Acunetix Premium Release Notes

v13.0.200715111 - 15 Jul 2020

Copy Link Copy Link

Version 13 (build 13.0.200715111 for Windows, Linux and build 13.0.200715153 for macOS) 15th July 2020

New Features

Acunetix on premise is now available for macOS

New Vulnerability Checks

New test for F5 BIG-IP Traffic Management User Interface (TMUI) RCE [CVE-2020-5902]
New test for Composer installed.json publicly accessible
New test for Symfony debug mode enabled
New test for Symfony Profiler open
New test for Directory Traversal with spring-cloud-config-server [CVE-2020-5410]
New test for Grafana avatar SSRF [CVE-2020-13379]
New test for rack-mini-profiler environment variables disclosure
New test for Telerik Web UI RadAsyncUpload Deserialization [CVE-2019-18935]

Updates

Improved UI messages when scans cannot start due to Manual Intervention
Updated interpretation and generation of XML requests / responses
New Scanning profile for High and Medium Vulnerabilities
Target Description is now available on the Scans page
Incremental Scans initiated by Jenkins plugin are correctly labelled as incremental
A number of improvements in JavaScript Libraries Audit

Fixes

Fixed issue caused when configuring Gitlab issue tracker with Impersonation Token
Fixed issue causing filter not to be available for Standard licenses
Fixed Malware Scan profile to include checks for malware links
Fixed resource allocation issue, causing scans to end unexpectedly
Comprehensive Report was incorrectly showing High Severity Threat level
Fixed issue affecting the CVSS score calculation of some vulnerabilities

v13.0.200624118 - 24 Jun 2020

Copy Link Copy Link

Version 13 (build 13.0.200624118 – Windows and Linux) 24th June 2020

New Features

Introduced support for GraphQL
Introduced support for OAuth2.0
GraphQL files can be used as Import Files
New Comprehensive Report, which includes the HTTP Response in the HTML version of the report
HTTP Response uses syntax highlighting for improved readability
Scans can now be restricted to paths/locations in import files
User can choose which columns to show in all the Acunetix lists
UI saves columns selected for each page / user (applies to Targets, Vulnerabilities, Scans and Reports)
UI saves number of items to show on each page / user (applies to Targets, Vulnerabilities, Scans and Reports)
UI saves sorting order for each page / user (applies to Targets, Vulnerabilities, Scans and Reports)

New Vulnerability Checks

New check for vBulletin 5.6.1 (and earlier) nodeId SQL injection
New check for Cmd hijack vulnerability
New check for PHP opcache-gui publicly accessible
New check for Laravel debug mode enabled
New check for Laravel Health Monitor publicly accessible
New check for Laravel Health Horizon publicly accessible
New check for Laravel Health LogViewer publicly accessible
New check for Laravel Health Telescope publicly accessible
New check for Laravel Ignition Reflected Cross-Site Scripting
New check for Laravel framework weak secret key
New check for HTML Attribute Injection
New check for Clockwork PHP dev tool enabled
New check for PHP Debug Bar enabled
New check for Broken Link Hijacking
New checks for Cookie misconfigurations leading to security issues
New vulnerabilities for WordPress Core, WordPress plugins, Joomla and Drupal

Updates

Targets with Manual Intervention cannot have a Business Logic Recording
Changed vulnerability name filter to use search as you type
Scans will start reporting pages that require HTTP Authentication
Acunetix UI notifications have been changed as follows:
- Moved to bottom right of Acunetix UI
- Stay longer on the page
- Can be closed by the user
Increased name length limit of import files to 128 characters
User can optionally specify the address to be used for Auto-login. This is useful for SSO login pages
The scanner will try to connect to the address of the target before aborting the scan after 25 consecutive network errors
Targets can be deleted and replaced on the license anniversary

Fixes

Fixed: The vulnerability name filter did not always show all vulnerabilities
Fixed incorrect error handling message when disabling the proxy settings
Hide Business Logic Recorder for Network Only targets
Fixed: Acunetix Online was showing an ID as the name of some network vulnerabilities
Fixed: Acunetix Online was not always showing the HTTP Response for some vulnerabilities
Fixed: Acunetix Online was not showing the number of licensed Targets
Fixed issue causing paths of ignored files to be ignored too
Fixed LSR issue on Safari browser
Fixed issue caused when the LSR and BLR are used on certain sites
Various minor fixes to the UI
Fixed false positives in over 25 vulnerability checks

v13.0.200519155 - 20 May 2020

Copy Link Copy Link

Version 13 (build 13.0.200519155 – Windows and Linux) 20th May 2020

Updates

Vulnerabilities filter shows correct sorting
User can now test notification settings
List of Licensed Targets can now be accessed from user profile page

Fixes

Fixed issue when using the Login Sequence Recorder remotely
ConsultLite licenses were being shown as Standard
Some vulnerabilities were not displayed correctly in Azure Devops Services

v13.0.200508159 - 11 May 2020

Copy Link Copy Link

Version 13 (build 13.0.200508159 – Windows and Linux) 11th May 2020

New Features

Business Logic Recorder – used to record logic used in multi-step forms
Export to Citrix WAF
Support for Azure DevOps Services issue tracker
CVSS3.1 score for most Acunetix vulnerabilities
Targets can now be exported to CSV
New Graph in Dashboard showing Average vulnerabilities per Target

New Vulnerability Checks

New check for Server-Side Template Injection (SSTI) in ASP.NET Razor
New check for Oracle BI AMF Deserialization RCE (CVE-2020-2950)
New check for Possible Cross Site Scripting via jquery.htmlPrefilter() (CVE-2020-11023)
New check for Stored XSS in WP theme Onetone (CVE-2019-17230 and CVE-2019-17231)
Updated detection of phpinfo pages
New checks in WordPress Core and WordPress plugins
New checks for default credentials in over 65 web applications

Updates

Manual Intervention (used for CAPTCHAs, OTP etc) is now using the integrated (web-based) LSR
As a result of the previous update, Manual Intervention is now available on Linux
Improved error reporting for network scans aborted due to network errors
Vulnerability alerts updated to show important information at the top
Updated Github issue tracker to support Personal Access Token (PAT) authentication
Improved reporting of Paused scans in the UI
Improved UI message user triggers a scan which is not allowed due to Manual Intervention
API documentation can now be downloaded from within the Acunetix UI
Added support for popup windows in the Login Sequence Recorder
Improved handling of large import files
Improved handling large requests / responses generated from import files
Decreased false positives reported for Possible username or password disclosure
Truncated large vulnerability alerts when sending to Jira issue tracker

Fixes

Fixed incorrect from email address used for monthly update emails
Fixed AcuMonitor UI notification to link to corresponding vulnerability
Fixed issue causing vulnerability checks to not be able to send empty values
Fixed a number of crashes
Fixed issue causing ASP.NET sites to be processed as ASP sites
Fixed 2 issues caused when using Swagger import files
Improved handling of txt import files using incorrect import format
Fixed Session Fixation false positive
Fixed UI issue when configuring Custom Cookies
Trend charts where not being updated for user accounts
Fixed issue in excluded hours
Fixed “Client Certificate Not Set” message incorrectly being reported

v13.0.200409107 - 09 Apr 2020

Copy Link Copy Link

Version 13 (build 13.0.200409107 – Windows and Linux) 9th April 2020

New Vulnerability Checks

New check to warn user if server sends known password to client
New check for RCE in Liferay Portal (CVE-2020-7961)

Updates

Improved detection of SQL Injection

Fixes

Fixed bbcode display issue in some alerts
Fix in Login page password-guessing attack
Fixed licensing issue caused by different case in Target address

v13.0.200401171 - 02 Apr 2020

Copy Link Copy Link

Version 13 (build 13.0.200401171 - Windows and Linux) 2nd April 2020

New Vulnerability Checks

New WordPress plugin checks

Updates

Improved XXE check
Improved internal IP disclosure check
Vulnerabilities detected with 100% Confidence get a Verified stamp

Fixes

Fixed issue with response highlighting for SQL Injection alerts
Fixed AcuMonitor alert notifications not linking to scan
Fixed page not found UI issue when trying to generate a report from Reports page
Fixed issue with scanner looping when parsing specific long JSON responses

v13.0.200326097 - 26 Mar 2020

Copy Link Copy Link

Version 13 (build 13.0.200326097 - Windows and Linux) 26th March 2020

New Features

Introduced support for processing of Swagger 2.0 files during scans
Introduced support for Swagger 2.0 files as import files
New Quarterly scheduled scan option
Users can change their password from the Acunetix UI

New Vulnerability Checks

New check for Weak key used to sign cookie in Play framework
JavaScript Library Audit now supports TinyMCE
New check for BigIP iRule command injection
New check for XSS in .NET session in URL
New check for Remote Code Execution (RCE) in Ruby on Rails (CVE-2019-5420)
New Check for Oracle E-Business Suite Deserialisation RCE
New Check for Oracle E-Business Suite SSRF (CVE-2017-10246)
New Check for Oracle E-Business Suite SSRF (CVE-2018-3167)
New Check for Oracle E-Business Suite SQL Injection (CVE-2017-3549)
New checks for WordPress Core and plugins, Joomla and Drupal

Updates

Minor UI updates
Better reporting of scans interrupted due to network errors
Client Certificate address can now be configured for a Target
HTTP Authentication address can now be configured for a Target
Abort Scan after 25 network errors
Implemented Proof of Exploit for Blind SQL Injection vulnerabilities
Improved showing Scan Duration for long scans
Acunetix can be installed in custom paths
Scan email notifications will include a PDF report if requested at start of scan
Email notifications can be configured for:
- Product updates
- Target notifications
- Scan notifications
- Report notifications
- Monthly status updates

Fixes

Fixed: On Reports page, Target address shows as N/A for Targets that do not have a Description
Fixed issue uploading import files larger than 1mb
Fixed issue whereby some addresses had missing a character in the report
Fixed false positive in Possible server path disclosure
Fixed issue causing the scanner to not following multiple redirects
Fixed 2 scanner crashes
Multiple fixes in WADL parser
Fixed: Case Sensitive Paths settings was sometimes not being taken into consideration
Fixed issue in Possible Sensitive Directories identifying incorrect locations
Fixed issue for users with expired passwords not given the option to change their password

v13.0.200205121 - 05 Feb 2020

Copy Link Copy Link

Version 13 (build 13.0.200205121 - Windows and Linux) 5th February 2020

New Features

New Acunetix web UI
Improved Network Scanner integration
Malware Detection using Windows Defender on Windows and ClamAv on Linux
Smart Scan
New scanning algorithm prioritises scanning tasks and reduces scanning time
Proof of exploit is reported in the vulnerability alerts
Incremental Scans
Vulnerability Confidence Rating for web vulnerabilities
New GitLab Issue Tracker Integration
New Bugzilla Issue Tracker Integration
New Mantis Issue Tracker Integration
Ability to create Login Sequence from Selenium script
New WADL import file
New ASP.NET Webforms import file
New Postman import file
New Paros import file
Ability to create custom checks
Highlighting of vulnerability in HTTP response
DeepScan provides better support for Angular 2, Vue and React JavaScript Frameworks
Unlimited network scanning for Acunetix Premium customers
Account Session Timeout settings
Account Maximum Consecutive Login Failure settings

New Vulnerability Checks

New check for publicly accessible Bitrix server test script
New check for publicly accessible NGINX+ dashboard
New check for unrestricted access to NGINX+ API endpoints
New check for outdated TLS version
New check for Citrix Netscaler Unauthenticated Remote Code Execution (CVE-2019-19781)
New check for Kentico CMS Deserialization RCE
New check for Cross site scripting via Bootstrap
New check for Django weak secret key
New check for Oracle Weblogic T3 XXE (CVE-2019-2888)
New check for leakage of API keys
New check for JWT weak secret key
New check for JWT none algorithm
New check for publicly exposed .NET HTTP Remoting
New check for .NET BinaryFormatter Object Deseralization vulnerabilities
New check for Apache Solr Parameter Injection
New check for Ruby framework weak secret key
New check for Tornado weak secret key
New check for BottlePy weak secret key
New WordPress Core and plugin vulnerability checks
New Joomla Core vulnerability checks
New Drupal Core vulnerability checks

Updates

Improved memory consumption for the scanner
PDF reports now have page numbers
Generic User-agent will be used for communication with issue trackers
All lists in Acunetix UI can be sorted
Easier filtering options in the Acunetix UI
Settings can now be accessed from the side-bar
Links discovered by AcuSensor are given more prominence
Improved processing of XML and JSON POST input schemes
Scanner will try to replay the LSR playback actions a number of times before failing
Improved Auto-Login
Multiple updates in the Login Sequence Recorder
Developer report updated to include Source file, line number and other details provided by AcuSensor
Acunetix now supports scanning domains with international characters
Increase page size limit to 20Mb in scanner and LSR
Improved detection of Possible Sensitive Files
Improved detection of email addresses
Improved detection of Command Injection
Improved detection of database backup files
Improved detection of XXE

Fixes

Fixed issue in Developer report showing incorrect parameter name for detected vulnerabilities
Fixed: “Tester” user role will not be able to create reports
upgrades on Linux were not removing all files from previous installation
Fixed issue with Manual Intervention
Fixed: Session cookies where not always collected by LSR
Fixed: Incorrect processing of URLs with “{” character
Fixed a number of crashes in scanner
Fixed issue causing scanner proxy to unintentionally transform parts of the HTTP request
Fixed false positive in the detection of Apache Tomcat Remote Code Execution
Fixed issues causing some links not to be properly imported by the importer
Fixed issue with license activation when proxy and authentication is used
Fixed issue causing session to get lost when Deepscan is used

v12.0.191121158 - 25 Nov 2019

Copy Link Copy Link

Version 12 (build 12.0.191121158 - Windows and Linux) 25th November 2019

New Features

New scanning algorithm resulting in faster scans
Scanner will give higher priority to locations which are dissimilar to ones that have already been scanned
JAVA AcuSensor now supports JAVA Spring Framework

New Vulnerability Checks

New check for Ruby on Rails Code Injection
New check for Perl Code Injection
AcuMonitor can now detect OOB PHP evaluation of user input
New check for Prototype Pollution
New check for Blind XSS via CSP report-uri
New check for Jira Unauthorized SSRF via REST API
New check for Apache Tapestry weak secret key
New check for Oracle PeopleSoft SSO weak secret key
New check for Yii2 weak secret key
New check for Web2py weak secret key
New check for Golang runtime profiling data
New check for Adminer 4.6.2 file disclosure vulnerability
New check for Apache mod_rewrite open redirect (CVE-2019-10098)
New check for Flask weak secret key
New check for Express express-session weak secret key
New check for vBulletin 5.x 0day pre-auth RCE
New check for Argument Injection

Updates

Deepscan is now caching static assets. This will result in faster scans
Improved memory consumption by the scanner
Improved processing of forms and form handling
Improved detection of paths
Scanner will now process commented out html
Updated command injection payloads

Fixes

Fixed scanner crash
Fixed WAF detection false positive
Fixed: Check for Sensitive files was accessing restricted links
Fixed issue causing scanner to multi-line session validation pattern
Fixed: Some locations where incorrectly detected by DeepScan
Fixed issue causing integrated LSR to close due to Ad blocking
Fixed issue with HAR import files
Fixed issue in the detection of Weak authentication credentials
Fixed issue affecting the detection of DOM XSS vulnerabilities
Fixed issue in the detection of possible username and password disclosure
Fixed issue with recording restricted links in Internet Explorer
Fixed: Tech Admin can now configure the engine to be used for a Target
Fixed issue affecting scanning of domains with international characters

Acunetix Standard & Premium

New Features

New Vulnerability Checks

Updates

Fixes

New Features

New Vulnerability Checks

Updates

Fixes

Updates

Fixes

New Features

New Vulnerability Checks

Updates

Fixes

New Vulnerability Checks

Updates

Fixes

New Vulnerability Checks

Updates

Fixes

New Features

New Vulnerability Checks

Updates

Fixes

New Features

New Vulnerability Checks

Updates

Fixes

New Features

New Vulnerability Checks

Updates

Fixes