Changelogs

Acunetix Standard & Premium


v15.3.1 - 30 Jan 2023

This release includes a fix for the Linux installations.

Fixes

  • Fixed update issues on Linux installations.

v15.3 - 24 Jan 2023

This release includes security checks, improvements, and fixes. We added security checks for SAML, ASP.NET, and WordPress. We improved the .NET IAST sensor and the JWT secrets dictionary. We also fixed some bugs.

New security checks

  • Added a SAML anonymous Assertion Consumer Service audit for XML external entity injection, XSLT, server-side request forgery, and cross-site scripting.
  • Added a SAML signature audit to test attacks on signature verification.
  • Added various checks for Content Security Policy misconfiguration.
  • New security check for ASP.NET core development mode.
  • Updated the WordPress core vulnerabilities.
  • Updated the WordPress plugin vulnerabilities.

Improvements

  • Updated .NET IAST Sensor to detect a number of server-side configuration problems which may result in a security vulnerability.
  • Improved the JSON payload tests.
  • Updated JWT secrets dictionary.

Fixes

  • Fixed a bug in the PHP IAST sensor when reporting arrays to the scanner.
  • Fixed the scan summary page failing to show some of the results.
  • Fixed issues in the UI notifications that made them unactionable.
  • Fixed a problem that caused the LSR to incorrectly show the mobile version of some sites.
  • Fixed a .NET sensor issue where files of the root application (the website’s root) were returned even though the sensor was enabled only for a sub-application.
  • Fixed the version information shown in the user interface after an update.
  • Fixed a routing issue in .NET Framework ASP.NET Web API caused by compatibility problems.
  • Improved the login sequence recorder notification that informs users when the maximum response size limit is exceeded.
  • Fixed an issue with pagination on the vulnerabilities page.
  • Fixed a crawler issue where a page containing many elements became unresponsive.

v15.2 - 13 Dec 2022

This release includes security checks, improvements, and fixes. We added a security check for AjaxPro.NET and improved the out-of-band detection and the DeepScan. We implemented the Scan ID to limit the caching and enhanced the performance of alert transmission for AcuSensor. We also fixed some bugs, like GitHub Issues integration and the business logic recorder.

New security checks

  • Updated the WordPress plugin vulnerabilities.
  • Added the AjaxPro.NET Professional Deserialization RCE (CVE-2021-23758).
  • Improved the out-of-band detection.

Improvements

  • Added ability to send HTTP requests to pre-request scripts.
  • Various DeepScan improvements, generally improving the processing of JavaScript-rich web applications.
  • Updated the embedded Chromium browser to v108.0.5359.71.
  • Implemented a scan ID to limit caching (e.g. of the file list and libraries) to a single scan.
  • Improved the performance of alert transmission for AcuSensor.

Fixes

  • Fixed the MongoDB injection check and removed JSON parsing from the feature extraction library to avoid scan crashes.
  • Fixed an issue where a bogus report was sent because of an inconsistent last scan ID.
  • Improved the pre-request script to send an HTTP job.
  • Fixed a formatting issue for vulnerabilities exported to GitHub Issues.
  • Fixed an unhandled exception thrown by the IAST Bridge.
  • Fixed an issue where the business logic recorder failed to replay the recorded sequence.
  • Fixed an issue where the custom scripts folder was not created during installation.
  • Fixed an issue where some headings were not shown in Chinese after switching the language to Chinese.
  • Fixed the "manual intervention required" information box, which had begun appearing in the notification bar instead of being displayed as a dialog box.
  • Added cURL as a fallback if NSLookup is not present.
  • Fixed the Jira integration failing to create epic issues.
  • Fixed an issue where long scan names overlapped the AcuSensor icon.
  • Fixed an issue where the Authorization bearer token was not used throughout the scan.

v15.1 - 10 Nov 2022

This release includes new features, security checks, improvements, and fixes. We updated the navigation menu and notifications. We added security checks for Swagger UI DOM XSS, Text4Shell, and Fortinet Authentication. We also improved Log4J checks and issue tracker UI. We fixed some bugs, too.

New features

  • New navigation menu for a better user experience.
  • Notification updates are shown for the last 30 days.

New vulnerability checks

Updates

  • Updated the embedded Chromium browser to v107.0.5304.87/88.
  • Updated how scans reaching the maximum scan time are displayed in the UI.
  • Updated the Issue Tracker UI to accept internal URLs.
  • Improved Log4J checks to reduce false positives.

Fixes

  • Fixed an issue causing the IAST bridge to fail to send responses to the sensor when large packets are received from the sensor.
  • Added loopback routes that returned ‘undefined’ as an HTTP method.
  • Added a keep-alive message between AcuSensor and the web application scanner.

v15.0.221007170 - 13 Oct 2022

Version 15 build 15.0.221007170 for Windows and Linux – 13th October 2022

Note: There will be no further updates for macOS on-premise installations. macOS users can switch to Acunetix Premium Online, or run Acunetix On Premise in a virtual environment or on Docker.

New Features

New Vulnerability checks

  • Added check for Permissions-Policy header
  • Added check for unrestricted access to Karma monitoring interface
  • Added check for Go web application binary disclosure

Updates

  • SCA: Improved the detection of components used by Java web applications
  • Updated to Chromium v106.0.5249.61
  • Updated PHP AcuSensor to better support web applications using the Slim Framework
  • Improved support for HTTP calls from Axios
  • Updated CWE Top 25 Most Dangerous Software Weaknesses to the 2022 list of weaknesses
  • Scan results and scan reports now include the Acunetix version used to conduct the scan
  • Updated PHP sensor to report MongoDB injection
  • Updated PHP sensor to report Server-side Template Injection (SSTI)
  • Increased the detection of default GraphQL introspection URLs
  • Implemented a heartbeat for connections between the scanner and the AcuSensor bridge
  • Multiple DeepScan updates
  • Improved the auditing of JavaScript libraries

Fixes

  • Fixed an issue which might cause Blind SSRF in the Issue Tracker and Proxy configuration
  • Fixed 3 authorization problems
  • Fixed a memory exhaustion bug in the Heuristic Links Verifier
  • Fixed an issue where malware was reported when Windows Defender reported invalid or unknown malware
  • Fixed some crashes in the scanner
  • Updated Network scans to not abort if the initial ICMP ping fails
  • Fixed an error when sending vulnerabilities to the Jira Issue Tracker
  • Fixed a UI error when filtering vulnerabilities by time

v14.9.220913107 - 14 Sep 2022

Version 14 build 14.9.220913107 for Windows, Linux and macOS – 14th September 2022

Updates

  • Updated to Chromium 105.0.5195.102

Fixes

  • Fixed a DeepScan issue

v14.9.220830118 - 30 Aug 2022

Version 14 build 14.9.220830118 for Windows, Linux and macOS – 30th August 2022

New Features

  • Added support for the Zend Framework in the PHP IAST AcuSensor

New Vulnerability Checks

Updates

  • Various DeepScan improvements
  • Updated to Chromium 104.0.5112.101 (Linux) / 104.0.5112.102 (Windows)
  • Improved the XSS in URI (folder/file) check
  • Improved handling of SourceMaps
  • Updated the exposed web installers check
  • Updated the exposed development files check
  • Updated the exposed monitoring systems check

Fixes

  • Fixed an issue in the PHP IAST AcuSensor when reporting SCA components
  • Fixed a scanner crash

v14.9.220713150 - 14 Jul 2022

Version 14 build 14.9.220713150 for Windows, Linux and macOS – 14th July 2022

New features

  • Java IAST AcuSensor can now be used on WebSphere
  • HTTP requests can be copied as a cURL command from the vulnerability data

New vulnerability checks

Updates

  • Multiple DeepScan updates improving crawling of Single Page Applications (SPAs)
  • Upgraded Chromium to v103.0.5060.114
  • Improved handling of installed.json by the PHP IAST AcuSensor
  • SCA, AcuMonitor (OOB vulnerability checks) and URL malware checks now require “Acunetix Online Services” to be enabled in the user profile
  • Updated the MongoDB Injection checks
  • Various UI updates and fixes

Fixes

  • Multiple fixes in the Java and .NET IAST AcuSensors
  • Fixed a false negative in “Possible virtual host found”
  • Fixed a bug causing CSRF tokens to be retrieved over HTTP
  • Fixed a false positive in “Apache HTTP Server Source Code Disclosure”

v14.8.220610146 - 13 Jun 2022

Version 14 build 14.8.220610146 for Linux (only) – 13th June 2022

Fixes

  • Fixed an issue when using Acunetix on Amazon Linux 2