Acunetix Premium - v14.3.210615184

New Features

• New SCA (Software Composition Analysis) for PHP, JAVA, Node.js and .NET web applications. Acunetix will report vulnerable libraries used by the web application when AcuSensor is used

New Vulnerability Checks

• New check for SSRF via logo_uri in MITREid Connect (CVE-2021-26715)
• New check for Oracle E-Business Suite Information Disclosure
• New check for Unauthorized Access to a web app installer
• New check for SAML Consumer Service XML entity injection (XXE)
• New check for Grav CMS Unauthenticated RCE (CVE-2021-21425)
• New check for Outsystems Upload Widget Arbitrary File Uploading (RPD-4310)
• New check for Django Debug Toolbar
• New check for Joomla Debug Console enabled
• New check for Joomla J!Dump extension enabled
• New check for Request Smuggling
• New check for Unrestricted access to Caddy API interface
• New check for Pyramid framework weak secret key
• New check for Apache Tapestry Unauthenticated RCE (CVE-2019-0195 and CVE-2021-27850)
• New check for Unrestricted access to Spring Eureka dashboard
• New check for Unrestricted access to Yahei PHP Probe
• New check for Unrestricted access to Envoy Dashboard
• New check for Unrestricted access to Traefik2 Dashboard
• New check for Dragonfly Arbitrary File Read/Write (CVE-2021-33564)
• New check for Oracle E-Business Suite Frame Injection (CVE-2017-3528)
• New check for Gitlab CI Lint SSRF
• New check for Gitlab open user registration
• New check for Gitlab user disclosure via GraphQL

Updates

• Updated .NET AcuSensor
• .NET AcuSensor can be now deployed from CLI
• User is notified when imported URLs are out of scope
• Scan events are not shown in json any more
• New column for Continuous Scanning in the Targets page
• New filter in Targets page to easily identify Targets with debug enabled
• Vulnerabilities page shows if the vulnerability was detected by a web or network scan
• Merged Add Target and Add Targets options in UI
• Custom Field, labels and tags can be configured for Issue Trackers
• Platform Admin can now unlock locked accounts
• New column in CSV export showing details in text only
• Updated the way that AcuSensor token can be updated in the Target Settings
• PCI DSS compliance report updated to PCI DSS 3.2.1
• Compliance Reports updated to make use of the Comprehensive report template
• Browser Dev tools can be used when LSR is started from CLI
• Updated XFO check
• Multiple UI updates
• Improved false positive detection of out of band RCE and argument injection vulnerabilities
• Multiple updates to the Postman import implementation
• Updated JavaScript Library Audit to support merged JavaScript files

Fixes

• HSTS has been enabled for the AcuSensor bridge
• Latest Alerts section of Scan results was not updated with AcuMonitor (OOB) vulnerabilities)
• The Fragments was not clickable in the site structure
• HSTS Best Practices was sometimes being reported multiple times
• Fixed HSTS false negative
• Fixed issue in the detection of Django 3 weak secret
• Fixed issue causing GitHub labels not to be updated when changing Github issue Tracker Project
• Fixed encoding issue in Node.js AcuSensor
• Fixed issue causing corruption of Target knowledgebase
• Fixed DeepScan timeout when processing Prototype JavaScript library
• Fixed issue causing outdated JavaScript libraries check not to report external libraries
• Fixed issue in Oauth password credentials grant