Web Application Detections—May 2024

In May, the Qualys Web Application Scanning (WAS) team issued a critical security signatures update. This update expands the scope to detect vulnerabilities in several widely-used software applications, including WordPress, NEOSDiscovery, Zabbix, CData, BIG-IP Next Central Manager, Apache OFBiz, Apache Superset, jQuery, Cacti, Ivanti Endpoint Manager Mobile (EPMM), Nexus Repository 3, JetBrains TeamCity, Atlassian Confluence Data Center and Server, Next.js, OpenSSL and Tinyproxy. Additionally, WAS has introduced new QIDs for identifying weak Cookies, Server Side Request Forgery, Presence of Privacy Policy Information, HTTP Method Tampering, Source code disclosure, Pixel or web beacon tracking technology, HTTP TRACE method and Cross Site Tracing.

The following table lists the new QIDs. 

QID Title
150319 Weak Cookies in Use
150743 Potential SSRF
150796 Presence of Privacy Policy Information
150798 HTTP Method Tampering
150811 Source Code Disclosure
150814 Pixel or Web Beacon Tracking Technology Found
150823 HTTP TRACE Method Detected
150844 Cross-Site Tracing Found
150879 WordPress All in One SEO Pack Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-3368)
150881 NEOSDiscovery Reverse Tabnabbing Vulnerability (CVE-2022-4927)
150889 Zabbix Cross-Site Scripting Vulnerability (CVE-2024-22119)
150890 WordPress Forminator Plugin: File Upload Vulnerability (CVE-2024-28890)
150901 WordPress Forminator Plugin: SQL injection Vulnerability (CVE-2024-31077)
150902 WordPress Forminator Plugin: Cross-Site Scripting (XSS) Vulnerability (CVE-2024-31857)
150903 WordPress Essential Addons for Elementor Plugin: Information Exposure Vulnerability (CVE-2024-3733)
150904 WordPress KingComposer Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2021-25048)
150906 CData Multiple Products Path Traversal Vulnerability
150909 WordPress User Meta Plugin: Sensitive Information Exposure Vulnerability (CVE-2024-33575)
150915 BIG-IP Next Central Manager SQL Injection vulnerability (CVE-2024-26026)
150916 Apache OFBiz Path Traversal Vulnerability (CVE-2024-32113)
150917 Apache Superset Incorrect Authorization Vulnerability (CVE-2024-28148)
150918 jQuery Validation Plugin Regular Expression Denial of Service (ReDoS) Vulnerability (CVE-2021-21252)
150919 jQuery Validation Plugin Regular Expression Denial of Service (ReDoS) Vulnerability (CVE-2021-43306)
150920 jQuery Validation Plugin Regular Expression Denial of Service (ReDoS) Vulnerability (CVE-2022-31147)
150935 Zabbix SQL Injection Vulnerability (CVE-2024-22120)
150936 Cacti Prior to 1.2.27 Multiple Security Vulnerabilities
150937 Ivanti Endpoint Manager Mobile (EPMM) Multiple Vulnerabilities
150939 Nexus Repository 3 Path Traversal Vulnerability (CVE-2024-4956)
150940 WordPress Country State City Dropdown CF7 Plugin: Unauthenticated SQL Injection Vulnerability (CVE-2024-3495)
150941 JetBrains TeamCity Multiple Vulnerabilities (CVE-2024-35300, CVE-2024-35301)
150942 Atlassian Confluence Data Center and Server Remote Code Execution (RCE) Vulnerability (CVE-2024-21683)
151028 Vulnerable JavaScript Library Detected – Next.js
154156 WordPress Core Stored Cross-Site Scripting Vulnerability (CVE-2024-4439)
520016 Open Secure Sockets Layer (OpenSSL) Uncontrolled Resource Consumption (CVE-2024-2511)
520017 Tinyproxy HTTP Connection Headers Use After Free Vulnerability (CVE-2023-49606)

For details, refer to Web Application Detections Published in April 2025