v14.4.210816098 - 16 Aug 2021
Version 14 build 14.4.210816098 for Windows, Linux and macOS – 16th August 2021
New Features
- Pre-request script support
- New Log Data Retention options
New Vulnerability Checks
- New check for Oracle E-Business Suite Information Disclosure
- New check for Alibaba Nacos Authentication Bypass (CVE-2021-29441)
- New check for Gitlab CI Lint SSRF
- New check for Gitlab open user registration
- New check for Gitlab user disclosure via graphql endpoint
- New check for Bitrix galleries_recalc.php XSS
- New check for Bitrix open redirect
- New check for Jetty ConcatServlet Information Disclosure (CVE-2021-28164)
- New check for Jenkins open user registration
- New check for Open Mikrotik stats
- New check for Open Nuster stats
- New check for RethinkDB administrative interface publicly exposed
- New check for spring-boot-actuator-logview Path Traversal
- New check for Hasura GraphQL API without authentication
- New check for ForgeRock OpenAM Deserialization RCE (CVE-2021-29156)
- New check for BuddyPress REST API Privilege Escalation
- New check for Grandnode Path Traversal (CVE-2019-12276)
- New check for SearchBlox Local File Inclusion (CVE-2020-35580)
- New check for Zimbra Collaboration Suite SSRF (CVE-2020-7796)
- New check for Ghost CMS Theme Preview XSS (CVE-2021-29484)
- New check for qdPM Information Disclosure
- New checks for vulnerabilities in WordPress Plugins
Updates
- Max items shown per page can now be configured
- Updated Deepscan to process hashes in URLs
- Updated Chromium to v92.0.4512.0
- Updated CSV export to include text only details
- JavaScript Library Audit now supports merged JavaScript files
- Added support for dev tools in standalone LSR
- Multiple UI updates
- Multiple LSR updates
- Target knowledgebase will now be reset when Target settings are changed
- Updated Selenium import to support selectFrame
- Updated OWASP Top 10 report to include CVSS score
- Updated Compliance report to include CWE
- Added option to enable debuglogs for all Targets
- Optimisations to the Java and Node.js AcuSensors
- Improved support for Hapi framework in Node.js AcuSensor
- Add support for find-my-way HTTP router in Node.js AcuSensor
- Improved ionCube Loader-wizard information disclosure check
- Improved cache poisoning DOS checks
- Improved detection of Apache Struts2 Remote Command Execution (S2-052)
- Improved detection of Directory Traversal vulnerabilities
- Added option to skip testing of login form configured for the Target
- Improved handling of Custom 404 pages
Fixes
- Fixed multiple crashes in the scanner
- Fixed issue causing some requests to be done to restricted links
- Addressed multiple Deepscan issues
- Paused scans can now be Aborted
- Fixed XPath Injection false positive
- Fixed Bitrix Open Redirect false positive
- Fixed Spring Boot Actuator false negative
- Fixed issue in .NET Sensor Manager not showing buttons on lower resolutions