Acunetix Build History

Version 13 (build 13.0.200911154 for Windows and Linux and build 13.0.200911171 for macOS) 14th September 2020

New Features

  • New Data Retention settings, providing the ability to:
    • Keep the last 3 scans for each target and archive previous scans
    • Delete archived scans which are older than 2 years
    • The above data retention settings are configurable
    • The above settings affect vulnerabilities detected, which are archived / deleted accordingly
  • A default scan profile can be configured for each target
  • Forgot Password option for Acunetix On premise, allowing users to reset their password – Email settings need to be configured
  • Detect paths in JavaScript code via static method analysis
  • Ability to retrieve links from several HTTP headers

New Vulnerability Checks

Updates

  • Vulnerabilities are now shown as grouped by Vulnerability Type and FQDNs
  • Numerous improvements affecting vulnerability deduplication
  • Deleted Targets are no longer shown in the UI by default
  • Malicious links detected will be highlighted in the vulnerability report
  • Ability to scan all Targets in a Target Group
  • Improved Swagger support implementation
  • Updated backup files/folders and possible sensitive files checks to report alerts on the parent of the detected file
  • Time zone can now be configured by each user account
  • User accounts can now change UI to Chinese
  • .NET Sensor updated to support .NET Core
  • Updated Session Fixation vulnerability check to avoid possible False Positives
  • Updated to Chromium v83

Fixes

  • Fixed issue with offline activation
  • Fixed a few crashes occurring on specific sites
  • Fixed issue affecting AcuMonitor when scanning certain sites
  • Various small UI fixes
  • Fixed Target Deletion issue for Consult licenses
  • Fixed: PDF report generation was failing in specific situations
  • Fixed issue causing HTTP requests passing through a proxy to fail
  • Fixed issue affecting relative HTTP redirects
  • Fixed issue causing Manual Intervention not to work on Linux
  • Fixed issue causing DeepScan to miss some DOMXSS vulnerabilities
  • Fixed text overlapping issue in reports
  • Fixed issue causing Telerik Web UI RadAsyncUpload Deserialization (CVE-2019-18935) to not always be detected
  • Fixed: ‘HTTP Strict Transport Security (HSTS) not implemented’ and ‘HTTP Strict Transport Security (HSTS) Best Practices’ were using the same name
  • Fixed: Sensitive files / directories checks were missing Attack details
  • Fixed issue caused when sorting scans by target description
  • Fixed a few issues in the Login Sequence Recorder and Business Logic Recorder

Version 13 (Windows / Linux: 13.0.200807155, macOS: 13.0.200807156) 7th August 2020

New Features

New Vulnerability Checks

Updates

  • Created and Last Updated dates are available for vulnerabilities
  • Order of sections in Comparison report updated to be more intuitive
  • Target Address is shown in full in the UI
  • /users/ endpoint is now available in the API

Fixes

  • Fixed issue when exporting vulnerabilities to WAF which contained CVSS3.1
  • Fixed issue causing custom user-agent to not be used in all requests during a scan
  • Fixed issues causing some vulnerabilities not to be well formatted when sent to JIRA issue tracker
  • Fixed issue when adding JIRA Issue Tracker in Acunetix Online
  • Fixed issue caused when adding Targets to an existing Target Group
  • Minor fix in Comprehensive report text
  • Fixed UI issue showing blank list (Scans, Targets etc) when using the browser’s back button
  • Fixed issue caused by scanning Targets with complex GraphQL schemas

Version 13 (build 13.0.200715111 for Windows, Linux and build 13.0.200715153 for macOS) 15th July 2020

New Features

  • Acunetix on premise is now available for macOS

New Vulnerability Checks

Updates

  • Improved UI messages when scans cannot start due to Manual Intervention
  • Updated interpretation and generation of XML requests / responses
  • New Scanning profile for High and Medium Vulnerabilities
  • Target Description is now available on the Scans page
  • Incremental Scans initiated by Jenkins plugin are correctly labelled as incremental
  • A number of improvements in JavaScript Libraries Audit

Fixes

  • Fixed issue caused when configuring Gitlab issue tracker with Impersonation Token
  • Fixed issue causing filter not to be available for Standard licenses
  • Fixed Malware Scan profile to include checks for malware links
  • Fixed resource allocation issue, causing scans to end unexpectedly
  • Comprehensive Report was incorrectly showing High Severity Threat level
  • Fixed issue affecting the CVSS score calculation of some vulnerabilities

Version 13 (build 13.0.200624118 – Windows and Linux) 24th June 2020

New Features

  • Introduced support for GraphQL
  • Introduced support for OAuth2.0
  • GraphQL files can be used as Import Files
  • New Comprehensive Report, which includes the HTTP Response in the HTML version of the report
  • HTTP Response uses syntax highlighting for improved readability
  • Scans can now be restricted to paths/locations in import files
  • User can choose which columns to show in all the Acunetix lists
  • UI saves columns selected for each page / user (applies to Targets, Vulnerabilities, Scans and Reports)
  • UI saves number of items to show on each page / user (applies to Targets, Vulnerabilities, Scans and Reports)
  • UI saves sorting order for each page / user (applies to Targets, Vulnerabilities, Scans and Reports)

New Vulnerability Checks

Updates

  • Targets with Manual Intervention cannot have a Business Logic Recording
  • Changed vulnerability name filter to use search as you type
  • Scans will start reporting pages that require HTTP Authentication
  • Acunetix UI notifications have been changed as follows:
    • Moved to bottom right of Acunetix UI
    • Stay longer on the page
    • Can be closed by the user
  • Increased name length limit of import files to 128 characters
  • User can optionally specify the address to be used for Auto-login. This is useful for SSO login pages
  • The scanner will try to connect to the address of the target before aborting the scan after 25 consecutive network errors
  • Targets can be deleted and replaced on the license anniversary

Fixes

  • Fixed: The vulnerability name filter did not always show all vulnerabilities
  • Fixed incorrect error handling message when disabling the proxy settings
  • Hide Business Logic Recorder for Network Only targets
  • Fixed: Acunetix Online was showing an ID as the name of some network vulnerabilities
  • Fixed: Acunetix Online was not always showing the HTTP Response for some vulnerabilities
  • Fixed: Acunetix Online was not showing the number of licensed Targets
  • Fixed issue causing paths of ignored files to be ignored too
  • Fixed LSR issue on Safari browser
  • Fixed issue caused when the LSR and BLR are used on certain sites
  • Various minor fixes to the UI
  • Fixed false positives in over 25 vulnerability checks

Version 13 (build 13.0.200519155 – Windows and Linux) 20th May 2020

Updates

  • Vulnerabilities filter shows correct sorting
  • User can now test notification settings
  • List of Licensed Targets can now be accessed from user profile page

Fixes

  • Fixed issue when using the Login Sequence Recorder remotely
  • ConsultLite licenses were being shown as Standard
  • Some vulnerabilities were not displayed correctly in Azure DevOps Services

Version 13 (build 13.0.200508159 – Windows and Linux) 11th May 2020

New Features

  • Business Logic Recorder – used to record logic used in multi-step forms
  • Export to Citrix WAF
  • Support for Azure DevOps Services issue tracker
  • CVSS3.1 score for most Acunetix vulnerabilities
  • Targets can now be exported to CSV
  • New Graph in Dashboard showing Average vulnerabilities per Target

New Vulnerability Checks

Updates

  • Manual Intervention (used for CAPTCHAs, OTP etc) is now using the integrated (web-based) LSR
  • As a result of the previous update, Manual Intervention is now available on Linux
  • Improved error reporting for network scans aborted due to network errors
  • Vulnerability alerts updated to show important information at the top
  • Updated Github issue tracker to support Personal Access Token (PAT) authentication
  • Improved reporting of Paused scans in the UI
  • Improved UI message shown when a user triggers a scan which is not allowed due to Manual Intervention
  • API documentation can now be downloaded from within the Acunetix UI
  • Added support for popup windows in the Login Sequence Recorder
  • Improved handling of large import files
  • Improved handling of large requests / responses generated from import files
  • Decreased false positives reported for Possible username or password disclosure
  • Truncated large vulnerability alerts when sending to Jira issue tracker

Fixes

  • Fixed incorrect from email address used for monthly update emails
  • Fixed AcuMonitor UI notification to link to corresponding vulnerability
  • Fixed issue causing vulnerability checks to not be able to send empty values
  • Fixed a number of crashes
  • Fixed issue causing ASP.NET sites to be processed as ASP sites
  • Fixed 2 issues caused when using Swagger import files
  • Improved handling of txt import files using incorrect import format
  • Fixed Session Fixation false positive
  • Fixed UI issue when configuring Custom Cookies
  • Trend charts were not being updated for user accounts
  • Fixed issue in excluded hours
  • Fixed “Client Certificate Not Set” message incorrectly being reported

Version 13 (build 13.0.200409107 – Windows and Linux) 9th April 2020

New Vulnerability Checks

  • New check to warn user if server sends known password to client
  • New check for RCE in Liferay Portal (CVE-2020-7961)

Updates

  • Improved detection of SQL Injection

Fixes

  • Fixed bbcode display issue in some alerts
  • Fix in Login page password-guessing attack
  • Fixed licensing issue caused by different case in Target address

Version 13 (build 13.0.200401171 – Windows and Linux) 2nd April 2020

New Vulnerability Checks

  • New WordPress plugin checks

Updates

  • Improved XXE check
  • Improved internal IP disclosure check
  • Vulnerabilities detected with 100% Confidence get a Verified stamp

Fixes

  • Fixed issue with response highlighting for SQL Injection alerts
  • Fixed AcuMonitor alert notifications not linking to scan
  • Fixed page not found UI issue when trying to generate a report from Reports page
  • Fixed issue with scanner looping when parsing specific long JSON responses

Version 13 (build 13.0.200326097 – Windows and Linux) 26th March 2020

New Features

  • Introduced support for processing of Swagger 2.0 files during scans
  • Introduced support for Swagger 2.0 files as import files
  • New Quarterly scheduled scan option
  • Users can change their password from the Acunetix UI

New Vulnerability Checks

Updates

  • Minor UI updates
  • Better reporting of scans interrupted due to network errors
  • Client Certificate address can now be configured for a Target
  • HTTP Authentication address can now be configured for a Target
  • Abort Scan after 25 network errors
  • Implemented Proof of Exploit for Blind SQL Injection vulnerabilities
  • Improved showing Scan Duration for long scans
  • Acunetix can be installed in custom paths
  • Scan email notifications will include a PDF report if requested at start of scan
  • Email notifications can be configured for:
    • Product updates
    • Target notifications
    • Scan notifications
    • Report notifications
    • Monthly status updates

Fixes

  • Fixed: On Reports page, Target address shows as N/A for Targets that do not have a Description
  • Fixed issue uploading import files larger than 1 MB
  • Fixed issue whereby some addresses were missing a character in the report
  • Fixed false positive in Possible server path disclosure
  • Fixed issue causing the scanner to not follow multiple redirects
  • Fixed 2 scanner crashes
  • Multiple fixes in WADL parser
  • Fixed: Case Sensitive Paths setting was sometimes not being taken into consideration
  • Fixed issue in Possible Sensitive Directories identifying incorrect locations
  • Fixed issue where users with expired passwords were not given the option to change their password

Version 13 (build 13.0.200205121 – Windows and Linux) 5th February 2020

New Features

  • New Acunetix web UI
  • Improved Network Scanner integration
  • Malware Detection using Windows Defender on Windows and ClamAv on Linux
  • Smart Scan
  • New scanning algorithm prioritises scanning tasks and reduces scanning time
  • Proof of exploit is reported in the vulnerability alerts
  • Incremental Scans
  • Vulnerability Confidence Rating for web vulnerabilities
  • New GitLab Issue Tracker Integration
  • New Bugzilla Issue Tracker Integration
  • New Mantis Issue Tracker Integration
  • Ability to create Login Sequence from Selenium script
  • New WADL import file
  • New ASP.NET Webforms import file
  • New Postman import file
  • New Paros import file
  • Ability to create custom checks
  • Highlighting of vulnerability in HTTP response
  • DeepScan provides better support for Angular 2, Vue and React JavaScript Frameworks
  • Unlimited network scanning for Acunetix Premium customers
  • Account Session Timeout settings
  • Account Maximum Consecutive Login Failure settings

New Vulnerability Checks

Updates

  • Improved memory consumption for the scanner
  • PDF reports now have page numbers
  • Generic User-agent will be used for communication with issue trackers
  • All lists in Acunetix UI can be sorted
  • Easier filtering options in the Acunetix UI
  • Settings can now be accessed from the side-bar
  • Links discovered by AcuSensor are given more prominence
  • Improved processing of XML and JSON POST input schemes
  • Scanner will try to replay the LSR playback actions a number of times before failing
  • Improved Auto-Login
  • Multiple updates in the Login Sequence Recorder
  • Developer report updated to include Source file, line number and other details provided by AcuSensor
  • Acunetix now supports scanning domains with international characters
  • Increased page size limit to 20 MB in scanner and LSR
  • Improved detection of Possible Sensitive Files
  • Improved detection of email addresses
  • Improved detection of Command Injection
  • Improved detection of database backup files
  • Improved detection of XXE

Fixes

  • Fixed issue in Developer report showing incorrect parameter name for detected vulnerabilities
  • Fixed: “Tester” user role will not be able to create reports
  • Fixed: Upgrades on Linux were not removing all files from previous installation
  • Fixed issue with Manual Intervention
  • Fixed: Session cookies were not always collected by LSR
  • Fixed: Incorrect processing of URLs with “{” character
  • Fixed a number of crashes in scanner
  • Fixed issue causing scanner proxy to unintentionally transform parts of the HTTP request
  • Fixed false positive in the detection of Apache Tomcat Remote Code Execution
  • Fixed issues causing some links not to be properly imported by the importer
  • Fixed issue with license activation when proxy and authentication are used
  • Fixed issue causing session to get lost when Deepscan is used