Acunetix Build History

Version 12 (build 12.0.191121158 – Windows and Linux) 25th November 2019

New Features

• New scanning algorithm resulting in faster scans
• Scanner will give higher priority to locations which are dissimilar to ones that have already been scanned
• JAVA AcuSensor now supports JAVA Spring Framework

New Vulnerability Checks

• New check for Ruby on Rails Code Injection
• New check for Perl Code Injection
• AcuMonitor can now detect OOB PHP evaluation of user input
• New check for Prototype Pollution
• New check for Blind XSS via CSP report-uri
• New check for Jira Unauthorized SSRF via REST API
• New check for Apache Tapestry weak secret key
• New check for Oracle PeopleSoft SSO weak secret key
• New check for Yii2 weak secret key
• New check for Web2py weak secret key
• New check for Golang runtime profiling data
• New check for Adminer 4.6.2 file disclosure vulnerability
• New check for Apache mod_rewrite open redirect (CVE-2019-10098)
• New check for Flask weak secret key
• New check for Express express-session weak secret key
• New check for vBulletin 5.x 0day pre-auth RCE
• New check for Argument Injection

Updates

• Deepscan is now caching static assets. This will result in faster scans
• Improved memory consumption by the scanner
• Improved processing of forms and form handling
• Improved detection of paths
• Scanner will now process commented out html
• Updated command injection payloads

Fixes

• Fixed scanner crash
• Fixed WAF detection false positive
• Fixed: Check for Sensitive files was accessing restricted links
• Fixed issue causing scanner to multi-line session validation pattern
• Fixed: Some locations where incorrectly detected by DeepScan
• Fixed issue causing integrated LSR to close due to Ad blocking
• Fixed issue with HAR import files
• Fixed issue in the detection of Weak authentication credentials
• Fixed issue affecting the detection of DOM XSS vulnerabilities
• Fixed issue in the detection of possible username and password disclosure
• Fixed issue with recording restricted links in Internet Explorer
• Fixed: Tech Admin can now configure the engine to be used for a Target
• Fixed issue affecting scanning of domains with international characters

Version 12 (build 12.0.190927120 – Windows and Linux) 30th September 2019

New Features

• Introduced new Scan Type: New Web Vulnerabilities to scan for new vulnerabilities introduced in the latest Acunetix update
• Introduced ad-blocking in the scanner, resulting in faster scans
• Implemented support for Session HTTP headers when logging in to the site
• Introduced custom_settings.xml to configure settings from settings.xml, which are not overwritten on upgrade

New Vulnerability Checks

• New test for insecure Java de-serialization causing RCE in SAP Commerce Cloud (CVE-2019-0344)
• New test for a weak key used to sign a cookie in Yii2
• New test for a weak key used to sign a cookie in Mojolicious
• New test for Webmin 0day remote code execution (CVE-2019-15107)
• Updated WordPress Core and WordPress Plugin vulnerability checks

Updates

• The scan will now report when an invalid Selenium script is used as an import file
• Improved detection of the type of Burp import file being used
• Increased limit on Custom Headers
• Multiple improvements in DeepScan
• The LSR Record button is disabled during Login Action playback
• Acunetix will start reporting login forms when no login credentials are configured
• The tester user will not be able to create or view reports

Fixes

• Fixed: Directory Traversal vulnerabilities were sometimes incorrectly reported as found with AcuSensor
• Fixed: Several broken references in the vulnerability alerts
• Fixed: HTTP Response was not shown in some vulnerability alerts
• Fixed an issue causing DeepScan to take too long to process some locations
• Fix in PHP Hash Collision DOS vulnerability check
• Fixed: Integrated LSR was not working on IE11
• Fixed: Selenium script playback fails for some scripts
• Fixed: Session Detection fails if session pattern spans multiple lines
• Fixed: LSR keeps showing the spinner on some pages
• Fixed: LSR Session pattern was not always saved when detected using the navigation
• Fixed: LSR Session pattern check might fail for in body / not in body patterns
• Fixed: On some systems, Chromium processes cannot be terminated when generating PDF reports
• Fixed: Passwords were recoverable from the UI
• Better handling of HTTP timeouts by vulnerability checks

Version 12 (build 12.0.190827161 – Windows and Linux) 28th August 2019

New Features

• Implemented support for OpenSearch
• Acunetix will try to discover hidden parameters and test them
• Acunetix can now check base64 encoded JSON inputs for vulnerabilities

New Vulnerability Checks

• New test for Oracle Business Intelligence Convert XXE (CVE-2019-2767)
• New test for Oracle Business Intelligence Adfresource Path traversal (CVE-2019-2588)
• New test for Oracle Business Intelligence AuthBypass (CVE-2019-2768)
• New test for Oracle Business Intelligence ReportTemplateService XXE (CVE-2019-2616)
• New test for Jira RCE (CVE-2019-11581)
• New test for Test for Atlassian Crowd RCE (CVE-2019-11580)
• New tests for Python Code Injection
• New test for Apache Spark RCE [https://spark.apache.org/security.html] (CVE-2018-11770)
• New test for ColdFusion Deserialization RCE (CVE-2019-7091)
• Implemented support for OpenID Connect Discovery
• Detect and report Apple application association files
• Added new checks for WordPress plugins, Drupal core and Joomla core

Updates

• Updated UI to accept IPv6 addresses
• Multiple improvements to DeepScan
• Improved the Directory Traversal check
• Updated the scan limits, reducing repeated requests to larger sites
• Acunetix will now extract and process gzipped files
• Multiple updates to parsing and heuristic crawler features
• Improved the vulnerability deduplication – similar vulnerabilities will be reported once
• Improved reporting of the cause of scan failures (e.g. website is unresponsive, invalid import file etc)
• Credentials provided to Auto-Login or LSR will not be used for vulnerability tests
• Improved processing of Selenium scripts
• Improved login form detection by Auto-Login feature
• Improved WebLogic detection, and testing for default WebLogic credentials
• Improved detection of Vulnerable JavaScript libraries check

Fixes

• Fixed a number of issues causing the scanner to stop unexpectedly
• Fixed issue causing AcuMonitor checks to be done when AcuMonitor is not enabled
• Fixed issue with WSDL parsing
• Fixed: Reflected tests (e.g. reflected XSS) was not done on JSON inputs
• Fixed issue causing 100% CPU usage when processing certain pages
• Fixed hang in the Acunetix Administrative Password utility on Windows
• Fixed: DeepScan was not processing XHTML pages
• Fixed issue causing Chromiumn process to remain active after PDF report generation
• Fixed issue caused by background requests when recording a login sequence
• Fixed issue when recording a login sequence on a site that uses cross-domain iframes
• Fixed issue when parsing WADL
• Fixed issue causing Host Header Attack false negatives

Version 12 (build 12.0.190703137 – Windows and Linux) 4th July 2019

New Vulnerability Checks

• New test for Joomla! Core CSV Injection vulnerability check [CVE-2019-12765]
• New test for Joomla! Core XSS vulnerability check (CVE-2019-12766)
• New test for Joomla! Core Security bypass (CVE-2019-12764)
• New test for Oracle Weblogic XXE (CVE-2019-2647)
• Added the detection of CDNs
• Added the detection of reverse proxies

Updates

• Auto-Login is now using the LSR functionality – this will improve auto-login in general
• Improved detection of DOM XSS
• Improved handling of invalid Selenium scripts
• Improved handling of email addresses fields in web forms
• Improved parsing of WSDL files
• Implemented support for Proxy-Authenticate header
• Improved crawling of Spring-based web applications
• Updated LSR to automatically dismiss modal dialogs during playback
• Reduced false positives in checks looking for sensitive and backup files
• Reduced false positives in SSN number detection
• Reduced false positives in XSS in URIs
• Improved the detection of WAFs
• LSR can now record actions within <iframe> elements
• Jira Issue Tracker integration now supports HTTP Authentication with API key

Fixes

• Fixed a crash when parsing SOAP messages
• Fixed issue in interpretation of some Selenium scripts
• Fixed a number of broken links in the Vulnerability Alerts
• Autologin was recording the password in the log file
• Fixed crash caused when reading specific swagger files
• Fixed crash caused when reading specific large files
• Fixed issue causing the scanner to go into a loop
• Fixed issue causing crawler to not interpret correctly certain locations in JavaScript
• Fixed issue in Manual Intervention
• Fixed issue affecting sites using euc-kr encoding
• Fixed Chromium issue caused when window.chrome is used by the site
• Fixed issue causing Chromium not to load on Kali Linux
• Fixed LSR playback issue caused when input field contained predefined text
• SRI not implemented was being reported multiple times per host

Version 12 (build 12.0.190515149 – Windows and Linux) 14th May 2019

New Features

• Network Scanning via OpenVAS integration
• Introduced support for IPv6 domains (IPv6 addresses not supported yet)
• Dynamic resource allocation for when multiple scanners are started on the same machine
• Improved resource usage for string comparison functions
• Selenium scripts can now be used as import files

New Vulnerability Checks

• NEW check for Memcached Unauthorized Access Vulnerability
• NEW check for Redis Unauthorized Access Vulnerability
• NEW check for SAP ICF /sap/public/info sensitive information disclosure
• NEW check for SAP NetWeaver server info information disclosure
• NEW check for SAP NetWeaver ConfigServlet remote command execution
• NEW check for SAP Portal directory traversal vulnerability
• NEW check for SAP NetWeaver ipcpricing server side request forgery
• NEW check for SAP Management Console list logfiles
• NEW check for SAP Management Console get user list
• NEW check for SAP NetWeaver server info information disclosure
• NEW check for SAP Knowledge Management and Collaboration (KMC) incorrect permissions
• NEW check for SAP NetWeaver Java AS WD_CHAT information disclosure vulnerability
• NEW check for SAP weak/predictable user credentials
• NEW check for OpenCms Solr XML External Entity (XXE) vulnerability
• NEW check for Confluence Widget Connector SSTI
• New check for Ruby source code disclosure
• NEW check for Python source code disclosure
• Added new WordPress Core and WordPress Plugins vulnerability checks
• Added new Drupal Core vulnerability checks
• Added new Joomla Core vulnerability checks

Updates

• Multiple improvements to the detection of Blind SQL Injection
• Improved the Error Messages vulnerability check
• Improved the Adobe Experience Manager tests
• Improved detection of Java Deserialization and Mongo alert deduplication
• Improved detection of Rails accept file content disclosure
• Updated alert details for Oracle WebLogic Remote Code Execution via T3 (CVE-2018-3245)
• Improved detection of Confluence
• Improved PHP AcuSensor when used on nginx
• Improved detection of PHP code injection
• Updated Directory Traversal Check to make fewer requests
• Multiple improvements to DeepScan and the LSR
• Implemented support for WebSockets in LSR and Deepscan

Fixes

• Fixed a few crashes
• Fixed issue causing Postcrawl scripts to not be executed on folders
• Fixed: Custom cookies could be used twice when the application sets the same cookies
• Cookie processing now ignores leading . in domain
• Fixed issue with LSR when used on Internet Explorer
• Fixed issue with HTTP Authentication
• Fixed false positive in Struts_RCE_S2-052_CVE-2017-9805
• Fixed severity level for CSRF vulnerability check
• Fixed False Negative in Mercurial repository found check
• Fixed issue causing site structure not to be updated with locations identified by vulnerability scripts

Version 12 (build 12.0.190404166 – Windows and Linux) – 5th April 2019

New Vulnerability Checks

• Test for Remote code execution in bootstrap-sass 3.2.0.3 (CVE-2019-10842)
• Test for Magento (2.2.0 to 2.3.0) Unauthenticated SQL Injection Vulnerability

Updates

• Minor update improving efficiency of PerFolder checks
• LSR: Disabled spellcheck for fields loaded
• Deepscan: Improved exclusion of clicks on logout elements
• LSR: clicks on some SVG elements where not being recorded
• LSR: Session Pattern Detection now uses session headers provided by webapp

Fixes

• Fixed 2 issues causing the scanner to stop unexpectedly
• Scan progress was not always correctly saved when scan is paused
• Session Pattern Detection was not always using the session headers provided by the webapp

Version 12 (build 12.0.190325161 – Windows and Linux) – 26th March 2019

New Features

• Verified vulnerabilities are now indicated by Acunetix

New Vulnerability Checks

• Test for PHP opcache-status page
• Test for Arbitrary File Read in Next.js
• Test for Nagios XI Magpie_debug.php Unauthenticated RCE (CVE-2018-15708)
• Test for Horde Imp Unauthenticated Remote Command Execution
• Test for Cisco Identity Service Engine XSS (CVE-2018-15440)
• Test for publicly available Apache balancer-manager application
• Test for Rails File Content Disclosure in Action View (CVE-2019-5418)
• Test for Apache Solr Deserialization of untrusted data via jmx.serviceUrl (CVE-2019-0192)
• Added a test for /jolokia
• Updated XSS checks to detect vulnerabilities on newer versions of Apache Tomcat
• Added new WordPress Core and WordPress Plugins vulnerability checks

Updates

• Updated Directory Traversal vulnerability check
• Improved detection of Blind SQL Injection
• On Linux, OOM Killer will now stop less important processes
• Improve handling of XHR requests in Deepscan
• Multiple improvements to the LSR and Session detection
• Scan Stats are now retained between Pause/Resume
• Improved the detection of paths from JSON and XML
• Improve techniques used to detect type of input in web form
• Multiple minor UI updates

Fixes

• Fixed multiple instances of scanner stopping unexpectedly
• Fixed false positive reported by WordPress plugin All in One SEO Pack privielege escalation check
• Fixed issue causing the same web application to be detected multiple times
• Some vulnerability alerts did not show the HTTP Response
• Fixed issue causing incorrect processing of default values in forms
• HTTP redirects were not being detected
• Fixed issue in File Upload XSS vulnerability check
• Fixed issue causing PerFolder scripts not to be executed on all folders
• Fixed issue causing HAR file importing to fail
• Fixed issue causing LSR to fail to load Target with uppercase address
• Fixed issue causing SharePoint Reflected Cross-Site Scripting (CVE-2017-8514) not to be reported

Version 12 (build 12.0.190227132 – Windows and Linux) – 27th February 2019

New Vulnerability Checks

• Test for Drupal REST Remote Code Execution (CVE-2019-6340)
• Tests for vBulletin 5 routestring Local File Inclusion Vulnerability
• Tests for ThinkPHP v5.0.22/5.1.29 Remote Code Execution Vulnerability
• Tests for uWSGI Unauthorized Access Vulnerability
• Tests for FastGI Unauthorized Access Vulnerability
• Test for Typo3 Restler 1.7.0 Local File Disclosure
• A number of new vulnerability checks for WordPress Core and Plugins and Drupal Core

Updates

• Update Source Code Disclosure checks to prevent False Positives
• Unused paths are filtered out from AcuSensor data

Fixes

• Fixed false positive in Expression Language Injection vulnerability check
• Fixed issue in LSR / Deepscan when processing scripts overriding toJSON on Object

Version 12 (build 12.0.190214162 – Windows and Linux) – 15th February 2019

Updates

• Improved scanning of .NET web applications
• Improved processing of CSS files
• 40% speed improvement when parsing pages
• Various updates to WSDL processing

Fixes

• Some invalid URLs were being incorrectly reported as external hosts
• Fixed issue causing communication problem between scanner and backend
• Allowed hosts were not always being scanned
• Integrated LSR was not always working on Internet Explorer 11
• Fixed LSR display problem when browser window is zoomed or resized
• Fixed issue when importing Burp State file

Version 12 (build 12.0.190206130 – Windows and Linux) – 7th February 2019

New Features

• New Integrated Login Sequence Recorder – Login Sequences can be recorded directly from the Acunetix UI
• Swagger (JSON and YAML) and WSDL can be used as import files

New Vulnerability checks

• New checks for a number of WebBackdoors
• New checks for elmah.axd information disclosure
• New test for Stack Trace Disclosure in Django
• New test for Stack Trace Disclosure in ASP.NET
• New test for Stack Trace Disclosure in ColdFusion
• New test for Stack Trace Disclosure in Python
• New test for Stack Trace Disclosure in Ruby
• New test for Stack Trace Disclosure in Tomcat
• New test for Stack Trace Disclosure in Grails
• New test for Stack Trace Disclosure in Apache MyFaces
• New test for Stack Trace Disclosure in Java
• New test for Stack Trace Disclosure in GWT
• New test for Stack Trace Disclosure in Laravel
• New test for Stack Trace Disclosure in Rails
• New test for Stack Trace Disclosure in CakePHP
• New test for Stack Trace Disclosure in CherryPy
• New Directory Listing vulnerability checks
• New Error Message vulnerability checks
• New test for Oracle Reports RWServlet showenv
• New test for Docker Engine API publicly accessible
• New test for Docker Registry API publicly accessible
• New test for Jenkins server user enumeration
• New test for Jenkins server weak credentials
• Added the following new tests for Adobe Experience Manager
  • Day CQ WCM Debug Filter enabled
  • LoginStatusServlet exposed (allows to bruteforce credentials)
  • Bruteforce a set of default AEM credentials if LoginStatusServlet is exposed
  • QueryBuilderFeedServlet public accessible, sensitive information might be exposed
  • Implemented tests for a bunch of SWF files that are exposed by AEM code that are vulnerable to Reflected XSS
  • Test if the AEM Groovy Console is publicly accessible. Permits RCE
  • Added a test for exposed AEM ACS Tools (a set of tools for AEM developers) – RCE is possible
  • Test if GQLServlet is publicly accessible. Sensitive information could be exposed
  • Test if Adobe Experience Manager AuditLogServlet is publicly accessible. Audit log records could be exposed
  • Test for Server Side Request Forgery (SSRF) via SalesforceSecretServlet (CVE-2018-5006)
  • Test for Server Side Request Forgery (SSRF) via ReportingServicesServlet
  • Test for Server Side Request Forgery (SSRF) via SiteCatalystServlet was detected

Updates

• Improved the scanning of sites using SOAP
• Improved parsing of paths
• TXT import now takes precedence over excluded paths
• Improved the adherence of the scan scope
• Improved the detection of the version of WordPress plugins
• Improved the automatic session pattern detection in the LSR
• LocalStorage / SessionStorage is retained between LSR and Deepscan Sessions

Fixes

• Fixed: Scan scope was not always respected
• Technology detected during the scan was not being reported
• Fixed several scanner unexpected termination issues
• Fixed issue causing large PDF reports not to be generated
• Fixed: AcuSensor file data is better filtered by scanner

Version 12 (build 12.0.190121124 – Windows and Linux) – 22nd January 2019

Updates

• HTTP response size limit has been increased to 20Mb
• Swagger parser now supports yml files

Fixes

• Fixed a scanner crash
• Fixed: Login Sequence Recorder was not using the User-Agent configured for the Target
• Fixed issue causing false positives in ‘User controllable charset’ and ‘User controllable script source’
• Fixed issue with BURP state file importer
• Fixed: Users could not update an expired POC license

Version 12 (build 12.0.181218140 – Windows and Linux) – 18th December 2018

New Vulnerability checks

• New test for Apache Solr XXE (CVE-2017-12629)
• New test for RCE in Spring Security OAuth (CVE-2016-4977)
• New test for Apache mod_jk access control bypass (CVE-2018-11759)
• New test for Unauthenticated Stored XSS in WordPress Plugin WPML (CVE-2018-18069)
• New test for ACME mini_httpd (web server) arbitrary file read (CVE-2018-18778)
• New test for OSGi Management Console Default Credentials
• New test for Flex BlazeDS AMF Deserialization RCE (CVE-2017-5641)
• New test for common misconfigurations in ColdFusion
• New test for AMF Deserialization RCE in ColdFusion (CVE-2017-3066)
• New test for JNDI injection in ColdFusion (CVE-2018-15957)
• New test for unauthenticated File uploading in ColdFusion (CVE-2018-15961)
• New WordPress / WordPress plugin vulnerability checks

Updates

• Improved the injection of payloads and other improvements in the handling of JSON data
• Updated Chromium to fix Chromium vulnerability
• Improved web application detection

Fixes

• Corrected LSR launch message for Linux installations
• Fixed Update License issue on Internet Explorer
• Fixed several memory leaks/scanner closing unexpectedly
• Fixed issue affecting the processing of some content types
• Some cookies were being added multiple times during the scan
• Some redirects were not being correctly handled
• Some requests generated by the scanner incorrectly contained two backslashes (‘//’)
• Fixed issue in the Backup Folders checks going out of scope
• Several minor fixes

Version 12 (Windows build 12.0.181203110, Linux build 12.0.181204095) – 4th December 2018

New features

• Deepscan has been updated to make use of Chromium (Windows only – already included in Linux)
• Login Sequence Recorder has been updated to make use of Chromium (Windows only – already included in Linux)
• Acunetix can now test APIs document using Swagger (Windows only – already included in Linux)
• Introduced support for NTLM HTTP Authentication on Linux release (already included on Windows)
• Introduced support for Kerberos HTTP Authentication (Windows only)

New vulnerability checks

• A huge update increasing the detection of Stored XSS
• New test for possible file creation using the HTTP PUT method
• New test for Apache Tomcat Remote Code Execution Vulnerability (CVE-2017-12615)
• New test for Ektron Content Management System (CMS) 9.20 SP2, remote re-enabling users (CVE-2018–12596)
• New test for httpoxy vulnerability
• New test checks if CouchDB REST API is publicly accessible
• New test checks if CouchDB is vulnerable to Remote Privilege Escalation resulting in Remote Code Execution (CVE-2017-12635)
• New test for Apache ActiveMQ default credentials
• New test for Node.js Path validation vulnerability (CVE-2017-14849)
• New test for GoAhead web server RCE via unsafe environment initialization of forked CGI scripts (CVE-2017-17562)
• New test for publicly accessible Hadoop YARN ResourceManager WebUI
• New test for jQuery-File-Upload <= v9.22.0 unauthenticated arbitrary file upload vulnerability
• New test looks for Google Firebase Databases URLs in the response and checks if the Firebase Databases are accessible without authentication
• New test for Oracle WebLogic Remote Code Execution vulnerability via T3 (CVE-2018-3245)
• New test for Oracle WebLogic Authentication Bypass vulnerability (CVE-2018-2894)
• New test checks if Jupyter Notebook is publicly accessible
• New test for Apache Log4j socket receiver deserialization vulnerability
• New test for NGINX range filter integer overflow (CVE-2017-7529)
• New test for Xdebug remote code execution via xdebug.remote_connect_back
• Numerous new checks for WordPress Core, WordPress plugins, Joomla Core and Drupal Core.

Updates

• Numerous memory management improvements
• Multiple updates to LSR and session detection improving scanning of restricted areas
• Improved speed of SQL Injection vulnerability checks
• The new LSR / Deepscan will improve support of JavaScript rich sites
• Added mock geo-location support to support scanning sites that require geo-location
• Improved analysis of XML and JSON

Fixes

• Fixed scanner crash when scan was resumed from paused state
• Fixed some issues in the handling of cookies
• Custom cookies were not always used
• Content-Type header was not always being sent. This affected the detection of some vulnerabilities
• Fixed a false positive in SSL weak key length vulnerability check
• Fixed issue in the Social Security Number and Credit Card number check
• Fixed issue with AcuSensor download on Linux release
• Fixed issue causing scans to be aborted when server returns an invalid charset
• Fixed a number of other issues causing the scanner to close unexpectedly
• Sensitive and Backup files were not being checked for in the site root
• Fixed issue with jquery version extractor
• Fixed 2 internally reported security issues
• Fixed issue with re-installation of Linux installations

Version 12 (Linux release build 12.0.181115088) – 15th November 2018

New Features

• Acunetix release for Linux
• Acunetix can now test APIs document using Swagger
• Deepscan has been updated to make use of Chromium
• Login Sequence Recorder has been updated to make use of Chromium

Version 12 (build 12.0.181012141) – 12th October 2018

New Vulnerability Checks

• New check for Content Security Policy (CSP) not implemented
• New check for Subresource Integrity (SRI not implemented
• New check for Node.js web application source code disclosure
• New check for Ghostscript RCE via file upload
• New check for Paperclip Server-Side Request Forgery (SSRF) via file upload (CVE-2017–0889)
• New check for WPEngine _wpeprivate/config.json information disclosure
• New check for Cross site scripting in HTTP-01 ACME challenge implementation
• New check for npm log file disclosure
• New check for PHP-CS-Fixer cache file disclosure
• Multiple new WordPress and Joomla vulnerability checks

Updates

• License keys can now be updated via the Acunetix web UI
• Additional memory improvements
• Improved exclusion of parameters
• Multiple updates to existing vulnerability checks
• Improved CORS origin validation failure checks
• Improved Pickle Serialization check

Fixes

• Manual Intervention was not working after a paused scan is resumed
• Scans for some sites using Digest HTTP Authentication were stopping unexpectedly
• Additional fixes for issues causing scans exiting unexpectedly
• Fixed issue causing many product update requests when proxy authentication is incorrectly configured
• Fixed: Some backup files / folders were not being identified
• Some vulnerabilities were incorrectly reported in the site root
• Fixed issue in similar page detection causing scans to take longer than expected
• Fixed issue causing valid sessions not to be identified correctly during the scan

Version 12 (build 12.0.180911134) – 11th September 2018

New Vulnerability Checks

• Added detection for Apache Struts Remote Code Execution (S2-057) (CVE-2018-11776)
• Added detection for URL rewrite vulnerability due to legacy header support (CVE-2018-14773)
• Added detection for Web Cache Poisoning
• Added detection of HTTP (non-SSL) origin accessing HTTPS resource
• Added detection of Yii2 Framework’s development extensions
• Added detection for Cross-Origin Resource Sharing (CORS) origin validation failure
• Added detection for Drupal Core Open Redirect
• Added detection for Python pickle serialization
• New AcuMonitor Test – Detection of Reverse Proxy Misrouting (SSRF)
• New AcuMonitor Test – Detection of Attacks on Auxiliary Systems (SSRF)
• New vulnerability checks for multiple WordPress plugins and Joomla Core

Updates

• Multiple updates to the SSL checks
• Various memory optimisations
• Less requests required to verify AcuMontior checks

Fixes

• Fixed bug in testing of cookie values
• Fixed memory issues, causing some scans to exit unexpectedly
• Fixed bug causing some scans to crash when paused and resumed
• Fixed issue causing some scans to be aborted immediately because of error status on initial response
• Fixed issue causing some locations to get omitted from site structure
• Multiple fixes to import file feature
• Fixed issue which caused DeepScan not to use all cookies
• Custom headers were added twice on redirect
• Fixed issue affecting some sites using SSO

Version 12 (build 12.0.180821106) – 22nd August 2018

New Vulnerability checks

• Detection of Liferay TunnelServlet Deserialization Remote Code Execution
• Detection of Liferay XMLRPC Blind SSRF
• Detection of older versions of Liferay
• Detection of publicly writable Amazon S3 Buckets
• Detection of Apache Shiro Deserialization RCE
• Detection of RichFaces EL Injection RCE
• Detection of Spring JSONP enabled by default in MappingJackson2JsonView (CVE-2018-11040)
• Detection of Spring Webflow SPEL RCE (CVE-2017-4971)
• Detection of Telerik Web UI Cryptographic Weakness
• Detection of Rails Sprockets Path Traversal Vulnerability (CVE-2018-3760)
• Detection of Tomcat path traversal via reverse proxy mapping
• New Vulnerability checks for WordPress and Drupal

Updates

• Reduced the number of requests required for Web Application Detection
• Improved the JSON and the Generic document parser
• Improved handling of non-responsive sites

Fixes

• Fixed a few infrequent crashes
• Fixed Malware link checking vulnerability test
• Fixed issue causing scan to be aborted on redirect to different FQDN for login
• Fixed issue causing Scan Comparison reports to fail
• Fixed issue causing the scanner not to crawl certain HTTPs sites correctly when using proxy

Version 12 (build 12.0.180801120) – 1st August 2018

Fixes

• Fixed the detection of some DOMXSS variants
• Fixed scanner crash

Version 12 (build 12.0.180725167) – 26th July 2018

New Features

• HTTP response is now shown for vulnerabilities detected (only affects new scans)
• Manual Intervention has been implemented in v12

New Vulnerability checks

• Added detection of Java Object Deserialization vulnerabilities
• Added detection for Cisco ASA Path Traversal (CVE-2018-0296)
• Added tests for misconfigured nginx aliases that can lead to a path traversal
• Added detection of Spring Security Authentication Bypass Vulnerability (CVE-2016-5007)
• Added detection of weak/insecure permissions for Atlassian Jira REST interface
• Added detection of Apache Tomcat Information Disclosure (CVE-2017-12616)
• Added detection of Spring Data REST Remote Code Execution (CVE-2017-8046)
• Added detection of Insecure Odoo Web Database Manager
• Added detection of JBoss Remote Code Execution (CVE-2015-7501 and CVE-2017-7504)
• Added detection of WebSphere Remote Code Execution (CVE-2015-7450)
• Updated WordPress Plugin vulnerability detection

Updates

• Password is no longer required when configuring client certificate for a Target
• Additional memory optimizations
• Scanner will now report when the LSR cannot login
• Application Error Message vulnerability check updated to provide more details on the error
• Reports, XML exports and WAF exports now use a more meaningful filename
• Reports now show the status of a scan
• Scan debug logs now include imported files
• Increase maximum number of issues trackers that can be configured

Fixes

• multiple crashes while scanning
• Scanner will now re-authenticate when website invalidates authentication during scan (applies to HTTP authentication only)
• Scanner sometimes fails to decode LSR output, leading to an unauthenticated scan
• Fixed many issues causing vulnerabilities not to be detected or to be detected incorrectly
• Two fixes affecting the setting of Cookies
• Fixed issue in RSS parsing
• Fields with certain characters in the name (such as $) were not being tested
• Some out of scope paths were still being crawled
• Fix in the Autologin
• Upon upgrade, user is asked to “Logout from Other Session”
• Target and Vulnerabilities reports were failing
• Recurrent scans for Standard licenses were being disabled
• some reports were generated without file extension

Version 12 (build 12.0.180709159) – 9th July 2018

New Features and Vulnerability tests

• Added vulnerability checks for the following WordPress plugins
  • WP Live Chat Support Pro Arbitrary File Upload (CVE-2018-12426)
  • wpShop Germany Free Arbitrary File Upload
  • Sitesassure WP Malware Scanner Cross-Site Scripting
  • Ultimate Member-User Profile & Membership Cross-Site Scripting (CVE-2018-13136)

Updates

• Scanner will automatically continue scanning when http redirects to https
• Improvement in memory usage
• Acunetix will now hand over DNS resolution to Proxy Server when configured
• Improved messaging during installation

Fixes

• Scanner crash in DeepScan
• Scanner hang when certain LSR files are used
• Incomplete scans in certain situations, such as when using import files

Version 12 (build 12.0.180628131) – 28th June 2018

New Features and Vulnerability tests

• New test for WordPress Arbitrary File Deletion Vulnerability described here and here (CVE-2018-12895)
• Added detection of vulnerabilities in the following wordpress plugins:
  • Advanced Order Export For WooCommerce (CVE-2018-11525)
  • WordPress Comments Import & Export (CVE-2018-11526)
  • iThemes Security (formerly Better WP Security) (CVE-2018-12636)
  • ChimpMate-WordPress MailChimp Assistant
  • FireDrum Email Marketing
• New test for Joomla! Core Local File Inclusion (CVE-2018-12712)
• New test for Joomla! Core Cross-Site Scripting (CVE-2018-12711)

Fixes

• Fixed issue with NTLM HTTP Authentication
• Fixed issue causing some pages not to load correctly in the LSR
• Fixed 2 false positives for “User controllable charset” and “User controllable script source”
• Fixed issue in handling HAR import files

Version 12 (build 12.0.180619111) – 19th June 2018

New Features and Vulnerability tests

• Spring Data Commons RCE via Spring Expression Language (SpEL) injection (CVE-2018-1273)
• Atlassian OAuth Plugin IconUriServlet SSRF, affecting multiple Atlassian products (CVE-2017-9506)
• WordPress REST API User Enumeration
• Django Debug Mode via DisallowedHost
• Tests for PHP-FPM (FastCGI Process Manager) Status Page
• Check for common test CGI scripts that are leaking environment variables
• Check Spring Boot Actuator information disclosure
• Check for RCE via Spring Boot WhiteLabel Error Page Spring Expression Language (SpEL)
• Atlassian Jira ManageFilters Information Disclosure

Fixes

• Crash dump was sometimes not being created

Version 12 (build 12.0.180615105) – 15th June 2018

Updates

• More improvements to Web Application Detection
• Reports not show if a scan has failed

Fixes

• Scanner was not parsing all AcuSensor data, causing some vulnerabilities not to be reported when AcuSensor is used
• Some reqeusts to HTTPs sites were being downgraded to HTTP

Version 12 (build 12.0.180611183) – 11th June 2018

New Features and Vulnerability tests

• Introduced system to automatically avoid testing similar pages
• New check for Oracle Weblogic WLS-WSAT Component Deserialization RCE affecting versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0 (CVE-2017-10271)
• New check for PHPUnit RCE affecting versions 4.8.28 and 5.x before 5.6.3 (CVE-2017-9841)
• New check for Edge Side Include Injection vulnerabilities
• New check for Dotenv (.env and variants) files
• New check for Joe Text Editor DEADJOE file
• New check for Symfony configuration file
• New check for Laravel (PHP framework) log files
• New check for publicly accessible backup directory in Drupal Backup Migrate

Updates

• Updated timeout and retries for HTTP requests done by some vulnerability checks
• Updated Web Application Detection checks to make less HTTP requests resulting in faster scans
• Various minor updates to the UI
• Improved parsing of robots.txt
• Improved detection of default index files
• Acunetix now shows the number of licensed Targets in the License section of the UI

Fixes

• Some addresses were not parsed correctly, resulting in incorrect paths
• Some addresses were not detected, resulting in missing paths
• Some paths where being detected incorrectly
• Scanner crash when allowed hosts are used
• Scanner crash when parsing some pages
• Scanner hang when crawling caused by DeepScan
• No links parsed from pages without Content-Type header
• Some vulnerability checks duplicated the query values
• Sitemap was always being detected
• Fixed validation issues in Security Settings > Account Lockout > Lockout timeout
• License checks was failing for some installations

Version 12 (build 12.0.180521161) – 22nd May 2018

Updates

• DeepScan has been updated to ignore images resulting in faster scans

Fixes

• Excluded paths not taken into consideration
• Parts of the scan were not using the Custom 404
• Some paths where not identified correctly

Version 12 (build 12.0.180517125) – 17th May 2018

New Features and Vulnerability tests

• Added new WordPress vulnerabilities checks
• Added tests for Drupal SA-CORE-2018-004 and Drupal SA-CORE-2018-002

Updates

• Updated detection of Drupal installations
• Changed to a more moderate definition of a Target for licensing purposes
• Number of Targets and Users configured are now shown in the UI > Licensing section
• UI now shows if the latest build is being used, and allows the user to check for updates manually

Fixes

• Multiple updates and fixes to the HTML parser
• Multiple updates and fixes to the Acunetix UI
• Auto-login was making unnecessary requests
• Some vulnerabilities were showing ‘null’ URL
• Data from AcuSensor was not being interpreted correctly
• Account lockout settings were not being saved
• Fix in the scanner which was making some vulnerability checks not to work
• Some vulnerability checks making unnecessary requests
• Some vulnerability details where not being encoded correctly
• Custom 404 detection was not working
• Fix in AcuMonitor affecting some tests
• DeepScan was not interpreting correctly paths containing a dot

Version 12 (build 12.0.180509176) – 10th May 2018

New Features

• New faster Engine
• Scans can now be Paused and Resumed
• Targets can be imported from CSV
• New JAVA AcuSensor
• Support for latest JavaScript (ES6 and ES7) in DeepScan and Login Sequence Recorder
• Configurable Password Policies including Password History, Auto Password Expiry and Account Lockout
• 2 Factor Authentication in the Acunetix UI
• Exclude what to scan directly from Crawl results or previous scans

Updates and Fixes

• Too many to enumerate
• Multiple updates to the vulnerability checks

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10