The latest version of Acunetix Web Vulnerability Scanner, v15, was released on October 13, 2022. To make it easier for customers to access all relevant information, we have combined all updates for this edition into one post, with the latest information at the top. The post date will be updated as changes are made, making it a convenient reference for both current customers and those interested in the build history and feature implementations of this release.
What is new compared with the previous edition?
New Features
- Invicti Web Application Security Scanner
- Acunetix can now be installed on Redhat Enterprise Linux (RHEL) 9
- New navigation menu for a better user experience.
- Notification updates are shown for the last 30 days
IMPORTANT NOTE
Acunetix Premium 15.7.230616162 is the latest version available for installation on Windows 8, Server 2012, and Server 2012 R2. If you wish to receive new updates, we recommend updating your operating system to either Windows 10, Windows Server 2016, 2019, or 2022.
NEW SECURITY CHECKS
- Added a new security check for MOVEit Transfer SQL injection (CVE-2023-34362).
IMPROVEMENTS
- Updated the Software Composition Analysis (SCA) database.
- Updated the embedded Chromium browser to v109.0.5414.149 for Windows and 114.0.5735.110 for Linux.
v15.7.230603143 released on 05 Jun 2023
NEW FEATURES
- [Closed beta feature] Added support for internal site scanning.
NEW SECURITY CHECKS
- Added support for automated detection of WSDL during crawling.
- Added a new security check for SOAP WS-Addressing server-side request forgery.
IMPROVEMENTS
- .NET sensor supports .NET 6.0 for Windows and Linux.
- Updated the WordPress plugin vulnerabilities.
- Updated the WordPress core vulnerabilities.
- Updated the Software Composition Analysis (SCA) database.
FIXES
- Fixed the time validation issue on the Scheduling Scan dialog.
- Added time validation for scheduling scans.
v15.6.230505122 released on 09 May 2023
NEW SECURITY CHECKS
- Added SAML-related security checks.
- New security checks for the Adobe ColdFusion deserialization RCE vulnerabilities (CVE-2023-26359 and CVE-2023-26360).
- New security checks for GraphQL.
- New checks for Joomla vulnerabilities.
IMPROVEMENTS
- Updated the embedded Chromium browser to v109.0.5414.141 for Windows and 112.0.5615.165 for Linux.
- Improved the Business Logic Recorder to work with autocomplete fields.
- Updated .NET IAST AcuSensor to avoid reporting false positives for default server misconfiguration.
- Improved .NET IAST AcuSensor for reporting vulnerable packages.
- Added support for file upload to the Login Sequence Recorder and Business Logic Recorder.
- Improved response handling.
- Various DeepScan Improvements.
- Improved the coverage of the development file exposure check.
- Updated the Software Composition Analysis (SCA) database.
- Updated the WordPress plugin vulnerabilities.
FIXES
- Various fixes in the scanner to lower memory usage.
v15.5.230406089 released on 11 Apr 2023
FIXES
- Fixed scanner crash.
v15.5.230326230 released on 28 Mar 2023
- .NET Core AcuSensor now supports installing on Linux. Note: When upgrading, please use the new .NET IAST AcuSensor Installation Instructions.
SECURITY CHECKS
- Improved the Server-side prototype pollution check.
- Updated the WordPress plugin vulnerabilities.
- Updated the software composition analysis database.
IMPROVEMENTS
- Added sitemap parser to better handle the sitemap files.
- Improved the user interface to remove the hyperlink for websites that users do not have permission to access.
- Improved the scanner to identify XSS in forms protected by a CSRF token that changes each time the page is refreshed.
- Increased limit for data exchanged between IAST AcuSensors and the Acunetix engine.
- Improved the token validator for new Jira tokens.
FIXES
- Fixed the OpenVAS service on Acunetix Premium Online to avoid the scan queue.
- Fixed a bug that caused some vulnerability checks not to execute on scans that were paused and resumed.
- Fixed an issue with the request header limit for the GitHub/GitLab issue trackers.
- Fixed an issue with sending issues to Bugzilla.
- Fixed a bug that threw an internal server exception when a system admin tried to add a new user.
- Fixed a UI bug that appeared when the target type is network.
- Fixed an issue where rejected locations and schemes were still being scanned.
- Fixed an issue with corrupted links sent via email after a scan.
- Fixed the password reset issue.
- Fixed a possible false positive for the misconfiguration “ASP.NET expired session IDs are not regenerated”.
v15.4.3 released on 3 Mar 2023
NEW SECURITY CHECKS
- New security check for Fortinet RCE (CVE-2022-39952).
v15.4 released on 23 Feb 2023
NEW FEATURES
- Improved the default roles.
NEW SECURITY CHECKS
- Updated the WordPress plugin vulnerabilities.
- Updated the software composition analysis database.
- New security check for detection of ASP.NET core in the development mode.
- Added various checks for Content Security Policy misconfiguration.
- New security check for Oracle Web Applications Desktop Integrator unauthenticated takeover (CVE-2022-21587).
- New security check for the deserialization RCE vulnerability in Oracle Access Manager OpenSSO Agent (CVE-2021-35587).
- Updated the file extensions and parameter exclusions.
- New security check for F5 BIG-IP Cookie Remote Information Disclosure.
- New security check detecting retired hash functions usage in SAML.
- Improved the SQL injection check to identify whether the database user has admin privileges.
IMPROVEMENTS
- Added heuristic server-side routing detection to optimize attacks.
- Updated the embedded Chromium browser to v109.0.5414.119.
- Added a company name field to the Acunetix registration process.
- Updated the issue tracker integrations to show the link to the relevant ticket created in those issue trackers.
- Updated the DISA STIG report to version 5.2.
- Improved the CSV import link to limit the number of imported targets to 500.
- Improved the scanner engine to reduce the memory footprint.
- Improved the .NET IAST sensor to mask any password.
FIXES
- Fixed the pagination bug on the Targets page.
- Fixed a crawler issue where the page became unresponsive when it contained many elements.
- Fixed the single-page application crawler so that form submission is consistent.
- Fixed a notification bug that did not redirect users to the correct URL for the finished scan.
- Fixed a bug where the user interface was not refreshed after an update.
v15.3.1 released on 30 Jan 2023
FIXES
- Fixed update issues on Linux installations.
v15.3 released on 24 Jan 2023
NEW SECURITY CHECKS
- Added SAML anonymous assertion consumer service audit for XML external entity injection, XSLT, Server-side request forgery, and Cross-site scripting.
- Added a SAML signature audit to test attacks on signature verification.
- Added various checks for Content Security Policy misconfiguration.
- New security check for ASP.NET core development mode.
- Updated the WordPress core vulnerabilities.
- Updated the WordPress plugin vulnerabilities.
IMPROVEMENTS
- Updated the .NET IAST Sensor to detect a number of server-side configuration problems that may result in security vulnerabilities.
- Improved the JSON payload tests.
- Updated JWT secrets dictionary.
FIXES
- Fixed a bug in the PHP IAST sensor when reporting arrays to the scanner.
- Fixed the scan summary page that failed to show some of the results.
- Fixed issues in the UI Notifications causing them to be unactionable.
- Fixed a problem that caused the LSR to show the mobile version for some sites incorrectly.
- Fixed a .NET sensor issue that returned the root application's (website root) files even though the sensor was enabled for a sub-application.
- Fixed the version information shown on the user interface after the update.
- Fixed a routing issue for .NET Framework ASP.NET Web API caused by compatibility issues.
- Improved the logic sequence recorder notification that informs users when the maximum response size limit is exceeded.
- Fixed issue with pagination on the vulnerabilities page.
- Fixed a crawler issue where the page became unresponsive when it contained many elements.
v15.2 released on 13 Dec 2022
NEW SECURITY CHECKS
- Updated the WordPress plugin vulnerabilities.
- Added a check for the AjaxPro.NET Professional deserialization RCE (CVE-2021-23758).
- Improved the out-of-band detection.
IMPROVEMENTS
- Added ability to send HTTP requests to pre-request scripts.
- Various DeepScan improvements, generally improving the processing of JavaScript-rich web applications.
- Updated the embedded Chromium browser to v108.0.5359.71.
- Implemented a scan ID to limit caching (such as the file list and libraries) to a single scan.
- Improved the performance of alert transmission for AcuSensor.
FIXES
- Fixed the MongoDB injection and removed JSON parsing from the feature extraction library to avoid scan crashes.
- Fixed an issue that sent a bogus report because of an inconsistent last scan ID.
- Improved the pre-request script to send an HTTP job.
- Fixed the formatting issue for vulnerabilities exported to GitHub Issues.
- Fixed an unhandled exception thrown by the IAST Bridge.
- Fixed a Business Logic Recorder issue where the recorded logic sequence failed to replay.
- Fixed an issue where the custom scripts folder was not created during installation.
- Fixed an issue where some headings were not shown in Chinese when the UI language was switched to Chinese.
- Fixed the “manual intervention required” information box, which had started appearing in the notification bar instead of being displayed as a dialog box.
- Added cURL as a fallback when nslookup is not present.
- Fixed a Jira integration issue that failed to create epic issues.
- Fixed an issue where long scan names overlapped the AcuSensor icon.
- Fixed an issue where the Authorization bearer token was not used throughout the scan.
v15.1–10 released in Nov 2022
NEW FEATURES
- New navigation menu for a better user experience.
- Notification updates are shown for the last 30 days
NEW VULNERABILITY CHECKS
- New check for Swagger UI DOM XSS vulnerability.
- New test for Fortinet Authentication bypass on the administrative interface (CVE-2022-40684).
- New test for Insecure usage of Version 1 UUID/GUID.
- New test for Text4shell: Apache Commons Text RCE via insecure interpolation (CVE-2022-42889).
- New test for OpenSSL X.509 Email Address Buffer Overflows (CVE-2022-3786).
- Updated test for Open Monitoring Interfaces.
- Updated the software composition analysis database.
- Updated the WordPress plugin vulnerabilities.
UPDATES
- Updated the embedded Chromium browser to v107.0.5304.87/88.
- Updated how scans reaching the maximum scan time are displayed in the UI.
- Updated Issue Tracker UI to accept internal URLs.
- Improved Log4J checks to reduce false positives.
FIXES
- Fixed the issue causing the IAST bridge to fail to send responses to the sensor when large packets are received from the sensor.
- Added loopback routes that returned ‘undefined’ as an HTTP method.
- Added a keep-alive message between AcuSensor and the web application scanner to keep the connection open.
v15.0.221007170 released on 13 Oct 2022
Note: There will be no new updates for macOS on-premise installations. macOS users can switch to Acunetix Premium Online, or run Acunetix On-Premise in a virtual environment or in Docker.
NEW FEATURES
- Acunetix can now be installed on Redhat Enterprise Linux (RHEL) 9
NEW VULNERABILITY CHECKS
- Added check for Permissions-Policy header
- Added check for unrestricted access to Karma monitoring interface
- Added check for Go web application binary disclosure
UPDATES
- SCA: Improved the detection of components used by Java web applications
- Updated to Chromium v106.0.5249.61
- Updated PHP AcuSensor to better support web applications using the Slim Framework
- Improved support for HTTP calls from Axios
- Updated CWE Top 25 Most Dangerous Software Weaknesses to 2022 list of weaknesses
- Scan results and scan reports will include the Acunetix version used to conduct the scan
- Updated PHP sensor to report MongoDB injection
- Updated PHP sensor to report Server-side Template Injection (SSTI)
- Increased the detection of default GraphQL Introspection URLs
- Implemented heartbeat for connections between scanner and AcuSensor bridge
- Multiple DeepScan updates
- Improved the auditing of JavaScript Libraries
FIXES
- Fixed an issue that might cause blind SSRF in the Issue Tracker and Proxy configuration
- Fixed 3 authorization problems
- Fixed memory exhaustion bug in Heuristic Links Verifier
- Fixed: Malware was being reported when invalid / unknown malware was reported by Windows Defender
- Fixed some crashes in the scanner
- Updated Network scans to not abort if initial ICMP ping fails
- Fixed error when sending vulnerabilities to Jira Issue Tracker
- Fixed UI error when filtering vulnerabilities by time
E-SPIN Group specializes in providing Application Security Testing (AST) services, utilizing both the Invicti web vulnerability scanner (formerly known as Netsparker) and Acunetix. E-SPIN offers a range of value-added services including consulting, implementation, integration, training and maintenance. Contact E-SPIN for support and project assistance.