I am just curious why does Qualys manage 2 separate knowledge bases for VM and WAS?
For example the vulnerability CVE-2014-7236 is a TWiki related remote code execution vulnerability but it is not there in the WAS database. It can be exploited by a specially crafted http request. So, it should be listed in WAS but it is not.
Please help me understand why Qualys behaves in such a way.