v14.3.210615184 - 17 Jun 2021
Version 14 build 14.3.210615184 for Windows, Linux and macOS – 17th June 2021
New Features
- New SCA (Software Composition Analysis) for PHP, Java, Node.js and .NET web applications. Acunetix will report vulnerable libraries used by the web application when AcuSensor is used
New Vulnerability Checks
- New check for SSRF via logo_uri in MITREid Connect (CVE-2021-26715)
- New check for Oracle E-Business Suite Information Disclosure
- New check for Unauthorized Access to a web app installer
- New check for SAML Consumer Service XML entity injection (XXE)
- New check for Grav CMS Unauthenticated RCE (CVE-2021-21425)
- New check for Outsystems Upload Widget Arbitrary File Uploading (RPD-4310)
- New check for Django Debug Toolbar
- New check for Joomla Debug Console enabled
- New check for Joomla J!Dump extension enabled
- New check for Request Smuggling
- New check for Unrestricted access to Caddy API interface
- New check for Pyramid framework weak secret key
- New check for Apache Tapestry Unauthenticated RCE (CVE-2019-0195 and CVE-2021-27850)
- New check for Unrestricted access to Spring Eureka dashboard
- New check for Unrestricted access to Yahei PHP Probe
- New check for Unrestricted access to Envoy Dashboard
- New check for Unrestricted access to Traefik2 Dashboard
- New check for Dragonfly Arbitrary File Read/Write (CVE-2021-33564)
- New check for Oracle E-Business Suite Frame Injection (CVE-2017-3528)
- New check for Gitlab CI Lint SSRF
- New check for Gitlab open user registration
- New check for Gitlab user disclosure via GraphQL
Updates
- Updated .NET AcuSensor
- .NET AcuSensor can now be deployed from the CLI
- User is notified when imported URLs are out of scope
- Scan events are no longer shown in JSON
- New column for Continuous Scanning in the Targets page
- New filter in Targets page to easily identify Targets with debug enabled
- Vulnerabilities page shows if the vulnerability was detected by a web or network scan
- Merged Add Target and Add Targets options in UI
- Custom fields, labels and tags can be configured for Issue Trackers
- Platform Admin can now unlock locked accounts
- New column in CSV export showing details in text only
- Updated the way the AcuSensor token can be updated in the Target Settings
- PCI DSS compliance report updated to PCI DSS 3.2.1
- Compliance Reports updated to make use of the Comprehensive report template
- Browser Dev tools can be used when LSR is started from CLI
- Updated XFO check
- Multiple UI updates
- Improved false positive detection of out of band RCE and argument injection vulnerabilities
- Multiple updates to the Postman import implementation
- Updated JavaScript Library Audit to support merged JavaScript files
Fixes
- HSTS has been enabled for the AcuSensor bridge
- The Latest Alerts section of the scan results was not updated with AcuMonitor (OOB) vulnerabilities
- Fragments were not clickable in the site structure
- HSTS Best Practices was sometimes reported multiple times
- Fixed HSTS false negative
- Fixed issue in the detection of Django 3 weak secret
- Fixed issue causing GitHub labels not to be updated when changing the GitHub Issue Tracker project
- Fixed encoding issue in Node.js AcuSensor
- Fixed issue causing corruption of Target knowledgebase
- Fixed DeepScan timeout when processing Prototype JavaScript library
- Fixed issue causing outdated JavaScript libraries check not to report external libraries
- Fixed issue in OAuth password credentials grant