Acunetix Premium - v24.2.240226074

New features

• Added the ability to use Aria Roles to provide better coverage
• Introduced PCI DSS 4.0 report. Note that PCI DSS 3.2 will reach the end of its support or relevance by the end of March
• .NET IAST now supports .NET 8 (currently in Open Beta)

New security checks

• XXE in Ivanti Connect Secure, Policy Secure and Neurons (CVE-2024-22024)
• Magento 2.0-2.3 End of life
• ColdFusion Access Control bypass (CVE-2023-29298 / CVE-2023-38205)
• ColdFusion XSS (CVE-2023-44352)
• Skype for Business SSRF (CVE-2023-41763)
• VMware Aria Operations for Networks RCE (CVE-2023-20887)
• IBM Aspera Faspex RCE (CVE-2022-47986)
• GeoServer SSRF (CVE-2021-40822)
• WSO2 Management Console XSS (CVE-2022-29548)
• SSRF in Ivanti Connect Secure, Policy Secure and Neurons (CVE-2024-21893)
• LISTSERV XSS (CVE-2022-39195)
• Unrestricted access to MLflow
• KeyCloak Information Disclosure (CVE-2020-27838)
• CloudPanel file-manager Auth bypass (CVE-2023-35885)
• TestRail Information Disclosure (CVE-2021-40875)
• Grafana Snapshot Authentication Bypass (CVE-2021-39226)
• Harbor Unauthorized Access Vulnerability
• Ghost CMS Theme Path Traversal (CVE-2023-32235)
• cPanel XSS (CVE-2023-29489)
• GoAnywhere MFT Authentication Bypass (CVE-2024-0204)
• Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core API Auth bypass (CVE-2023-35082)
• Unauthenticated OGNL injection in Confluence Server and Data Center (CVE-2023-22527)
• Authentication Bypass in Ivanti Connect Secure and Policy Secure (CVE-2023-46805)
• RCE in Ivanti Connect Secure and Policy Secure (CVE-2024-21887)
• GeoServer WMS SSRF (CVE-2023-43795)
• Ivanti Sentry Authentication Bypass (CVE-2023-38035)
• SAP SAP BusinessObjects Business Intelligence Platform XXE (CVE-2022-28213)
• SysAid On-Premise RCE (CVE-2023-47246)
• Multiple ColdFusion WDDX Deserialization RCEs (CVE-2023-44353 / CVE-2023-38203 / CVE-2023-38204)

Improvements

• Updated Chromium to 121.0.6167.139/140
• Improved detection of DOM-based Cross Site Scripting (XSS)
• Improved the way that "Content Security Policy Misconfiguration" alerts are reported
• Improved detection of Client Side Prototype Pollution (CSPP)
• IAST scans will start reporting the IAST sensor version used for the scan
• New column "Result" is shown in the list of scans to provide more details about scan outcome
• Enhanced support for OTP apps by displaying the activation code next to the QR code
• Improved crawling of Single Page Applications (SPA) that are using Ionic Framework
• Added the ability to scan web applications which require browsing in a single browser tab
• Upgraded user experience of in-app notifications - Updated UX of notifications dropdown
• When accessing the application from a different location or browser, all other sessions are promptly terminated. Previously, users were notified, causing inconvenience when working from various locations

Fixes

• Fixed a bug caused by the engine not respecting Cache-Control directive
• In rare situations, a report being generated could have resulted in an Internal server error. This issue has now been fixed
• Fixed several minor user experience issues across the application
• Removed deprecated X-Frame Options check