0
/ Published in Acunetix, Brand, Product

Acunetix v15 Web Vulnerability Scanner (WVS) Latest Build and Release

The latest version of Acunetix Web Vulnerability Scanner, v15, was released on October 13, 2022. To make it easier for customers to access all relevant information, we have combined all updates for this edition into one post, with the latest information at the top. The post date will be updated as changes are made, making it a convenient reference for both current customers and those interested in the build history and feature implementations of this release.

What is new compare with previous edition?

New Features

  • Invicti Web Application Security Scanner
  • Acunetix can now be installed on Redhat Enterprise Linux (RHEL) 9
  • New navigation menu for a better user experience.
  • Notification updates are shown for the last 30 days

v15.4.3 release on 3 Mar 2023

NEW SECURITY CHECKS

v15.4 release on 23 Feb 2023

NEW FEATURES

  • Improved the default roles.

NEW SECURITY CHECKS

IMPROVEMENTS

  • Added the Heuristic server-side routing detection to optimize attacks.
  • Updated the embedded Chromium browser to v109.0.5414.119.
  • Added the company name field to the registration process to Acunetix.
  • Updated the issue tracker integrations to show the link to the relevant ticket created in those issue trackers.
  • Updated the DISA STIG report to version 5.2.
  • Improved the CSV importing link to limit the target limit to 500.
  • Improved the scanner engine to reduce the memory footprint.
  • Improved the .NET IAST sensor to mask any password.

FIXES

  • Fixed the pagination bug on the Targets page.
  • Fixed the crawler issue that the page becomes unresponsive when it contains many elements.
  • Fixed the single-page application crawler to be consistent in the form submission.
  • Fixed a notification bug that does not redirect users to the correct URL for the finished scan.
  • Fixed the bug that does not refresh the user interface after the update.

v15.3.1 release on 30 Jan 2023

FIXES

  • Fixed the Linux installations for updating issues.

v15.3 release on 24 Jan 2023

NEW SECURITY CHECKS

  • Added SAML anonymous assertion consumer service audit for XML external entity injection, XSLT, Server-side request forgery, and Cross-site scripting.
  • Added a SAML signature audit to test attacks on signature verification.
  • Added various checks for Content Security Policy misconfiguration.
  • New security check for ASP.NET core development mode.
  • Updated the WordPress core vulnerabilities.
  • Updated the WordPress plugin vulnerabilities.

IMPROVEMENTS

  • Updated .NET IAST Sensor to detect a number of server-side configuration problems which may result in a security vulnerability.
  • Improved the JSON payload tests.
  • Updated JWT secrets dictionary.

FIXES

  • Fixed a bug in the PHP IAST sensor when reporting arrays to the scanner.
  • Fixed the scan summary page that failed to show some of the results.
  • Fixed issues in the UI Notifications causing them to be unactionable.
  • Fixed a problem that caused the LSR to show the mobile version for some sites incorrectly.
  • Fixed .NET sensor issue that returns the root applications (website’s root) files although the sensor is enabled for sub-application.
  • Fixed the version information shown on the user interface after the update.
  • Fixed the routing issue for .NET Framework ASP.NET Web API because of compatibility issues.
  • Improved the logic sequence recorder notification that informs users when the response max size limit is exceeded.
  • Fixed issue with pagination on the vulnerabilities page.
  • Fixed the crawler issue that the page becomes unresponsive when it contains many elements.

v15.2 release on 13 Dec 2022

NEW SECURITY CHECKS

  • Updated the WordPress plugin vulnerabilities.
  • Added the AjaxPro.NET Professional Deserialization RCE (CVE-2021-23758).
  • Improved the out-of-band detection.

IMPROVEMENTS

  • Added ability to send HTTP requests to pre-request scripts.
  • Various DeepScan improvements, generally improving the processing of JavaScript-rich web applications.
  • Updated the embedded Chromium browser to v108.0.5359.71.
  • Implemented the scan id to limit the caching, such as file list and libraries, to a scan.
  • Improved the performance of alert transmission for AcuSensor.

FIXES

  • Fixed the MongoDB injection and removed JSON parsing from the feature extraction library to avoid scan crashes.
  • Fixed the issue that sent bogus report because of inconsistent last scan id.
  • Improved the Pre-request script to send an HTTP job.
  • Fixed the formatting issue for vulnerabilities exported to GitHub Issues.
  • Fixed the unhandled exception that the IAST Bridge throws.
  • Fixed the business logic recorder issue that failed to replay the logic sequence recorder.
  • Fixed the issue that the custom scripts folder was not created during the installation.
  • Fixed the issue that failed to show the Chinese on some headings when switched to Chinese.
  • Fixed the manual intervention required information box that began to appear in the notification bar instead of being displayed as a dialog box.
  • Added cURL as a backup if NSLookup is not present.
  • Fixed the Jira integration that failed to create the epic issues.
  • Fixed the issue that long scan names overlap with the AcuSensor icon.
  • Fixed the issue that the authorization bearer was not used throughout the scan.

v15.110 release onNov 2022

NEW FEATURES

  • New navigation menu for a better user experience.
  • Notification updates are shown for the last 30 days

NEW VULNERABILITY CHECKS

UPDATES

  • Updated the embedded Chromium browser to v107.0.5304.87/88.
  • Updated how scans reaching max scan time are displayed in UI.
  • Updated Issue Tracker UI to accept internal URLs.
  • Improved Log4J checks to reduce false positives.

FIXES

  • Fixed the issue causing the IAST bridge to fail to send responses to the sensor when large packets are received from the sensor.
  • Added loopback routes that returned ‘undefined’ as an HTTP method.
  • Added the keep connection alive message between AcuSensor and the web application scanner to keep the connection alive.

v15.0.221007170 release on 13 Oct 2022

Note: There will be no new updates of the MacOS on premise installations. MacOS users can switch to Acunetix Premium Online, or use Acunetix On Premise in a virtual environment or on Docker.

NEW FEATURES

NEW VULNERABILITY CHECKS

  • Added check for Permissions-Policy header
  • Added check for unrestricted access to Karma monitoring interface
  • Added check for Go web application binary disclosure

UPDATES

  • SCA: Improved the detection of components used by JAVA web application
  • Updated to Chromium v106.0.5249.61
  • Updated PHP AcuSensor to better support web applications using the Slim Framework
  • Improved support for HTTP calls from Axios
  • Updated CWE Top 25 Most Dangerous Software Weaknesses to 2022 list of weaknesses
  • Scan results and scan reports will include the Acunetix version used to conduct the scan
  • Updated PHP sensor to report MongoDB injection
  • Updated PHP sensor to report Server-side Template Injection (SSTI)
  • Increased the detection of default GraphQL Introspection URLs
  • Implemented heartbeat for connections between scanner and AcuSensor bridge
  • Multiple DeepScan updates
  • Improved the auditing of JavaScript Libraries

FIXES

  • Fixed issue which might cause Blind SSRF in the Issue Tracker and Proxy configuration
  • Fixed 3 authorization problems
  • Fixed memory exhaustion bug in Heuristic Links Verifier
  • Fixed: Malware was being reported when invalid / unknown malware was reported by Windows Defender
  • Fixed some crashes in the scanner
  • Updated Network scans to not abort if initial ICMP ping fails
  • Fixed error when sending vulnerabilities to Jira Issue Tracker
  • Fixed UI error when filtering vulnerabilities by time

E-SPIN Group specializes in providing Application Security Testing (AST) services, utilizing both the Invicti web vulnerability scanner (formerly known as Netsparker) and Acunetix. E-SPIN offer a range of value-added services including consulting, implementation, integration, training and maintenance. Contact E-SPIN for support and project assistance.

Tagged under: , , ,

What you can read next

E-SPIN SolarWinds User Device Tracker Product Overview
E-SPIN SolarWinds User Device Tracker Product Overview
E-SPIN McAfee Application Data Monitor Product Overview
SCADA+ Exploitation Pack for CANVAS
E-SPIN McAfee Application Data Monitor Product Overview
E-SPIN McAfee Application Data Monitor Product Overview

Leave a Reply

Your email address will not be published. Required fields are marked *