OUTPUT SYSTEM "https://<qualys_base_url>/api/3.0/fo/knowledge_base/vuln/knowledge_base_vuln_list_output.dtd">
<KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
    <RESPONSE>
        <DATETIME>2024-10-28T07:32:48Z</DATETIME>
        <VULN_LIST>
            <VULN>
                <QID>152263</QID>
                <VULN_TYPE>Potential Vulnerability</VULN_TYPE>
                <SEVERITY_LEVEL>4</SEVERITY_LEVEL>
                <TITLE>
                    <![CDATA[WordPress Unseen Blog Theme: PHP Object Injection Vulnerability (CVE-2024-7432)]]>
                </TITLE>
                <CATEGORY>Web Application</CATEGORY>
                <LAST_SERVICE_MODIFICATION_DATETIME>2024-10-27T18:12:51Z</LAST_SERVICE_MODIFICATION_DATETIME>
                <PUBLISHED_DATETIME>2024-10-27T15:03:21Z</PUBLISHED_DATETIME>
                <CODE_MODIFIED_DATETIME>2024-10-27T15:03:21Z</CODE_MODIFIED_DATETIME>
                <PATCHABLE>0</PATCHABLE>
                <SOFTWARE_LIST>
                    <SOFTWARE>
                        <PRODUCT>
                            <![CDATA[None]]>
                        </PRODUCT>
                        <VENDOR>
                            <![CDATA[wordpress]]>
                        </VENDOR>
                    </SOFTWARE>
                </SOFTWARE_LIST>
                <VENDOR_REFERENCE_LIST>
                    <VENDOR_REFERENCE>
                        <ID>
                            <![CDATA[Unseen Blog Changelog]]>
                        </ID>
                        <URL>
                            <![CDATA[https://ultrapress.org/changelog/]]>
                        </URL>
                    </VENDOR_REFERENCE>
                </VENDOR_REFERENCE_LIST>
                <CVE_LIST>
                    <CVE>
                        <ID>
                            <![CDATA[CVE-2024-7432]]>
                        </ID>
                        <URL>
                            <![CDATA[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7432]]>
                        </URL>
                    </CVE>
                </CVE_LIST>
                <DIAGNOSIS>
                    <![CDATA[WordPress Unseen Blog is a free WordPress theme which is light weight, super fast, fully customizable, easy to use and is best for lead generation for any coaching business. <P>
Unseen Blog Theme is vulnerable to PHP Object Injection.<P>
Affected Versions:<BR> WordPress Unseen Blog Theme versions up to and including 1.0.0<P>
QID Detection Logic:<BR> This QID sends a HTTP GET request and checks for vulnerable version of Unseen Blog theme running on the target application.<P>]]>
                </DIAGNOSIS>
                <CONSEQUENCE>
                    <![CDATA[Successful exploitation of this vulnerability could allow authenticated attackers with Contributor-level access and above to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.<P>]]>
                </CONSEQUENCE>
                <SOLUTION>
                    <![CDATA[Customers are advised to refer to <A HREF="https://ultrapress.org/changelog/" TARGET="_blank">Unseen Blog Theme Changelog</A> for updates to remediate this vulnerability.]]>
                </SOLUTION>
                <PCI_FLAG>1</PCI_FLAG>
                <THREAT_INTELLIGENCE>
                    <THREAT_INTEL id="4">
                        <![CDATA[High_Lateral_Movement]]>
                    </THREAT_INTEL>
                    <THREAT_INTEL id="5">
                        <![CDATA[Easy_Exploit]]>
                    </THREAT_INTEL>
                    <THREAT_INTEL id="6">
                        <![CDATA[High_Data_Loss]]>
                    </THREAT_INTEL>
                    <THREAT_INTEL id="7">
                        <![CDATA[Denial_of_Service]]>
                    </THREAT_INTEL>
                    <THREAT_INTEL id="8">
                        <![CDATA[No_Patch]]>
                    </THREAT_INTEL>
                </THREAT_INTELLIGENCE>
                <DISCOVERY>
                    <REMOTE>1</REMOTE>
                </DISCOVERY>
            </VULN>
            <VULN>
                <QID>152299</QID>
                <VULN_TYPE>Potential Vulnerability</VULN_TYPE>
                <SEVERITY_LEVEL>4</SEVERITY_LEVEL>
                <TITLE>
                    <![CDATA[WordPress Pretix Widget Plugin: Local File Inclusion Vulnerability (CVE-2024-9575)]]>
                </TITLE>
                <CATEGORY>Web Application</CATEGORY>
                <LAST_SERVICE_MODIFICATION_DATETIME>2024-10-27T18:09:47Z</LAST_SERVICE_MODIFICATION_DATETIME>
                <PUBLISHED_DATETIME>2024-10-27T15:39:56Z</PUBLISHED_DATETIME>
                <CODE_MODIFIED_DATETIME>2024-10-27T15:39:56Z</CODE_MODIFIED_DATETIME>
                <PATCHABLE>1</PATCHABLE>
                <PATCH_PUBLISHED_DATE>2024-10-10T00:00:00Z</PATCH_PUBLISHED_DATE>
                <SOFTWARE_LIST>
                    <SOFTWARE>
                        <PRODUCT>
                            <![CDATA[None]]>
                        </PRODUCT>
                        <VENDOR>
                            <![CDATA[wordpress]]>
                        </VENDOR>
                    </SOFTWARE>
                </SOFTWARE_LIST>
                <VENDOR_REFERENCE_LIST>
                    <VENDOR_REFERENCE>
                        <ID>
                            <![CDATA[Pretix Widget Changelog]]>
                        </ID>
                        <URL>
                            <![CDATA[https://wordpress.org/plugins/pretix-widget/#developers]]>
                        </URL>
                    </VENDOR_REFERENCE>
                </VENDOR_REFERENCE_LIST>
                <CVE_LIST>
                    <CVE>
                        <ID>
                            <![CDATA[CVE-2024-9575]]>
                        </ID>
                        <URL>
                            <![CDATA[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9575]]>
                        </URL>
                    </CVE>
                </CVE_LIST>
                <DIAGNOSIS>
                    <![CDATA[The pretix widget allows us to easily display pretix ticket widgets on a website by customizing the display of any pretix tickets and providing a seamless ticket booking experience for users. <P>
WordPress pretix widget plugin is vulnerable to Local File Inclusion vulnerability in Windows.<P>
Affected Versions:<BR> pretix widget plugin versions starting from 1.0.0 up to, and including 1.0.5<P>
QID Detection Logic:<BR> This QID sends a HTTP GET request and checks for vulnerable version of pretix widget plugin running on the target application.<P>]]>
                </DIAGNOSIS>
                <CONSEQUENCE>
                    <![CDATA[Successful exploitation of this vulnerability could allow unauthenticated attacker to cause arbitrary .php files of the system to be included on the page, including possible directory traversal.<P>]]>
                </CONSEQUENCE>
                <SOLUTION>
                    <![CDATA[Customers are advised to upgrade to <A HREF="https://latepoint.com/changelog/" TARGET="_blank">pretix widget plugin 1.0.6</A> or later version to remediate this vulnerability.]]>
                </SOLUTION>
                <PCI_FLAG>1</PCI_FLAG>
                <THREAT_INTELLIGENCE>
                    <THREAT_INTEL id="5">
                        <![CDATA[Easy_Exploit]]>
                    </THREAT_INTEL>
                </THREAT_INTELLIGENCE>
                <DISCOVERY>
                    <REMOTE>1</REMOTE>
                    <ADDITIONAL_INFO>Patch Available</ADDITIONAL_INFO>
                </DISCOVERY>
            </VULN>
        </VULN_LIST>
    </RESPONSE>
</KNOWLEDGE_BASE_VULN_LIST_OUTPUT>

Sample - List the QIDs that exactly match a given CVE

Vulnerabilities whose CVE list contains CVE-1999-0527, selected with the cve parameter (exact match).

API Request

curl --location --request POST 'https://<qualys_base_url>/api/3.0/fo/knowledge_base/vuln/index.php?action=list&cve=CVE-1999-0527' \
--header 'X-Requested-With: curl demo 2' \
--header 'Authorization: Basic <base64-encoded username:password>'

XML Output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE KNOWLEDGE_BASE_VULN_LIST_OUTPUT SYSTEM "https://<qualys_base_url>/api/3.0/fo/knowledge_base/vuln/knowledge_base_vuln_list_output.dtd">
<KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
    <RESPONSE>
        <DATETIME>2024-10-28T07:21:55Z</DATETIME>
        <VULN_LIST>
            <VULN>
                <QID>27002</QID>
                <VULN_TYPE>Vulnerability</VULN_TYPE>
                <SEVERITY_LEVEL>5</SEVERITY_LEVEL>
                <TITLE>
                    <![CDATA[Writeable Root Directory on FTP Server]]>
                </TITLE>
                <CATEGORY>File Transfer Protocol</CATEGORY>
                <LAST_SERVICE_MODIFICATION_DATETIME>2009-07-08T17:28:46Z</LAST_SERVICE_MODIFICATION_DATETIME>
                <PUBLISHED_DATETIME>1999-01-01T08:00:00Z</PUBLISHED_DATETIME>
                <PATCHABLE>0</PATCHABLE>
                <CVE_LIST>
                    <CVE>
                        <ID>
                            <![CDATA[CVE-1999-0527]]>
                        </ID>
                        <URL>
                            <![CDATA[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0527]]>
                        </URL>
                    </CVE>
                </CVE_LIST>
                <DIAGNOSIS>
                    <![CDATA[The FTP server has a world writeable root directory.  The root directory of your FTP server can therefore be written-to by any user.]]>
                </DIAGNOSIS>
                <CONSEQUENCE>
                    <![CDATA[Writeable FTP servers are commonly abused by unauthorized users to upload movies, pornography, pirated software and other &quot;warez&quot;. Sometimes the secondary storage is completely filled up resulting in performance degradation or even complete failure.
<P>For some FTP servers, the FTP root directory contains configuration files. Allowing write permissions may allow an anonymous user to overwrite these configuration files.
<P>In addition for UNIX, unauthorized users could place a &quot;.forward&quot; or an &quot;.rhosts&quot; file in this directory.  &quot;.forward&quot; files may contain commands to be executed each time the anonymous user receives an e-mail message.  &quot;.rhosts&quot; files contain hostnames from which any user will be able to connect to this host without a password.  Thus, the unauthorized user can add the .rhosts file using their own hostname.  They can then log in with rsh, rlogin or rexec service. These two files are commonly used to compromise servers.]]>
                </CONSEQUENCE>
                <SOLUTION>
                    <![CDATA[Disable write access for unauthorized users in the root directory of the FTP server.
<P>For UNIX:<BR>
$ chmod o-w path/to/ftp/root/directory
<P>For Microsoft IIS 6:<BR>
1.  Click Start, point to Administrative Tools, and then click Internet Information Services (IIS).<BR>
2.  In IIS Manager, expand the local computer, expand the FTP Sites folder, right-click the FTP site in question, and click Properties.<BR>
3.  Click the Home Directory tab and deselect the Write checkbox; click OK.<BR>
4.  For advanced permissions, refer to step 2 and click Permissions instead of Properties; then click Advanced Permissions.<BR><P> For other versions of IIS, please refer to the Microsoft website.
]]>
                </SOLUTION>
                <PCI_FLAG>1</PCI_FLAG>
                <THREAT_INTELLIGENCE>
                    <THREAT_INTEL id="4">
                        <![CDATA[High_Lateral_Movement]]>
                    </THREAT_INTEL>
                    <THREAT_INTEL id="5">
                        <![CDATA[Easy_Exploit]]>
                    </THREAT_INTEL>
                    <THREAT_INTEL id="6">
                        <![CDATA[High_Data_Loss]]>
                    </THREAT_INTEL>
                    <THREAT_INTEL id="7">
                        <![CDATA[Denial_of_Service]]>
                    </THREAT_INTEL>
                    <THREAT_INTEL id="8">
                        <![CDATA[No_Patch]]>
                    </THREAT_INTEL>
                    <THREAT_INTEL id="14">
                        <![CDATA[Unauthenticated_Exploitation]]>
                    </THREAT_INTEL>
                    <THREAT_INTEL id="15">
                        <![CDATA[Remote_Code_Execution]]>
                    </THREAT_INTEL>
                </THREAT_INTELLIGENCE>
                <DISCOVERY>
                    <REMOTE>1</REMOTE>
                </DISCOVERY>
            </VULN>
            <VULN>
                <QID>27005</QID>
                <VULN_TYPE>Vulnerability</VULN_TYPE>
                <SEVERITY_LEVEL>3</SEVERITY_LEVEL>
                <TITLE>
                    <![CDATA[World Readable and Writable Directory on Anonymous FTP]]>
                </TITLE>
                <CATEGORY>File Transfer Protocol</CATEGORY>
                <LAST_SERVICE_MODIFICATION_DATETIME>2020-11-23T18:43:15Z</LAST_SERVICE_MODIFICATION_DATETIME>
                <PUBLISHED_DATETIME>1999-01-01T08:00:00Z</PUBLISHED_DATETIME>
                <PATCHABLE>0</PATCHABLE>
                <CVE_LIST>
                    <CVE>
                        <ID>
                            <![CDATA[CVE-1999-0527]]>
                        </ID>
                        <URL>
                            <![CDATA[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0527]]>
                        </URL>
                    </CVE>
                </CVE_LIST>
                <DIAGNOSIS>
                    <![CDATA[Your FTP server contains a directory with dangerous permissions. This directory is world writable and world readable.  If this is an incoming directory, users should not be able to list the it's contents.
]]>
                </DIAGNOSIS>
                <CONSEQUENCE>
                    <![CDATA[Unauthorized users can write to your FTP server. This FTP directory can be used as a pirate software repository or for adult picture exchanges. You also run the risk of receiving virus or Trojan programs. Do not run unknown files from this area. ]]>
                </CONSEQUENCE>
                <SOLUTION>
                    <![CDATA[Unless they are required, remove the directories. Otherwise, make sure that no hidden directories are used for illegal purposes.  These hidden directories may be named with control characters or begin with a dot (.), making it harder to detect and remove them.
<P>
Frequently monitor your FTP server directories. You can schedule a repetitive task with the cron command under Unix, which will execute the following command every week:
<P><DL><DD>find ~ftp/ -print</DD></DL><P>
This will regularly inform you of all files in this area, and advise you whether or not they are writeable and readable.]]>
                </SOLUTION>
                <PCI_FLAG>1</PCI_FLAG>
                <THREAT_INTELLIGENCE>
                    <THREAT_INTEL id="4">
                        <![CDATA[High_Lateral_Movement]]>
                    </THREAT_INTEL>
                    <THREAT_INTEL id="5">
                        <![CDATA[Easy_Exploit]]>
                    </THREAT_INTEL>
                    <THREAT_INTEL id="6">
                        <![CDATA[High_Data_Loss]]>
                    </THREAT_INTEL>
                    <THREAT_INTEL id="7">
                        <![CDATA[Denial_of_Service]]>
                    </THREAT_INTEL>
                    <THREAT_INTEL id="8">
                        <![CDATA[No_Patch]]>
                    </THREAT_INTEL>
                    <THREAT_INTEL id="14">
                        <![CDATA[Unauthenticated_Exploitation]]>
                    </THREAT_INTEL>
                    <THREAT_INTEL id="15">
                        <![CDATA[Remote_Code_Execution]]>
                    </THREAT_INTEL>
                </THREAT_INTELLIGENCE>
                <DISCOVERY>
                    <REMOTE>1</REMOTE>
                </DISCOVERY>
            </VULN>
...
        </VULN_LIST>
    </RESPONSE>
</KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
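The response above is what a KnowledgeBase sync job has to turn into something useful: a CVE-to-QID index (one CVE can cover several QIDs, as CVE-1999-0527 does here), a triage filter on SEVERITY_LEVEL, DISCOVERY/REMOTE and the THREAT_INTEL labels, and the authenticated request that produced it. The Python below is an added example, not Qualys code. It relies only on the element names visible in the sample output; SAMPLE_XML is a constructed, trimmed copy of that output, and qualys_base_url, the credentials and the X-Requested-With value are placeholders. Note that the DOCTYPE points at an external DTD: Python's expat-based ElementTree does not fetch it, so parsing stays offline; if you parse with lxml instead, keep its default no_network=True and set resolve_entities=False so a tampered response cannot pull in external entities.

```python
import base64
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed, trimmed copy of the sample response above (not live API output).
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE KNOWLEDGE_BASE_VULN_LIST_OUTPUT SYSTEM "https://qualys_base_url/api/3.0/fo/knowledge_base/vuln/knowledge_base_vuln_list_output.dtd">
<KNOWLEDGE_BASE_VULN_LIST_OUTPUT><RESPONSE><VULN_LIST>
  <VULN>
    <QID>27002</QID><SEVERITY_LEVEL>5</SEVERITY_LEVEL><PATCHABLE>0</PATCHABLE>
    <TITLE>
        <![CDATA[Writeable Root Directory on FTP Server]]>
    </TITLE>
    <CVE_LIST><CVE><ID><![CDATA[CVE-1999-0527]]></ID></CVE></CVE_LIST>
    <THREAT_INTELLIGENCE>
      <THREAT_INTEL id="5"><![CDATA[Easy_Exploit]]></THREAT_INTEL>
      <THREAT_INTEL id="8"><![CDATA[No_Patch]]></THREAT_INTEL>
      <THREAT_INTEL id="14"><![CDATA[Unauthenticated_Exploitation]]></THREAT_INTEL>
    </THREAT_INTELLIGENCE>
    <DISCOVERY><REMOTE>1</REMOTE></DISCOVERY>
  </VULN>
  <VULN>
    <QID>27005</QID><SEVERITY_LEVEL>3</SEVERITY_LEVEL><PATCHABLE>0</PATCHABLE>
    <TITLE><![CDATA[World Readable and Writable Directory on Anonymous FTP]]></TITLE>
    <CVE_LIST><CVE><ID><![CDATA[CVE-1999-0527]]></ID></CVE></CVE_LIST>
    <THREAT_INTELLIGENCE>
      <THREAT_INTEL id="8"><![CDATA[No_Patch]]></THREAT_INTEL>
      <THREAT_INTEL id="14"><![CDATA[Unauthenticated_Exploitation]]></THREAT_INTEL>
    </THREAT_INTELLIGENCE>
    <DISCOVERY><REMOTE>1</REMOTE></DISCOVERY>
  </VULN>
</VULN_LIST></RESPONSE></KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
"""

@dataclass
class KbVuln:
    qid: int
    severity: int
    title: str
    patchable: bool
    remote: bool                    # DISCOVERY/REMOTE: detectable without credentials
    cves: list = field(default_factory=list)
    threat_intel: dict = field(default_factory=dict)   # THREAT_INTEL id -> label

def _text(elem, path, default=""):
    """Child text with the whitespace that surrounds CDATA blocks stripped."""
    child = elem.find(path)
    return (child.text or "").strip() if child is not None else default

def parse_kb(xml_bytes):
    """Parse KNOWLEDGE_BASE_VULN_LIST_OUTPUT. expat does not fetch the external
    DTD in the DOCTYPE, so this stays offline (with lxml set resolve_entities=False)."""
    vulns = []
    for v in ET.fromstring(xml_bytes).iterfind("./RESPONSE/VULN_LIST/VULN"):
        vulns.append(KbVuln(
            qid=int(_text(v, "QID")),
            severity=int(_text(v, "SEVERITY_LEVEL", "0")),
            title=_text(v, "TITLE"),
            patchable=_text(v, "PATCHABLE") == "1",
            remote=_text(v, "DISCOVERY/REMOTE") == "1",
            cves=[_text(c, "ID") for c in v.iterfind("CVE_LIST/CVE")],
            threat_intel={int(t.get("id", 0)): (t.text or "").strip()
                          for t in v.iterfind("THREAT_INTELLIGENCE/THREAT_INTEL")},
        ))
    return vulns

def cve_to_qids(vulns):
    """Invert the CVE lists: one CVE can cover several QIDs, as above."""
    index = {}
    for v in vulns:
        for cve in v.cves:
            index.setdefault(cve, []).append(v.qid)
    return index

def actionable(vulns, min_severity=4):
    """Severe, remotely detectable QIDs that need no credentials to exploit."""
    return [v for v in vulns if v.severity >= min_severity and v.remote
            and "Unauthenticated_Exploitation" in v.threat_intel.values()]

def build_request(base_url, username, password, **params):
    """The request behind the curl sample, built but not sent. HTTP Basic auth
    is what 'encoded username:password' means; X-Requested-With is mandatory."""
    query = urllib.parse.urlencode({"action": "list", **params})
    url = f"{base_url.rstrip('/')}/api/3.0/fo/knowledge_base/vuln/?{query}"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, method="GET")
    req.add_header("X-Requested-With", "python kb sync")   # any non-empty value
    req.add_header("Authorization", f"Basic {token}")
    return req

if __name__ == "__main__":
    kb = parse_kb(SAMPLE_XML)   # swap for urllib.request.urlopen(build_request(...)).read()
    print(cve_to_qids(kb), [v.qid for v in actionable(kb)])
```

Two design points: text is always stripped, because the API emits CDATA on its own indented line, so naive `.text` comparisons against "1" silently fail; and the triage filter keys on the THREAT_INTEL labels rather than on the numeric ids, since the labels are what the page documents. For a full download, pass ids, id_min/id_max or is_patchable through build_request exactly as listed in the parameter table and page through the result in QID ranges rather than pulling the whole KnowledgeBase in one request.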

DTD

<platform API server>/api/3.0/fo/knowledge_base/vuln/knowledge_base_vuln_list_output.dtd

API Version History

The following table lists the versions of this API with the status and release date of each:

API Version                                     API Status         Release Date
/api/2.0/fo/knowledge_base/vuln/?action=list    To be deprecated   March 2025
/api/3.0/fo/knowledge_base/vuln/?action=list    Active             September 2024
