Acunetix Build History

Version 13 (build 13.0.201112128 for Windows / Linux / macOS) 12 November 2020

Updates

• Updated Telerik vulnerability checks
• The Tech Admin user role can now create new Targets
• Renamed acu_phpaspect.php to acusensor.php
• Updated Comprehensive report to indicate Verified vulnerabilities
• Logon Banner now supports multi-line banners

Fixes

• Fixed issue in SlowLoris vulnerability check
• Fixed issue LSR hang caused when closing the LSR immediately after opening it
• Fixed scan hanging issue
• Fixed a couple of issues in the CSV export
• Fixed issue causing incorrect threat level in Comprehensive report
• Fixed false positives in Outdated JS libraries and Insecure Referrer Policy checks
• Fixed UI issue with long target name causing buttons to be hidden
• Fixed issue causing double input schemes
• Fixed crash in scanner
• Fixed issue causing vulnerability count in Dashboard to not always be updated

Version 13 (build 13.0.201028153 for Windows / Linux and build 13.0.201028161 for macOS) 29th October 2020

New Features

• Logon Banner can be configured for Acunetix logon page (satisfies DOD Notice and Consent Banner requirement)
• Added ability to export vulnerabilities to CSV (available as WAF Export option)
• Added ability to export scan locations to CSV (available as WAF Export option)

New Vulnerability Checks

• New check for JavaScript Source map detected
• New check for Unauthenticated Remote Code Execution via JSONWS in Liferay 6.1 (LPS-88051)
• New check for Oracle WebLogic Server unauthenticated remote code execution (CVE-2020-14882)
• Updated WordPress plugin checks

Updates

• Improved handling of Swagger
• The scanner will try to detect differences in the site using different user-agents
• Various minor UI updates
• Added Scan Profile used in Scan results
• Business Logic Recorder cannot be used on Targets which require Manual Intervention
• Updated Jira issue tracker
• Improved error shown when checking for updates fails
• Updated import file feature to support files using BOM
• Comprehensive report tags vulnerabilities detected by AcuSensor and AcuMonitor

Fixes

• Fixed issue causing multi-line session detection not to be used during scan
• Updated Jira issue tracker to use proxy server if configured
• Fixed issue causing gzip encoded body of HTTP responses to become invalidated
• Fixed: Printing the Coverage report would not print the sitemap in the report
• Fixed issue causing some login forms not to be detected during the scan
• Fixed timing issue when scheduling a scan for a future date
• Fixed scanner crashes caused by specific import files
• Fixed issue causing DeepScan not to be used on Kali Linux
• Fixed false positive in Zend Framework LFI via XXE
• Fixed issue causing some scans to fail because of the client certificate
• Fixed issue causing LSR playback to fail for some scans
• Fixed issue in New Scan dialog for Tech Admin users

Version 13 (build 13.0.200930102 for Windows, Linux and macOS) 30th September 2020

New Features

• Export Scans to JSON (available as WAF Export option)
• Added context-sensitive help for all pages in the UI. Clicking on the ? icon will open documentation for the specific page

New Vulnerability Checks

• New test for Apache OFBiz XMLRPC Deserialization RCE (CVE-2020-9496)
• New test for No HTTP Redirection
• Numerous tests related to TLS / SSL, including:
• Added support for 200 new cipher suites, bringing the total number of supported cipher suites to 360
• New test for TLS/SSL Diffie-Hellman Key Reuse (prerequisite for Raccoon Attack)
• New test for TLS/SSL LOGJAM attack (CVE-2015-4000)
• New test for TLS/SSL Sweet32 attack (CVE-2016-2183 and CVE-2016-6329
• Alert if server offers cipher suites with symmetric encryption key length <128
• Alert if server offers cipher suites using symmetric encryption algorithms RC2, DES (insecure), IDEA
• Alert if server offers cipher suites using ANON, NULL, SHA-1 for authentication
• Alert if server offers cipher suites using MD5 for HMAC
• New vulnerability checks for WordPress plugins and Drupal core

Updates

• Numerous updates to the UI
• Malware scan profile updated to check for Trojans
• Scanner updated to receive newly discovered hosts from vulnerability checks
• Updated Swagger 2 implementation to better cater for nested schemes/objects
• Updated deduplication to better cater for network scans / vulnerabilities
• Adaptive ciphersuite testing, reduces the average SSL/TLS scan duration by 90%

Fixes

• Fixed issue where no data was shown for archived scans
• Fixed some minor issues with default filters
• Fixed issue showing wrong Target count in license page
• Fixed UI issue affecting Custom Scan Profiles
• Fixed Possible Sensitive Files / Folders to use the Case Sensitive Paths setting for the Target
• Fixed issue in Reverse Proxy Detection check

Version 13 (build 13.0.200911154 for Windows and Linux and build 13.0.200911171 for macOS) 14th September 2020

New Features

• New Data Retention settings, providing the ability to:
• Keep the last 3 scans for each target and archive previous scans
• Delete archived scans which are older than 2 years
• The above data retention settings are configurable
• The above settings affect vulnerabilities detected, which are archived / deleted accordingly
• A default scan profile can be configured for each target
• Forgot Password option for Acunetix On premise, allowing users to reset their password – Email settings need to be configured
• Detect paths in JavaScript code via static method analysis
• Ability to retrieve links from several HTTP headers
• Scanner will try to auto-discover API definitions

New Vulnerability Checks

• New check for SAP NetWeaver RECON (CVE-2020-6287)
• New check for DNN (DotNetNuke) CMS Cookie Deserialization RCE (CVE-2017-9822)
• New check for Insecure Referrer Policy
• New check for Remote code execution of user-provided local names in Rails
• New check for Cisco Adaptive Security Appliance (ASA) Path Traversal (CVE-2020-3452)
• New check for Total.js Directory Traversal (CVE-2019-8903)
• New check for Envoy Metadata disclosure
• New checks for WordPress Core / Plugins / Themes, Drupal and Joomla vulnerabilities

Updates

• Vulnerabilities are now shown as grouped by Vulnerability Type and FQDNs
• Numerous improvements affecting vulnerability deduplication
• Deleted Targets will not be showing in the UI by default
• Malicious links detected will be highlighted in the vulnerability report
• Ability to scan all Targets in a Target Group
• Improved Swagger support implementation
• Updated backup files/folders and possible sensitive files checks to report alerts on parent of file detected
• Time zone can now be configured by each user account
• User accounts can now change UI to Chinese
• .NET Sensor updated to support .NET Core
• Updated Session Fixation vulnerability check to avoid possible False Positives
• Updated to Chromium v83

Fixes

• Fixed issue with offline activation
• Fixed a few crashes occurring on specific sites
• Fixed issue affecting AcuMonitor when scanning certain sites
• Various small UI fixes
• Fixed Target Deletion issue for Consult licenses
• Fixed: PDF report generation was failing in specific situations
• Fixed issue causing HTTP requests passing through a proxy to fail
• Fixed issue affecting relative HTTP redirects
• Fixed issue causing Manual Intervention not to work on Linux
• Fixed issue causing DeepScan to miss some DOMXSS vulnerabilities
• Fixed text overlapping issue in reports
• Fixed issue causing Telerik Web UI RadAsyncUpload Deserialization (CVE-2019-18935) to not always be detected
• Fixed: ‘HTTP Strict Transport Security (HSTS) not implemented’ and ‘HTTP Strict Transport Security (HSTS) Best Practices’ where using the same name
• Fixed: Sensitive files / directories checks were missing Attack details
• Fixed issue caused when sorting scans by target description
• fixed a few issues in the Login Sequence Recorder and Business Logic Recorder

Version 13 (Windows / Linux: 13.0.200807155, macOS: 13.0.200807156) 7th August 2020

New Features

• Acunetix is now available in Simplified Chinese
• Path Fragments are now shown in the site structure

New Vulnerability Checks

• New check for Insecure Inline Frames
• New check for Remote code execution of user-provided local names in Rails
• New check for SAP NetWeaver RECON auth bypass vulnerability
• New check for H2 console publicly accessible
• New check for PHP version disclosure
• New check for Atlassian JIRA ServiceDesk misconfiguration
• New test for Jolokia XML External Entity (XXE) vulnerability
• New checks for WordPress core, WordPress themes, WordPress plugins, Joomla and Drupal

Updates

• Created and Last Updated dates are available for vulnerabilities
• Order of section in Comparison report updated to be more intuitive
• Target Address is shown in full in the UI
• /users/ endpoint is now available in the API

Fixes

• Fixed issue when exporting vulnerabilities to WAF which contained CVSS3.1
• Fixed issue causing custom user-agent to not be used in all requests during a scan
• Fixed issues causing some vulnerabilities not to be well formatted when sent to JIRA issue tracker
• Fixed issue when adding JIRA Issue Tracker in Acunetix Online
• Fixed issue caused when adding Targets to an existing Target Group
• Minor fix in Comprehensive report text
• Fixed UI issue showing blank list (Scans, Targets etc) when using the browser’s back button
• Fixed issue caused by scanning Targets with complex GraphQL schemas

Version 13 (build 13.0.200715111 for Windows, Linux and build 13.0.200715153 for macOS) 15th July 2020

New Features

• Acunetix on premise is now available for macOS

New Vulnerability Checks

• New test for F5 BIG-IP Traffic Management User Interface (TMUI) RCE [CVE-2020-5902]
• New test for Composer installed.json publicly accessible
• New test for Symfony debug mode enabled
• New test for Symfony Profiler open
• New test for Directory Traversal with spring-cloud-config-server [CVE-2020-5410]
• New test for Grafana avatar SSRF [CVE-2020-13379]
• New test for rack-mini-profiler environment variables disclosure
• New test for Telerik Web UI RadAsyncUpload Deserialization [CVE-2019-18935]

Updates

• Improved UI messages when scans cannot start due to Manual Intervention
• Updated interpretation and generation of XML requests / responses
• New Scanning profile for High and Medium Vulnerabilities
• Target Description is now available on the Scans page
• Incremental Scans initiated by Jenkins plugin are correctly labelled as incremental
• A number of improvements in JavaScript Libraries Audit

Fixes

• Fixed issue caused when configuring Gitlab issue tracker with Impersonation Token
• Fixed issue causing filter not to be available for Standard licenses
• Fixed Malware Scan profile to include checks for malware links
• Fixed resource allocation issue, causing scans to end unexpectedly
• Comprehensive Report was incorrectly showing High Severity Threat level
• Fixed issue affecting the CVSS score calculation of some vulnerabilities

Version 13 (build 13.0.200624118 – Windows and Linux) 24th June 2020

New Features

• Introduced support for GraphQL
• Introduced support for OAuth2.0
• GraphQL files can be used as Import Files
• New Comprehensive Report, which includes the HTTP Response in the HTML version of the report
• HTTP Response uses syntax highlighting for improved readability
• Scans can now be restricted to paths/locations in import files
• User can choose which columns to show in all the Acunetix lists
• UI saves columns selected for each page / user (applies to Targets, Vulnerabilities, Scans and Reports)
• UI saves number of items to show on each page / user (applies to Targets, Vulnerabilities, Scans and Reports)
• UI saves sorting order for each page / user (applies to Targets, Vulnerabilities, Scans and Reports)

New Vulnerability Checks

• New check for vBulletin 5.6.1 (and earlier) nodeId SQL injection
• New check for Cmd hijack vulnerability
• New check for PHP opcache-gui publicly accessible
• New check for Laravel debug mode enabled
• New check for Laravel Health Monitor publicly accessible
• New check for Laravel Health Horizon publicly accessible
• New check for Laravel Health LogViewer publicly accessible
• New check for Laravel Health Telescope publicly accessible
• New check for Laravel Ignition Reflected Cross-Site Scripting
• New check for Laravel framework weak secret key
• New check for HTML Attribute Injection
• New check for Clockwork PHP dev tool enabled
• New check for PHP Debug Bar enabled
• New check for Broken Link Hijacking
• New checks for Cookie misconfigurations leading to security issues
• New vulnerabilities for WordPress Core, WordPress plugins, Joomla and Drupal

Updates

• Targets with Manual Intervention cannot have a Business Logic Recording
• Changed vulnerability name filter to use search as you type
• Scans will start reporting pages that require HTTP Authentication
• Acunetix UI notifications have been changed as follows:
• Moved to bottom right of Acunetix UI
• Stay longer on the page
• Can be closed by the user
• Increased name length limit of import files to 128 characters
• User can optionally specify the address to be used for Auto-login. This is useful for SSO login pages
• The scanner will try to connect to the address of the target before aborting the scan after 25 consecutive network errors
• Targets can be deleted and replaced on the license anniversary

Fixes

• Fixed: The vulnerability name filter did not always show all vulnerabilities
• Fixed incorrect error handling message when disabling the proxy settings
• Hide Business Logic Recorder for Network Only targets
• Fixed: Acunetix Online was showing an ID as the name of some network vulnerabilities
• Fixed: Acunetix Online was not always showing the HTTP Response for some vulnerabilities
• Fixed: Acunetix Online was not showing the number of licensed Targets
• Fixed issue causing paths of ignored files to be ignored too
• Fixed LSR issue on Safari browser
• Fixed issue caused when the LSR and BLR are used on certain sites
• Various minor fixes to the UI
• Fixed false positives in over 25 vulnerability checks

Version 13 (build 13.0.200519155 – Windows and Linux) 20th May 2020

Updates

• Vulnerabilities filter shows correct sorting
• User can now test notification settings
• List of Licensed Targets can now be accessed from user profile page

Fixes

• Fixed issue when using the Login Sequence Recorder remotely
• ConsultLite licenses were being shown as Standard
• Some vulnerabilities were not displayed correctly in Azure Devops Services

Version 13 (build 13.0.200508159 – Windows and Linux) 11th May 2020

New Features

• Business Logic Recorder – used to record logic used in multi-step forms
• Export to Citrix WAF
• Support for Azure DevOps Services issue tracker
• CVSS3.1 score for most Acunetix vulnerabilities
• Targets can now be exported to CSV
• New Graph in Dashboard showing Average vulnerabilities per Target

New Vulnerability Checks

• New check for Server-Side Template Injection (SSTI) in ASP.NET Razor
• New check for Oracle BI AMF Deserialization RCE (CVE-2020-2950)
• New check for Possible Cross Site Scripting via jquery.htmlPrefilter() (CVE-2020-11023)
• New check for Stored XSS in WP theme Onetone (CVE-2019-17230 and CVE-2019-17231)
• Updated detection of phpinfo pages
• New checks in WordPress Core and WordPress plugins
• New checks for default credentials in over 65 web applications

Updates

• Manual Intervention (used for CAPTCHAs, OTP etc) is now using the integrated (web-based) LSR
• As a result of the previous update, Manual Intervention is now available on Linux
• Improved error reporting for network scans aborted due to network errors
• Vulnerability alerts updated to show important information at the top
• Updated Github issue tracker to support Personal Access Token (PAT) authentication
• Improved reporting of Paused scans in the UI
• Improved UI message user triggers a scan which is not allowed due to Manual Intervention
• API documentation can now be downloaded from within the Acunetix UI
• Added support for popup windows in the Login Sequence Recorder
• Improved handling of large import files
• Improved handling large requests / responses generated from import files
• Decreased false positives reported for Possible username or password disclosure
• Truncated large vulnerability alerts when sending to Jira issue tracker

Fixes

• Fixed incorrect from email address used for monthly update emails
• Fixed AcuMonitor UI notification to link to corresponding vulnerability
• Fixed issue causing vulnerability checks to not be able to send empty values
• Fixed a number of crashes
• Fixed issue causing ASP.NET sites to be processed as ASP sites
• Fixed 2 issues caused when using Swagger import files
• Improved handling of txt import files using incorrect import format
• Fixed Session Fixation false positive
• Fixed UI issue when configuring Custom Cookies
• Trend charts where not being updated for user accounts
• Fixed issue in excluded hours
• Fixed “Client Certificate Not Set” message incorrectly being reported

Version 13 (build 13.0.200409107 – Windows and Linux) 9th April 2020

New Vulnerability Checks

• New check to warn user if server sends known password to client
• New check for RCE in Liferay Portal (CVE-2020-7961)

Updates

• Improved detection of SQL Injection

Fixes

• Fixed bbcode display issue in some alerts
• Fix in Login page password-guessing attack
• Fixed licensing issue caused by different case in Target address

Version 13 (build 13.0.200401171 – Windows and Linux) 2nd April 2020

New Vulnerability Checks

• New WordPress plugin checks

Updates

• Improved XXE check
• Improved internal IP disclosure check
• Vulnerabilities detected with 100% Confidence get a Verified stamp

Fixes

• Fixed issue with response highlighting for SQL Injection alerts
• Fixed AcuMonitor alert notifications not linking to scan
• Fixed page not found UI issue when trying to generate a report from Reports page
• Fixed issue with scanner looping when parsing specific long JSON responses

Version 13 (build 13.0.200326097 – Windows and Linux) 26th March 2020

New Features

• Introduced support for processing of Swagger 2.0 files during scans
• Introduced support for Swagger 2.0 files as import files
• New Quarterly scheduled scan option
• Users can change their password from the Acunetix UI

New Vulnerability Checks

• New check for Weak key used to sign cookie in Play framework
• JavaScript Library Audit now supports TinyMCE
• New check for BigIP iRule command injection
• New check for XSS in .NET session in URL
• New check for Remote Code Execution (RCE) in Ruby on Rails (CVE-2019-5420)
• New Check for Oracle E-Business Suite Deserialisation RCE
• New Check for Oracle E-Business Suite SSRF (CVE-2017-10246)
• New Check for Oracle E-Business Suite SSRF (CVE-2018-3167)
• New Check for Oracle E-Business Suite SQL Injection (CVE-2017-3549)
• New checks for WordPress Core and plugins, Joomla and Drupal

Updates

• Minor UI updates
• Better reporting of scans interrupted due to network errors
• Client Certificate address can now be configured for a Target
• HTTP Authentication address can now be configured for a Target
• Abort Scan after 25 network errors
• Implemented Proof of Exploit for Blind SQL Injection vulnerabilities
• Improved showing Scan Duration for long scans
• Acunetix can be installed in custom paths
• Scan email notifications will include a PDF report if requested at start of scan
• Email notifications can be configured for:
  • Product updates
  • Target notifications
  • Scan notifications
  • Report notifications
  • Monthly status updates

Fixes

• Fixed: On Reports page, Target address shows as N/A for Targets that do not have a Description
• Fixed issue uploading import files larger than 1mb
• Fixed issue whereby some addresses had missing a character in the report
• Fixed false positive in Possible server path disclosure
• Fixed issue causing the scanner to not following multiple redirects
• Fixed 2 scanner crashes
• Multiple fixes in WADL parser
• Fixed: Case Sensitive Paths settings was sometimes not being taken into consideration
• Fixed issue in Possible Sensitive Directories identifying incorrect locations
• Fixed issue for users with expired passwords not given the option to change their password

Version 13 (build 13.0.200205121 – Windows and Linux) 5th February 2020

New Features

• New Acunetix web UI
• Improved Network Scanner integration
• Malware Detection using Windows Defender on Windows and ClamAv on Linux
• Smart Scan
• New scanning algorithm prioritises scanning tasks and reduces scanning time
• Proof of exploit is reported in the vulnerability alerts
• Incremental Scans
• Vulnerability Confidence Rating for web vulnerabilities
• New GitLab Issue Tracker Integration
• New Bugzilla Issue Tracker Integration
• New Mantis Issue Tracker Integration
• Ability to create Login Sequence from Selenium script
• New WADL import file
• New ASP.NET Webforms import file
• New Postman import file
• New Paros import file
• Ability to create custom checks
• Highlighting of vulnerability in HTTP response
• DeepScan provides better support for Angular 2, Vue and React JavaScript Frameworks
• Unlimited network scanning for Acunetix Premium customers
• Account Session Timeout settings
• Account Maximum Consecutive Login Failure settings

New Vulnerability Checks

• New check for publicly accessible Bitrix server test script
• New check for publicly accessible NGINX+ dashboard
• New check for unrestricted access to NGINX+ API endpoints
• New check for outdated TLS version
• New check for Citrix Netscaler Unauthenticated Remote Code Execution (CVE-2019-19781)
• New check for Kentico CMS Deserialization RCE
• New check for Cross site scripting via Bootstrap
• New check for Django weak secret key
• New check for Oracle Weblogic T3 XXE (CVE-2019-2888)
• New check for leakage of API keys
• New check for JWT weak secret key
• New check for JWT none algorithm
• New check for publicly exposed .NET HTTP Remoting
• New check for .NET BinaryFormatter Object Deseralization vulnerabilities
• New check for Apache Solr Parameter Injection
• New check for Ruby framework weak secret key
• New check for Tornado weak secret key
• New check for BottlePy weak secret key
• New WordPress Core and plugin vulnerability checks
• New Joomla Core vulnerability checks
• New Drupal Core vulnerability checks

Updates

• Improved memory consumption for the scanner
• PDF reports now have page numbers
• Generic User-agent will be used for communication with issue trackers
• All lists in Acunetix UI can be sorted
• Easier filtering options in the Acunetix UI
• Settings can now be accessed from the side-bar
• Links discovered by AcuSensor are given more prominence
• Improved processing of XML and JSON POST input schemes
• Scanner will try to replay the LSR playback actions a number of times before failing
• Improved Auto-Login
• Multiple updates in the Login Sequence Recorder
• Developer report updated to include Source file, line number and other details provided by AcuSensor
• Acunetix now supports scanning domains with international characters
• Increase page size limit to 20Mb in scanner and LSR
• Improved detection of Possible Sensitive Files
• Improved detection of email addresses
• Improved detection of Command Injection
• Improved detection of database backup files
• Improved detection of XXE

Fixes

• Fixed issue in Developer report showing incorrect parameter name for detected vulnerabilities
• Fixed: “Tester” user role will not be able to create reports
• upgrades on Linux were not removing all files from previous installation
• Fixed issue with Manual Intervention
• Fixed: Session cookies where not always collected by LSR
• Fixed: Incorrect processing of URLs with “{” character
• Fixed a number of crashes in scanner
• Fixed issue causing scanner proxy to unintentionally transform parts of the HTTP request
• Fixed false positive in the detection of Apache Tomcat Remote Code Execution
• Fixed issues causing some links not to be properly imported by the importer
• Fixed issue with license activation when proxy and authentication is used
• Fixed issue causing session to get lost when Deepscan is used

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10
• 11