Invicti’s Acunetix is an automated web vulnerability scanner and one of the market offerings for application security testing (AST). This post covers the v14 edition (released on 17th March 2021).
What is new compared with the previous edition?
- Web Asset Discovery, allowing users to discover domains related to their organisation or web assets already configured in Acunetix
- New page showing all the Target FQDNs consuming a target license
- Acunetix is now available on Docker
- New Scan Statistics page for each Scan
- Vulnerability information can now be sent to AWS WAF
Acunetix v14 Web Vulnerability Scanner (WVS) Latest Build and Release
This is a commonly asked question, so this post is kept up to date, with the latest build at the top and older builds below it. Instead of creating a separate post for each release date, we combine everything in one post so that the build history and the features introduced in each release of this edition are easy to reference. The post date is changed to reflect the latest update; although the older portion of the content was published earlier, the post date is kept current so the post stays relevant for customers and for anyone who wants all the information in one place.
v14.9.220913107 – 14th September 2022
Updates
- Updated to Chromium 105.0.5195.102
Fixes
- Fixed DeepScan issue
v14.9.220830118 – 30th August 2022
New features
- Added support for the Zend Framework in the PHP IAST AcuSensor
New vulnerability checks
- New check for Oracle E-Business Suite iStore open user registration
- New check for InfluxDB Unauthorized Access Vulnerability
- New check for Bonita Authorization Bypass (CVE-2022-25237)
- New check for Oracle ADF Faces ‘Miracle’ RCE (CVE-2022-21445)
Updates
- Various DeepScan Improvements
- Updated to Chromium 104.0.5112.101 (Linux) / 104.0.5112.102 (Windows)
- Improved XSS in URI (folder/file)
- Improved handling of SourceMaps
- Updated exposed web installers check
- Updated exposed development files check
- Updated exposed monitoring systems check
Fixes
- Fixed issue in the PHP IAST AcuSensor when reporting SCA components
- Fixed scanner crash
Version 14 build 14.9.220713150 adds IAST support for WebSphere and improves crawling of SPAs – 14th July 2022
A new Acunetix Premium update has been released for Windows, Linux, and macOS: 14.9.220713150
This Acunetix release introduces IAST support for WebSphere, enabling the use of the Java IAST sensor (AcuSensor) with this Java server. In addition, Acunetix DeepScan has been updated to better scan single-page applications (SPAs), allowing for better identification of the APIs used by the web application. The Acunetix UI received additional updates, including the ability to copy the HTTP request used to identify a vulnerability as a cURL command. This Acunetix update also includes a number of new vulnerability checks, updates, improvements, and product fixes.
New features
- Java IAST AcuSensor can now be used on WebSphere
- HTTP requests can be copied as cURL commands from the vulnerability data
New vulnerability checks
- New check for the DotCMS unrestricted file upload (CVE-2022-26352)
- New check for the .NET JSON.NET deserialization RCE
- New check for the unauthenticated RCE in Confluence Server and Data Center (CVE-2022-26134)
- New check for the authentication bypass via MongoDB operator injection
- New check for the MongoDB $where operator JavaScript injection
Updates
- Multiple DeepScan updates that improve crawling of single-page applications (SPAs)
- Upgraded Chromium to v103.0.5060.114
- Improved handling of installed.json by the PHP IAST AcuSensor
- SCA, AcuMonitor (OOB vulnerability checks), and URL malware checks now require Acunetix Online Services to be enabled in the user profile
- Updated the MongoDB injection checks
- Various UI updates and fixes
Fixes
- Multiple fixes in the Java and .NET IAST AcuSensors
- Fixed a false negative in the Possible virtual host found check
- Fixed a bug causing CSRF tokens to be retrieved using HTTP
- Fixed a false positive in the Apache HTTP server source code disclosure check
Version 14 build 14.8.220519149 for Windows, Linux, and macOS – 24th May 2022
A new Acunetix Premium update has been released for Windows, Linux, and macOS: 14.8.220519149.
This Acunetix release introduces support for JBoss, Jetty and WildFly, allowing the Java IAST sensor (AcuSensor) to be used with these Java servers. In addition, the Java IAST sensor has been updated to fully support Servlet 3 and Jersey, improving the coverage for scans performed on web applications that use these Java frameworks. This Acunetix update also includes a number of new vulnerability checks, updates, improvements, and product fixes.
New features
- The Java IAST sensor now supports JBoss, Jetty and WildFly Java Servers
- Improved support for Servlet3 and Jersey Java Frameworks
New vulnerability checks
- New IAST checks for expression language injection
- New IAST checks for Hibernate query injection
- New test for Apache OFBiz Log4Shell RCE (CVE-2021-44228)
- New WordPress plugin checks
- New/updated JavaScript audit checks
Updates
- Various UI improvements
- Improved detection of directory traversal vulnerabilities
- Improved detection of directory listing vulnerabilities
- Improved detection of development files
- Several improvements to LSR/DeepScan
Fixes
- Fixed an issue causing some vulnerabilities detected by AcuSensor not to show as AcuSensor verified
- Fixed an issue causing routes to not be listed by the Java IAST sensor
- Fixed 2 issues in target CSV import
- Fixed an issue causing SCA not to be done on Java Spring boot web applications
- Fixed an issue causing some checks not to be executed on cookies with the Secure flag
Version 14 build 14.7.220228146 for Windows, Linux and macOS – 1st March 2022
New Features
- .NET IAST Sensor (AcuSensor) can now be installed on .NET Core v3 and v5 on Windows (with Kestrel server)
- Acunetix Scanner updated to support Routes for frameworks supported by the IAST sensors (AcuSensor)
- Added support for Laravel framework in PHP IAST Sensor (AcuSensor)
- Added support for CodeIgniter framework in PHP IAST Sensor (AcuSensor)
- Added support for Symfony framework in PHP IAST Sensor (AcuSensor)
- Added support for ASP.NET MVC in .NET Core IAST Sensor (AcuSensor)
- Added support for Razor Pages in .NET Core in .NET IAST Sensor (AcuSensor)
- Added support for Web API in .NET Framework and .NET Core IAST Sensors (AcuSensor)
- Added support for Spring MVC in JAVA IAST Sensor (AcuSensor)
- Added support for Spring Struts2 in JAVA IAST Sensor (AcuSensor)
New Vulnerability Checks
- Acunetix has been updated to detect the following vulnerabilities using IAST:
  - LDAP Injection
  - Unsafe Reflection of Untrusted Data
  - XPath Injection
  - Email Header Injection
  - Deserialization of Untrusted Data
  - MongoDB Injection
  - Server-side template injection (SSTI)
  - Server-side request forgery (SSRF)
- Acunetix IAST (AcuSensor) has been updated to detect over 30 new server-side misconfigurations across all sensors
- New check for Magento Config File Disclosure
- New check for BillQuick Web Suite SQL injection (CVE-2021-42258)
- New check for Apache Airflow Experimental API Auth Bypass (CVE-2020-13927)
- New check for Apache Airflow default credentials
- New check for Apache Airflow Exposed configuration
- New check for Apache Airflow Unauthorized Access Vulnerability
- New check for GoCD information disclosure (CVE-2021-43287)
- New check for Grafana Plugin Dir Traversal (CVE-2021-43798)
- New check for NodeBB Arbitrary JSON File Read (CVE-2021-43788)
- New check for ManageEngine Desktop Central Deserialization RCE (CVE-2020-10189)
- New check for SolarWinds Orion API Auth bypass (CVE-2020-10148)
- New check for Citrix ADC NetScaler Local File Inclusion (CVE-2020-8193)
- New check for VMware vCenter vcavbootstrap Arbitrary File Read
- New check for Pentaho API Auth bypass (CVE-2021-31602)
- New check for Sonicwall SMA 100 Unintended proxy (CVE-2021-20042)
- New check for VMware vCenter Log4Shell RCE
- New check for VMware Horizon Log4Shell RCE
- New check for MobileIron Log4Shell RCE
- New check for Ubiquiti Unifi Log4Shell RCE
- New check for Apache OFBiz Log4Shell RCE
- New check for Apache Struts2 Log4Shell RCE
- New check for Apache Solr Log4Shell RCE
- New check for Apache JSPWiki Log4Shell RCE
- New WordPress Core and WordPress plugins checks
Updates
- IAST Sensors (AcuSensor) capabilities have been updated to improve the detection of:
  - Arbitrary File Creation
  - Directory Traversal
  - SQL Injection
  - Remote Code Execution
- Acunetix will start reporting when an old version of the IAST Sensor (AcuSensor) is installed on the web application
- Considerable update to the handling of CSRF tokens
- The Vulnerabilities page now includes a unique Vulnerability ID
- Multiple UI updates
- Multiple DeepScan updates
Fixes
- Fixed issue with Gitlab issue types not showing in UI
- Fixed issue with Amazon AWS WAF export
- Fixed several scanner crashes
- Fixed issue with .NET IAST AcuSensor not working on IIS prior to version 10
- Fixed issue with Node.js IAST AcuSensor causing web application to stop working
- Fixed ordering issue caused in PDF Comprehensive reports for multiple scans
- Fixed timeout issue causing IAST data not to reach the Acunetix scanner
Version 14 build 14.6.220117111 for Windows, Linux and macOS – 18th January 2022
Updates
- Updated Python binaries to v3.8.10
- Updated WordPress plugin and WordPress core vulnerability checks
Version 14 build 14.6.211220100 for Windows, Linux and macOS – 20th December 2021
New Vulnerability Checks
- Apache Log4j RCE vulnerability check updated to detect blind (delayed) instances of the vulnerability
Version 14 build 14.6.211215172 for Windows, Linux and macOS – 16th December 2021
New Vulnerability Checks
- Apache Log4j RCE vulnerability check updated to detect the vulnerability in web server exceptions
- Apache Log4j RCE vulnerability check updated to execute on various HTTP Headers
Updates
- Updated the scanner to test custom headers used by the web application
Version 14 build 14.6.211213163 for Windows, Linux and macOS – 13th December 2021
New Vulnerability Checks
- New check for Apache Log4j RCE (CVE-2021-44228)
Version 14 build 14.6.211207099 for Windows, Linux and macOS – 7th December 2021
New Features
- Scanner supports detecting HTTP/2 vulnerabilities
New Vulnerability Checks
- New check for Reverse proxy misrouting through HTTP/2 pseudo-headers (SSRF)
- New check for HTTP/2 pseudo-header server-side request forgery
- New check for Web Cache Poisoning DoS through HTTP/2 headers
- New check for HTTP/2 Web Cache Poisoning
- New check for Ghost CMS Theme Preview XSS (CVE-2021-29484)
- New check for GitLab ExifTool RCE (CVE-2021-22205)
- New check for Limited Remote File Read/Include in Jira Software Server (CVE-2021-26086)
- New check for Sitecore XP Deserialization RCE (CVE-2021-42237)
Updates
- Improved handling of Laravel CSRF tokens
- Added the ability to restrict scanning of a Target to the Main Installation’s scanning engine
- Added ability to configure blocking of requests to Ad services
- Multiple UI updates
- Multiple DeepScan updates
- Multiple updates to the PHP AcuSensor
Fixes
- Fixed: SQLi false negative caused when AcuSensor is installed
- Fixed: Incremental scans not starting when scheduled via Jenkins plugin
- Fixed: 2 issues in .NET sensor injector CLI
- Fixed: Node.js sensor not working on https sites
- Fixed: Not all paths are importing from specific Burp state file
- Fixed: Scanner crashes when parsing specific GraphQL and Swagger 2 files
- Fixed: Specific excluded paths can cause the scanner to hang
- Fixed: multiple scanner hangs
- Fixed: Race condition between LSR and BLR
- Fixed: Imported urls ignored when site redirects from http to https
- Fixed: Incorrect permissions for some Acunetix files / folders on Linux / Mac
Version 14 build 14.5.211115146 for Windows, Linux and macOS – 16th November 2021
New Features
- New OWASP Top 10 2021 compliance report
- JAVA AcuSensor now supports JDK 11
New Vulnerability Checks
- New check for GitLab ExifTool RCE (CVE-2021-22205)
- New check for Sitecore XP Deserialization RCE (CVE-2021-42237)
Fixes
- Fixed issue causing hang in scanner
- Fixed issue causing some vulnerabilities not to be detected when AcuSensor is enabled and not installed on the web application
Version 14 build 14.5.211109105 for Windows, Linux and macOS – 9th November 2021
New Vulnerability Checks
- New check for Keycloak request_uri SSRF (CVE-2020-10770)
- New check for Apache HTTP Server Insecure Path Normalization (CVE-2021-41773 and CVE-2021-42013)
- New check for Apache mod_proxy SSRF (CVE-2021-40438)
Fixes
- Fixed issue in .NET AcuSensor CLI parameter used to list the web sites in IIS
- Fixed issue in Clickjacking: CSP frame-ancestors missing vulnerability check
- Fixed false positive in Cockpit CMS reset password NoSQLi
Version 14 build 14.5.211026108 for Windows, Linux and macOS – 26th October 2021
Updates
- Removed message to “Press any key to continue” when installing .NET AcuSensor from CLI. This was hindering the automatic installation of the .NET sensor
Fixes
- Fixed issue causing scans to fail when site redirects from http to https
- Fixed issue causing incremental scans initiated from Jenkins plugin not to start
Version 14 build 14.5.211021117 for Windows, Linux and macOS – 21st October 2021
Fixes
- Fixed crash when processing swagger2 file with non-existent references
Version 14 build 14.5.211008143 for Windows, Linux and macOS – 11th October 2021
New Features
- Added support for URL optional fields
- Added support for Brotli encoding
- JAVA AcuSensor can now be used on Tomcat 10.0.x
- Added support for Restify framework in Node.js Sensor
- Added support for LoopBack framework in Node.js Sensor
- Added support for Sequelize ORM in Node.js Sensor
- Added support for Router Package in Node.js Sensor
- Added support for Director Router in Node.js Sensor
New Vulnerability Checks
- New check for Apache HTTP Server Source Code Disclosure
- New check for ManageEngine ADSelfService Plus Authentication Bypass (CVE-2021-40539)
- New check for Oracle Business Intelligence ReportTemplateService XXE (CVE-2021-2400)
- New check for Jira Unauthorized User Enumeration (CVE-2020-14181)
- New check for Jira Unauthorized User Enumeration via UserPickerBrowser
- New check for Jira Projects accessible anonymously
- New check for Payara Micro File Read (CVE-2021-41381)
Updates
- Export to AWS WAF is now available in all pages which allow WAF Export
- Updated Pre-request scripts, making it easier to update session header value
- Updated the detection of WAFs to support new WAFs
- Increased the detection of development files
- Improved the JavaScript Library Audit checks
Fixes
- Fixed issue in Paros import
- Fixed issue in scanner causing False Negatives when processing specific pages
- Fixed issue in AWS WAF Export
- Fixed issue in PHP Sensor not being detected when used in a large site with many files
- Fixed issue causing pre-request scripts not to be loaded by scanner
- Fixed 3 issues in Postman imports
- Fixed False Negative in Django Debug Mode vulnerability check
- Fixed issue causing high response times in UI caused by large quantity of Targets configured
- Fixed false positive in “User credentials are sent in clear text” check
Version 14 build 14.4.210913167 for Windows, Linux and macOS – 14th September 2021
New vulnerability checks
- Added check for Unrestricted access to Kong Gateway API
- Added check for Unrestricted access to Haproxy Data Plane API
- Added check for OData feed accessible anonymously
- Added check for Unauthenticated OGNL injection in Confluence Server and Data Center (CVE-2021-26084)
- Added check for Microsoft Exchange Server Pre-auth Path Confusion vulnerability (CVE-2021-34473)
Updates
- Updated CORS Origin Validation check
Version 14 build 14.4.210831180 for Windows, Linux and macOS – 1st September 2021
Fixes
- Fixed: Error when adding new Targets
- Fixed: Scanner crash when using a Postman import file
Version 14 build 14.4.210826124 for Windows, Linux and macOS – 26th August 2021
New Vulnerability checks
- New check for Cisco Adaptive Security Appliance (ASA) XSS (CVE-2020-3580)
- New check for Jetty Information Disclosure (CVE-2021-34429)
- New check for SAP ICF URL redirection Vulnerability
Updates
- “AllOf” tag is now handled for Swagger2 schemas
- Improved handling of import files for sub-domains and allowed hosts
Fixes
- Fixed: Nonexistent paths identified by WordPress checks
- Fixed: Scanner crashing on specific content
Version 14 build 14.4.210816098 for Windows, Linux and macOS – 16th August 2021
New Features
- Pre-request script support
- New Log Data Retention options
New Vulnerability Checks
- New check for Oracle E-Business Suite Information Disclosure
- New check for Alibaba Nacos Authentication Bypass (CVE-2021-29441)
- New check for Gitlab CI Lint SSRF
- New check for Gitlab open user registration
- New check for Gitlab user disclosure via graphql endpoint
- New check for Bitrix galleries_recalc.php XSS
- New check for Bitrix open redirect
- New check for Jetty ConcatServlet Information Disclosure (CVE-2021-28164)
- New check for Jenkins open user registration
- New check for Open Mikrotik stats
- New check for Open Nuster stats
- New check for RethinkDB administrative interface publicly exposed
- New check for spring-boot-actuator-logview Path Traversal
- New check for Hasura GraphQL API without authentication
- New check for ForgeRock OpenAM Deserialization RCE (CVE-2021-29156)
- New check for BuddyPress REST API Privilege Escalation
- New check for Grandnode Path Traversal (CVE-2019-12276)
- New check for SearchBlox Local File Inclusion (CVE-2020-35580)
- New check for Zimbra Collaboration Suite SSRF (CVE-2020-7796)
- New check for Ghost CMS Theme Preview XSS (CVE-2021-29484)
- New check for qdPM Information Disclosure
- New checks for vulnerabilities in WordPress Plugins
Updates
- Max items shown per page can now be configured
- Updated Deepscan to process hashes in URLs
- Updated Chromium to v92.0.4512.0
- Updated CSV export to include text only details
- JavaScript Library Audit now supports merged JavaScript files
- Added support for dev tools in standalone LSR
- Multiple UI updates
- Multiple LSR updates
- Target knowledgebase will now be reset when Target settings are changed
- Updated Selenium import to support selectFrame
- Updated OWASP Top 10 report to include CVSS score
- Updated Compliance report to include CWE
- Added option to enable debuglogs for all Targets
- Optimisations to the Java and Node.js AcuSensors
- Improved support for Hapi framework in Node.js AcuSensor
- Add support for find-my-way HTTP router in Node.js AcuSensor
- Improved ionCube Loader-wizard information disclosure check
- Improved cache poisoning DoS checks
- Improved detection of Apache Struts2 Remote Command Execution (S2-052)
- Improved detection of Directory Traversal vulnerabilities
- Added option to skip testing of login form configured for the Target
- Improved handling of Custom 404 pages
Fixes
- Fixed multiple crashes in the scanner
- Fixed issue causing some requests to be done to restricted links
- Addressed multiple Deepscan issues
- Paused scans can now be Aborted
- Fixed XPath Injection false positive
- Fixed Bitrix Open Redirect false positive
- Fixed Spring Boot Actuator false negative
- Fixed issue in .NET Sensor Manager not showing buttons on lower resolutions
Version 14 build 14.3.210628104 for Windows, Linux and macOS – 28th June 2021
Updates
- Target Knowledgebase will be reset when Target Settings are changed
- Updated SSL/TLS Certificate expiry threshold notification from 30 days to 60 days
Fixes
- Fixed: OWASP compliance report template was not available in some Editions
- Fixed: Some scripts were not observing Excluded paths configured in Target settings
Version 14 build 14.3.210615184 for Windows, Linux and macOS – 17th June 2021
New Features
- New SCA (Software Composition Analysis) for PHP, JAVA, Node.js and .NET web applications. Acunetix will report vulnerable libraries used by the web application when AcuSensor is used
New Vulnerability Checks
- New check for SSRF via logo_uri in MITREid Connect (CVE-2021-26715)
- New check for Oracle E-Business Suite Information Disclosure
- New check for Unauthorized Access to a web app installer
- New check for SAML Consumer Service XML entity injection (XXE)
- New check for Grav CMS Unauthenticated RCE (CVE-2021-21425)
- New check for Outsystems Upload Widget Arbitrary File Uploading (RPD-4310)
- New check for Django Debug Toolbar
- New check for Joomla Debug Console enabled
- New check for Joomla J!Dump extension enabled
- New check for Request Smuggling
- New check for Unrestricted access to Caddy API interface
- New check for Pyramid framework weak secret key
- New check for Apache Tapestry Unauthenticated RCE (CVE-2019-0195 and CVE-2021-27850)
- New check for Unrestricted access to Spring Eureka dashboard
- New check for Unrestricted access to Yahei PHP Probe
- New check for Unrestricted access to Envoy Dashboard
- New check for Unrestricted access to Traefik2 Dashboard
- New check for Dragonfly Arbitrary File Read/Write (CVE-2021-33564)
- New check for Oracle E-Business Suite Frame Injection (CVE-2017-3528)
- New check for Gitlab CI Lint SSRF
- New check for Gitlab open user registration
- New check for Gitlab user disclosure via GraphQL
Updates
- Updated .NET AcuSensor
- .NET AcuSensor can be now deployed from CLI
- User is notified when imported URLs are out of scope
- Scan events are no longer shown in JSON
- New column for Continuous Scanning in the Targets page
- New filter in Targets page to easily identify Targets with debug enabled
- Vulnerabilities page shows if the vulnerability was detected by a web or network scan
- Merged Add Target and Add Targets options in UI
- Custom Field, labels and tags can be configured for Issue Trackers
- Platform Admin can now unlock locked accounts
- New column in CSV export showing details in text only
- Updated the way that AcuSensor token can be updated in the Target Settings
- PCI DSS compliance report updated to PCI DSS 3.2.1
- Compliance Reports updated to make use of the Comprehensive report template
- Browser Dev tools can be used when LSR is started from CLI
- Updated XFO check
- Multiple UI updates
- Improved false positive detection of out of band RCE and argument injection vulnerabilities
- Multiple updates to the Postman import implementation
- Updated JavaScript Library Audit to support merged JavaScript files
Fixes
- HSTS has been enabled for the AcuSensor bridge
- Latest Alerts section of Scan results was not updated with AcuMonitor (OOB) vulnerabilities
- Fragments were not clickable in the site structure
- HSTS Best Practices was sometimes being reported multiple times
- Fixed HSTS false negative
- Fixed issue in the detection of Django 3 weak secret
- Fixed issue causing GitHub labels not to be updated when changing Github issue Tracker Project
- Fixed encoding issue in Node.js AcuSensor
- Fixed issue causing corruption of Target knowledgebase
- Fixed DeepScan timeout when processing Prototype JavaScript library
- Fixed issue causing outdated JavaScript libraries check not to report external libraries
- Fixed issue in Oauth password credentials grant
Version 14 build 14.2.210505179 for Windows, Linux and macOS – 6th May 2021
Fixes
- Fixed validation errors when sorting vulnerabilities by Issue ID
- Fixed issue causing Node.js sensor to fail to start on Node v6
- Fixed issue causing some operations to be listed multiple times in Scan Statistics
Version 14 build 14.2.210503151 for Windows, Linux and macOS – 4th May 2021
New Features
- Acunetix is now available on Docker
- New Scan Statistics page for each Scan
- Vulnerability information can now be sent to AWS WAF
New Vulnerability Checks
- New check for Hashicorp Consul API is accessible without authentication [https://www.consul.io/docs/security]
- Multiple new checks for Unrestricted access to a monitoring system
- Improvements to JavaScript Library Audit checks
- New check for Cisco RV Series Authentication Bypass (CVE-2021-1472)
- New check for ntopng Authentication Bypass (CVE-2021-28073)
- New check for Agentejo Cockpit CMS resetpassword NoSQLi (CVE-2020-35847)
- New check for AppWeb Authentication Bypass (CVE-2018-8715)
- New check for Apache OFBiz SOAPService Deserialization RCE (CVE-2021-26295)
- New check for F5 iControl REST unauthenticated remote command execution vulnerability (CVE-2021-22986)
- New check for Python Debugger Unauthorized Access Vulnerability
- New check for Virtual Host locations misconfiguration
- New check for Request Smuggling
Updates
- Full row and column selection is now possible in the Excluded Hours page
- Updated UI with new Acunetix branding
- Issue Tracker ID will be shown for vulnerabilities sent to any Issue Tracker
- Issue Trackers can now be restricted to a specific Target Group
- Target Description will be sent to the Issue Trackers
- Updated Jira integration to support Jira version 9
- Multiple updates to the JAVA AcuSensor
- Scanning engine will now test cookies on pages which do not have any inputs
- The scanner will stop testing cookies which have been found to be vulnerable
- Where possible, DOM XSS vulnerabilities will show the code snippet of the vulnerable JavaScript call
- CSV Export will now show the Target Address
- Maximum size for a custom cookie configured in a Target increased to 4096 characters
- New date filter in the Vulnerabilities page
- Vulnerability severity now shows text in addition to color coded icon
- Multiple updates to the LSR
- Added support for BaseUrl / Global Variables in Postman import files
Fixes
- Fixed extra CR in Target CSV export
- Fixed DeepScan crash
- Fixed: Discovery options are only shown to users with “Access All Targets” permission
- Fixed: Existing user’s details shown when adding a new user
- Fixed a scanner crash
- Fixed: Blind XSS check is now part of the XSS scanning profile
- Fixed: AcuMonitor checks were not done when the scan was run by an engine-only installation
- Fixed issue causing AcuMonitor not to be registered when using authenticated proxy
- Fixed issue when loading vulnerabilities for a Target Group
- Fixed issue with Postman importer
- Fixed sporadic issue when checking for new Acunetix updates on Mac
- Fixed issue in WP XMLRPC pingback check
Version 14 build 14.1.210329187 for Windows, Linux and macOS – 30th March 2021
Fixes
- Fixed issue causing proxy authentication failures
- Fixed scanner crash
- Fixed indentation in Comprehensive report
Version 14 build 14.1.210324124 for Windows, Linux and macOS – 25th March 2021
Updates
- Updated scanner so that “Restrict scans to import files” is taken into consideration for paths coming from Target knowledgebase
Fixes
- Fixed a scanner crash
- Fixed issue in Swagger 3 import feature
Version 14 build 14.1.210316110 for Windows, Linux and macOS – 17th March 2021
New Features
- Web Asset Discovery, allowing users to discover domains related to their organisation or web assets already configured in Acunetix
- New page showing all the Target FQDNs consuming a target license
New Vulnerability Checks
- New test for SonicWall SSL-VPN 8.0.0.0 RCE via ShellShock exploit
- New test for Node.js Debugger Unauthorized Access Vulnerability
- New test for Node.js Inspector Unauthorized Access Vulnerability
- New test for Apache Shiro authentication bypass (CVE-2020-17523)
- New test for Reflected Cross-Site Scripting (XSS) vulnerability in PAN-OS management web interface (CVE-2020-2036)
- New test for Missing Authentication Check in SAP Solution Manager (CVE-2020-6207)
- New test for VMware vCenter Server Unauthorized Remote Code Execution (CVE-2021-21972)
- New test for Delve Debugger Unauthorized Access Vulnerability
- New check for HTTP response splitting with cloud storage
- New tests for WordPress plugins
Updates
- Acunetix updated to fully support NTLM Authentication for proxy authentication
- Multiple LSR/BLR and DeepScan updates and fixes
- Updated Chromium to v88.0.4298.0
- Updated Postgres database to v13.2
- Engines page has been updated to show the following:
  - Status (online or otherwise) for each Engine
  - The build number for each Engine
  - Any license issues are reported as part of the status for each Engine
- Multi-Engine setups will start to automatically update the Engine only installations when the Main installation is updated
- The UI will reload after Acunetix is upgraded
- ‘WAF Export’ button renamed to ‘Export to’, and feature added to the Scans Page
- Multiple updates to the Comprehensive report
- Proxy Settings can now be specified for each Issue Tracker
- Updated JavaScript Library Audit check to cover libraries not hosted on the scanned target
- Users can now be created from the API
- Updated CORS check
Fixes
- Fixed bug in “Vulnerabilities in SharePoint could allow elevation of privilege” check
- Fixed issue causing check for updates to occasionally fail on MacOS
- Fixed issue causing DOM XSS sink to not always be shown in the code extract displayed in the alert
- Fixed issue caused when a custom collection is used in a TFS issue tracker configuration
- Fixed issue in WordPress XML-RPC pingback abuse check
- Fixed Deepscan crash
- Fixed False Positive in Broken Link Hijacking check
- Vulnerability CSV export now includes URL where vulnerability was detected