Acunetix Premium Release Notes

v13.0.210129162 - 02 Feb 2021

Copy Link Copy Link

Version 13 build 13.0.210129162 for Windows, Linux and macOS – 2nd February 2021

New Features

New AcuSensor for Node.js
New Target Knowledgebase records scan data which is used to improve future scans
New FQDN and Target filter in Grouped Vulnerabilities page
New FQDN column in Targets page

New Vulnerability Checks

New test for Unrestricted access to Prometheus Interface
New test for Unrestricted access to Prometheus Metrics
New test for Unrestricted access to Golang expvar
New test for Unrestricted access to Node.js status-monitor page
New test for Unrestricted access to HAProxy stats page
New test for Unrestricted access to Nginx stub_status page
New test for Unrestricted access to Nginx nginx-module-vts status page
New test for Unrestricted access to Traefik Dashboard
New test for Unrestricted access to Kafka monitoring
New test for Unrestricted access to Netdata Dashboard
New test for Typo3 Admin publicly accessible
New test for Typo3 sensitive files
Updated WordPress Plugin checks
Updated Drupal core checks

Updates

Simplified User Profile page
Improved handing of HTML comments
Improved processing of sites using dynamic links
Improved parsing of JavaScript for new paths
Form input type is taken into consideration when processing forms
Scanner now supports NTLM Authentication for proxy authentication
multiple DeepScan updates
Comprehensive report updated to use time zone configured for Acunetix user
Added setting in settings.xml to choose which SSL cipher to be used by the scanner
Integrated LSR logs are now stored for troubleshooting purposes
Notify user when client certificate is required but not configured for Target
Improvements in MAC installation
PHP AcuSensor will start including Stack Trace
Multiple LSR / BLR updates

Fixes

Filter items sorted alphabetically
Fixed minor UI glitch in multi-engine registration page
Multiple fixes in SlowLoris detection
Fixed scanner crashes
Fixed CSV injection in Target Export
Fixed UI issues in Target Groups page
Fixed formatting for issues pushed to Jira
Fixed issue when installing on Centos8

v13.0.201217092 - 17 Dec 2020

Copy Link Copy Link

Version 13 build 13.0.201217092 for Windows, Linux and macOS - 17th December 2020

New Features

Big improvement in handling of CSRF tokens
Added support for ShadowRoot
Added support for MacOS Big Sur

New Vulnerability Checks

New test for Zabbix authentication bypass / guest user
New test for Typo3 Admin publicly accessible
New test for Typo3 debug mode enabled
New test for Oracle WebLogic Remote Code Execution via IIOP
New test for Web Cache Poisoning DoS
New test for client-side prototype pollution
Improved web cache poisoning test
New test for SAP IGS XXE (CVE-2018-2392, CVE-2018-2393)
New test for Odoo LFI (CVE-2019-14322)
New test for Unrestricted access to Odoo DB manager
New test for Apache Unomi MVEL RCE (CVE-2020-13942)

Updates

Updated the UI for the multi-engine system
Multiple updates to the PHP AcuSensor
Multiple updates to the Login Sequence Recorder
Scanning engine updated to support using proxy server with NTLM Authentication

Fixes

Fixed issue causing the browser to fail to launch on Kali
Fixed issue causing AcuSensor not found message to not be displayed
Fixed false positive in Zend Framework LFI via XXE
Fixed false positive in Directory Traversal
Fixed false positive in Cookie(s) with missing, inconsistent, or contradictory properties
Fixed false positive in Apache Struts2 Remote Command Execution (S2-052)
Fixed issue in highlighting of vulnerability in response
Fixed issue with Slow Loris
Fixed issue in WADL importer
Fixed crash in scanner
Fixed minor issues in Comprehensive Report
Fixed issue causing Acunetix to lose license information

v13.0.201126145 - 27 Nov 2020

Copy Link Copy Link

Version 13 build 13.0.201126145 for Windows / Linux and 13.0.201126157 for macOS - 27th November 2020

New Features

New user role: Platform Admin, provides full access to Acunetix

Updates

Network Settings can now be confirmed using the new Check Settings button
Management of Targets by Tech Admin role can now be selectively turned off

Fixes

Fixed issue causing inability to access last continuous failed scan
Fixed UI issues causing inability to add targets to target group when target list is filtered
Acunetix is now correctly reporting progress for Network Scans
UI updated to hide specific options for the different Acunetix user roles

v13.0.201112128 - 12 Nov 2020

Copy Link Copy Link

Version 13 (build 13.0.201112128 for Windows / Linux / macOS) 12 November 2020

Updates

Updated Telerik vulnerability checks
The Tech Admin user role can now create new Targets
Renamed acu_phpaspect.php to acusensor.php
Updated Comprehensive report to indicate Verified vulnerabilities
Logon Banner now supports multi-line banners

Fixes

Fixed issue in SlowLoris vulnerability check
Fixed issue LSR hang caused when closing the LSR immediately after opening it
Fixed scan hanging issue
Fixed a couple of issues in the CSV export
Fixed issue causing incorrect threat level in Comprehensive report
Fixed false positives in Outdated JS libraries and Insecure Referrer Policy checks
Fixed UI issue with long target name causing buttons to be hidden
Fixed issue causing double input schemes
Fixed crash in scanner
Fixed issue causing vulnerability count in Dashboard to not always be updated

v13.0.201028153 - 29 Oct 2020

Copy Link Copy Link

Version 13 (build 13.0.201028153 for Windows / Linux and build 13.0.201028161 for macOS) 29th October 2020

New Features

Logon Banner can be configured for Acunetix logon page (satisfies DOD Notice and Consent Banner requirement)
Added ability to export vulnerabilities to CSV (available as WAF Export option)
Added ability to export scan locations to CSV (available as WAF Export option)

New Vulnerability Checks

New check for JavaScript Source map detected
New check for Unauthenticated Remote Code Execution via JSONWS in Liferay 6.1 (LPS-88051)
New check for Oracle WebLogic Server unauthenticated remote code execution (CVE-2020-14882)
Updated WordPress plugin checks

Updates

Improved handling of Swagger
The scanner will try to detect differences in the site using different user-agents
Various minor UI updates
Added Scan Profile used in Scan results
Business Logic Recorder cannot be used on Targets which require Manual Intervention
Updated Jira issue tracker
Improved error shown when checking for updates fails
Updated import file feature to support files using BOM
Comprehensive report tags vulnerabilities detected by AcuSensor and AcuMonitor

Fixes

Fixed issue causing multi-line session detection not to be used during scan
Updated Jira issue tracker to use proxy server if configured
Fixed issue causing gzip encoded body of HTTP responses to become invalidated
Fixed: Printing the Coverage report would not print the sitemap in the report
Fixed issue causing some login forms not to be detected during the scan
Fixed timing issue when scheduling a scan for a future date
Fixed scanner crashes caused by specific import files
Fixed issue causing DeepScan not to be used on Kali Linux
Fixed false positive in Zend Framework LFI via XXE
Fixed issue causing some scans to fail because of the client certificate
Fixed issue causing LSR playback to fail for some scans
Fixed issue in New Scan dialog for Tech Admin users

v13.0.200930102 - 30 Sep 2020

Copy Link Copy Link

Version 13 (build 13.0.200930102 for Windows, Linux and macOS) 30th September 2020

New Features

Export Scans to JSON (available as WAF Export option)
Added context-sensitive help for all pages in the UI. Clicking on the ? icon will open documentation for the specific page

New Vulnerability Checks

New test for Apache OFBiz XMLRPC Deserialization RCE (CVE-2020-9496)
New test for No HTTP Redirection
Numerous tests related to TLS / SSL, including:
- Added support for 200 new cipher suites, bringing the total number of supported cipher suites to 360
- New test for TLS/SSL Diffie-Hellman Key Reuse (prerequisite for Raccoon Attack)
- New test for TLS/SSL LOGJAM attack (CVE-2015-4000)
- New test for TLS/SSL Sweet32 attack (CVE-2016-2183 and CVE-2016-6329
- Alert if server offers cipher suites with symmetric encryption key length <128
- Alert if server offers cipher suites using symmetric encryption algorithms RC2, DES (insecure), IDEA
- Alert if server offers cipher suites using ANON, NULL, SHA-1 for authentication
- Alert if server offers cipher suites using MD5 for HMAC
New vulnerability checks for WordPress plugins and Drupal core

Updates

Numerous updates to the UI
Malware scan profile updated to check for Trojans
Scanner updated to receive newly discovered hosts from vulnerability checks
Updated Swagger 2 implementation to better cater for nested schemes/objects
Updated deduplication to better cater for network scans / vulnerabilities
Adaptive ciphersuite testing, reduces the average SSL/TLS scan duration by 90%

Fixes

Fixed issue where no data was shown for archived scans
Fixed some minor issues with default filters
Fixed issue showing wrong Target count in license page
Fixed UI issue affecting Custom Scan Profiles
Fixed Possible Sensitive Files / Folders to use the Case Sensitive Paths setting for the Target
Fixed issue in Reverse Proxy Detection check

v13.0.200911154 - 14 Sep 2020

Copy Link Copy Link

Version 13 (build 13.0.200911154 for Windows and Linux and build 13.0.200911171 for macOS) 14th September 2020

New Features

New Data Retention settings, providing the ability to:
- Keep the last 3 scans for each target and archive previous scans
- Delete archived scans which are older than 2 years
- The above data retention settings are configurable
- The above settings affect vulnerabilities detected, which are archived / deleted accordingly
A default scan profile can be configured for each target
Forgot Password option for Acunetix On premise, allowing users to reset their password – Email settings need to be configured
Detect paths in JavaScript code via static method analysis
Ability to retrieve links from several HTTP headers
Scanner will try to auto-discover API definitions

New Vulnerability Checks

New check for SAP NetWeaver RECON (CVE-2020-6287)
New check for DNN (DotNetNuke) CMS Cookie Deserialization RCE (CVE-2017-9822)
New check for Insecure Referrer Policy
New check for Remote code execution of user-provided local names in Rails
New check for Cisco Adaptive Security Appliance (ASA) Path Traversal (CVE-2020-3452)
New check for Total.js Directory Traversal (CVE-2019-8903)
New check for Envoy Metadata disclosure
New checks for WordPress Core / Plugins / Themes, Drupal and Joomla vulnerabilities

Updates

Vulnerabilities are now shown as grouped by Vulnerability Type and FQDNs
Numerous improvements affecting vulnerability deduplication
Deleted Targets will not be showing in the UI by default
Malicious links detected will be highlighted in the vulnerability report
Ability to scan all Targets in a Target Group
Improved Swagger support implementation
Updated backup files/folders and possible sensitive files checks to report alerts on parent of file detected
Time zone can now be configured by each user account
User accounts can now change UI to Chinese
.NET Sensor updated to support .NET Core
Updated Session Fixation vulnerability check to avoid possible False Positives
Updated to Chromium v83

Fixes

Fixed issue with offline activation
Fixed a few crashes occurring on specific sites
Fixed issue affecting AcuMonitor when scanning certain sites
Various small UI fixes
Fixed Target Deletion issue for Consult licenses
Fixed: PDF report generation was failing in specific situations
Fixed issue causing HTTP requests passing through a proxy to fail
Fixed issue affecting relative HTTP redirects
Fixed issue causing Manual Intervention not to work on Linux
Fixed issue causing DeepScan to miss some DOMXSS vulnerabilities
Fixed text overlapping issue in reports
Fixed issue causing Telerik Web UI RadAsyncUpload Deserialization (CVE-2019-18935) to not always be detected
Fixed: ‘HTTP Strict Transport Security (HSTS) not implemented’ and ‘HTTP Strict Transport Security (HSTS) Best Practices’ where using the same name
Fixed: Sensitive files / directories checks were missing Attack details
Fixed issue caused when sorting scans by target description
fixed a few issues in the Login Sequence Recorder and Business Logic Recorder

v13.0.200807155 - 07 Aug 2020

Copy Link Copy Link

Version 13 (Windows / Linux: 13.0.200807155, macOS: 13.0.200807156) 7th August 2020

New Features

Acunetix is now available in Simplified Chinese
Path Fragments are now shown in the site structure

New Vulnerability Checks

New check for Insecure Inline Frames
New check for Remote code execution of user-provided local names in Rails
New check for SAP NetWeaver RECON auth bypass vulnerability
New check for H2 console publicly accessible
New check for PHP version disclosure
New check for Atlassian JIRA ServiceDesk misconfiguration
New test for Jolokia XML External Entity (XXE) vulnerability
New checks for WordPress core, WordPress themes, WordPress plugins, Joomla and Drupal

Updates

Created and Last Updated dates are available for vulnerabilities
Order of section in Comparison report updated to be more intuitive
Target Address is shown in full in the UI
/users/ endpoint is now available in the API

Fixes

Fixed issue when exporting vulnerabilities to WAF which contained CVSS3.1
Fixed issue causing custom user-agent to not be used in all requests during a scan
Fixed issues causing some vulnerabilities not to be well formatted when sent to JIRA issue tracker
Fixed issue when adding JIRA Issue Tracker in Acunetix Online
Fixed issue caused when adding Targets to an existing Target Group
Minor fix in Comprehensive report text
Fixed UI issue showing blank list (Scans, Targets etc) when using the browser’s back button
Fixed issue caused by scanning Targets with complex GraphQL schemas

v13.0.200715111 - 15 Jul 2020

Copy Link Copy Link

Version 13 (build 13.0.200715111 for Windows, Linux and build 13.0.200715153 for macOS) 15th July 2020

New Features

Acunetix on premise is now available for macOS

New Vulnerability Checks

New test for F5 BIG-IP Traffic Management User Interface (TMUI) RCE [CVE-2020-5902]
New test for Composer installed.json publicly accessible
New test for Symfony debug mode enabled
New test for Symfony Profiler open
New test for Directory Traversal with spring-cloud-config-server [CVE-2020-5410]
New test for Grafana avatar SSRF [CVE-2020-13379]
New test for rack-mini-profiler environment variables disclosure
New test for Telerik Web UI RadAsyncUpload Deserialization [CVE-2019-18935]

Updates

Improved UI messages when scans cannot start due to Manual Intervention
Updated interpretation and generation of XML requests / responses
New Scanning profile for High and Medium Vulnerabilities
Target Description is now available on the Scans page
Incremental Scans initiated by Jenkins plugin are correctly labelled as incremental
A number of improvements in JavaScript Libraries Audit

Fixes

Fixed issue caused when configuring Gitlab issue tracker with Impersonation Token
Fixed issue causing filter not to be available for Standard licenses
Fixed Malware Scan profile to include checks for malware links
Fixed resource allocation issue, causing scans to end unexpectedly
Comprehensive Report was incorrectly showing High Severity Threat level
Fixed issue affecting the CVSS score calculation of some vulnerabilities

Acunetix Standard & Premium

New Features

New Vulnerability Checks

Updates

Fixes

New Features

New Vulnerability Checks

Updates

Fixes

New Features

Updates

Fixes

Updates

Fixes

New Features

New Vulnerability Checks

Updates

Fixes

New Features

New Vulnerability Checks

Updates

Fixes

New Features

New Vulnerability Checks

Updates

Fixes

New Features

New Vulnerability Checks

Updates

Fixes

New Features

New Vulnerability Checks

Updates

Fixes