Acunetix Build History

Version 11 (build 11.0.173271618) – 24th November 2017

New Features

• Added new OWASP Top Ten 2017 report

Fixes

• Fixed: DeepScan was processing ignored scripts

Version 11 (build 11.0.173131028) – 9th November 2017

New Features and Vulnerability Tests

• Added support for Selenium scripts as Target Import files
• Introduced various vulnerability checks for CMS Made Simple including:
  • PHP Remote File Inclusion (RFI) in version 0.10 (CVE-2005-2846)
  • SQL Injection in version 1.0.5 and earlier (CVE-2007-2473)
  • Directory Traversal in version 1.8.1 and earlier (CVE-2010-2797)
  • Web Server Cache Poisoning in versions 2.1.3 and earlier and 1.12.2 and earlier (CVE-2016-2784)
  • Cross Site Request Forgery (CSRF) in version 2.1.6 and earlier (CVE-2016-7904)
  • Cross Site Scripting (XSS) in version 2.1.6 and earlier (CVE-2017-6555)
  • Cross Site Scripting (XSS) in version 2.1.6 (CVE-2017-6556)
  • Local File Inclusion in version 2.1.6 and earlier

Improvements

• Various minor UI updates
• Improved handling of aborted scans for Targets with Continuous scanning enabled
• Increased Custom Cookie size limit from 512 bytes to 10Kb (2Kb for Acunetix Online)
• Added new email templates
• Email notification now indicates if a scan has failed
• Multiple minor updates to the reports
• Updated the Error Message script to show full JAVA error messages
• Tech Admin role can now create and alter Scan types.

Fixes

• Scan Comparison was incorrectly switching the order of the scans
• Scan Comparison was incorrectly comparing with Allowed host
• Fixed bug in the licensed user limit
• Fixed bug causing scans to fail when the LSR contains Unicode characters
• Multiple fixes in XML export
• Multiple fixes in F5 WAF rules export
• Fixed 2 minor security issues in web interface
• 2 fixes affecting incorrect vulnerability count in Dashboard
• Fixed the retesting of vulnerabilities for Targets requiring manual intervention
• Fixed the Targets page incorrectly showing that the Target is being scanned, when an ongoing scan is deleted.

Version 11 (build 11.0.172901635) – 17th October 2017

New Features and Vulnerability Tests

• Added detection for XSF vulnerability in WordPress (CVE-2016-9263)

Improvements

• Updated the Joomla and WordPress vulnerability checks

Fixes

• Fixed bug causing scans to fail because of certain characters in the LSR file

Version 11 (build 11.0.172641450) – 22nd September 2017

New Features and Vulnerability Tests

• Added detection for Apache Struts Remote Code Execution (s2-052)
• Added detection for Apache Struts Remote Code Execution (s2-053) – CVE-2017-12611
• Check for Header Injection via misconfigured nginx redirects
• Check for nginx Integer Overflow vulnerability (CVE-2017-7529)

Improvements

• Improved the detection of Blind SQL Injection
• Better support for large JavaScript files
• JAVA error detection now includes the full JAVA error returned by the server
• Improved the Remote File Inclusion XSS checks
• Updated the Joomla and WordPress vulnerability checks

Fixes

• Fixed bug causing the downloading of a Target’s LSR file to fail
• Fixed bug in HTTP Digest Authentication

Version 11 (build 11.0.172371608) – 25th August 2017

Fixes

• Fixed issue causing automatic updates to fail. Updates need to be downloaded manually from https://www.acunetix.com/download/fullver11/

Version 11 (build 11.0.172351036) – 23rd August 2017

New Features and Vulnerability Tests

• Detection of Apache Struts 2 Showcase RCE (CVE-2017-9791)
• Check for .hgignore (Mercurial SCM configuration file)
• Check for Atlassian Confluence Stored XSS (CVE-2016-6283)
• Check for private key files with names based on ScanHost, e.g. “www.example.org.key”, “example.org.key”
• Check for moment.js Denial of Service (CVE-2016-4055)
• Various updates to the WordPress and Joomla checks
• Introduction of Multi-Engine functionality for Enterprise customers

Improvements

• Updated the Database backup file checks
• Improved Jquery version fingerprinting
• Updated detection of HttpOnly and Secure cookie flags
• Updated default Target list sorting

Fixes

• Fixed XSS detection issue
• Minor fix to the allow_url_fopen enabled check
• Fixed F5 BIP-AP ASM WAF XML export
• Fixed issue causing Acunetix not to be able to install on Chinese OS

Version 11 (build 11.0.171721334) – 21st June 2017

New Vulnerability Tests

• Checks for XSS vulnerabilities jQuery UI version < 1.12.0
• Checks for various jQuery vulnerabilities
• Checks for Atlassian Confluence Access Restriction Bypass
• Checks for Tiki Wiki CMS Arbitrary File Download
• Checks for Tiki Wiki CMS Calendar module RCE
• Checks for Tiki Wiki CMS file upload vulnerability leading to arbitrary code execution.

Improvements

• Improved detection of WordPress version
• Various updates to the WordPress and Joomla checks
• Updated description for Broken links alert.

Fixes

• Fixed issue causing a crash in the scanning engine
• Fix affecting the processing of xml files, resulting in scan performance improvement
• Fix in the High Risk Scan Type, resulting in scan performance improvement
• Various updates and fixes in the Acunetix web UI.

Version 11 (build 11.0.171381251) – 18th May 2017

New Vulnerability Tests

• New check for Joomla SQL Injection Vulnerability (CVE-2017-8917)

Version 11 (build 11.0.171251523) – 5th May 2017

New Vulnerability Tests

• New check for WordPress Potential Unauthorized Password Reset

Version 11 (build 11.0.171181742) – 27th April 2017

New Vulnerability Tests

• New check for Authentication bypass in Atlassian Confluence 6.x

Improvements

• Various improvements to the WordPress checks

Bug Fixes

• Fixed issue affecting checks on REST APIs
• Fixed issue with Export to Imperva SecureSphere WAF

Version 11 (build 11.0.171101535) – 20th April 2017

New Vulnerability Tests

• New check for IIS 6 WebDAV Buffer Overflow RCE

Improvements

• Improved Backup file checks
• Various improvements to the WordPress checks
• Added support for various JavaScript libraries in the Login Sequence Recorder and DeepScan

Bug Fixes

• Virtual Host Audit check was not taking into consideration the Target Port and Scheme
• Fixed DeepScan issue which caused infinite loop during auto-authentication for some web applications
• Fixed issue in Login Sequence Recorder causing it not to load settings from the correct location

Version 11 (build 11.0.170941159) – 4th April 2017

Improvements

• The IP address or hostname of the Acunetix machine can be specified during the installation. This information is used to generate the SSL certificates used for the UI. This is required to avoid SSL errors
• Update to Login Sequence Recorder and DeepScan improving compatibility with modern web applications
• Target information is shown in “Scan Done” UI notifications
• Various minor updates to the UI
• Scan email notifications now include links to the scan results. Report email notifications include links to the report
• Multiple updates to the WordPress and Joomla vulnerability checks

Bug Fixes

• Fixed false positives caused by the PHP AcuSensor
• Fixed 2 privilege escalation issues reported privately to Acunetix
• Fixed false positive in WAF detection
• Fixed UI issue caused by certain characters in the Target Description field

Version 11 (build 11.0.170751531) – 16th March 2017

Updates

• Check for Remote Code Execution (RCE) vulnerability in Apache Struts 2 (CVE-2017-5638)

Version 11 (build 11.0.170611402) – 3rd March 2017

Updates

• Multiple updates to the WordPress and Joomla vulnerability checks

Fixes

• Fixed issue caused by UTF-8 characters in the login sequence filename
• Fixed issue with Target address validation

Version 11 (build 11.0. 170540920) – 23rd February 2017

Updates

• AcuMonitor registration setting is now remembered between license activations
• Various updates to the WordPress and Joomla vulnerability checks
• Acunetix now accepts .der, .p12 and .pfx file extensions for client certificates
• Login Sequence Recorder (LSR) now better supports sites using ES6 features

Fixes

• In certain situations, the auto-login details for a Target were not correctly stored, resulting the login credentials not being used during a scan
• Fixed issue with parsing of addresses
• Fixed issue causing auto-updating of the product to not be done for some licenses. Affected customers will be notified by email.

Version 11 (build 11.0.170461052) – 15th February 2017

Updates

• Creation of custom scanning profiles is possible from the Acunetix web UI.
• Manual Intervention events can be configured as part of a Login Sequence for Captchas and two factor authentication
• Retesting of vulnerabilities discovered by Acunetix
• The ability to disable AcuMonitor at license activation
• Comparison report for two scans of the same Target
• Reports are now available in both PDF and HTML
• The site structure is now shown in a hierarchical tree view
• Excluded hours can be configured per Target, in which no scans will be performed by Acunetix
• Added information on weak SSL key ciphers
• The Acunetix license activation allows the user to opt out of AcuMonitor registration
• Various updates to the WordPress and Joomla vulnerability checks

Fixes

• Notifications for vulnerabilities discovered by AcuMonitor now include a link taking the user to the vulnerability identified
• Various bug fixes in the UI
• Changed scan status message when scanned target is not responsive
• Fix in Relative Path Overwrite vulnerability check
• Various updates and fixes related to AcuMonitor
• Improved URL validation

Version 11 (build 11.0.170341008) – 3rd February 2017

New Vulnerability Test

• Content Injection Vulnerability in WordPress

Version 11 (build 11.0.163541031) – 19th December 2016

New Features

• Acunetix Enterprise users can now generate their API key to be used for the Acunetix API (contact sales@acunetix.com for more information on the API)
• Selenium IDE files are now supported as Import files in Acunetix v11
• The Acunetix Login Sequence Recorder can now edit login sequence files.

New Vulnerability Tests

• Privilege escalation vulnerability in Joomla! Core
• Multiple vulnerabilities in Joomla! Core, including arbitrary file upload and information disclosure vulnerabilities
• WordPress Plugin Nelio AB Testing Server-Side Request Forgery (SSRF)
• WordPress Plugin WooCommerce Email Test Information Disclosure
• WordPress Plugin All In One WP Security & Firewall Cross-Site Scripting
• WordPress Plugin Podlove Podcast Publisher Cross Site Scripting and SQL Injection Vulnerabilities
• WordPress Plugin WP Support Plus Responsive Ticket System SQL Injection
• WordPress Plugin wpDataTables Lite Cross-Site Scripting
• WordPress Plugin Twitter Cards Meta Cross Site Scripting and Server Side Request Forgery Vulnerabilities
• WordPress Plugin Multisite Post Duplicator Cross-Site Request Forgery
• WordPress Plugin Social Share Buttons-Social Pug Cross-Site Scripting 
• WordPress Plugin Delete All Comments Arbitrary File Upload
• WordPress Plugin BP Profile Search PHP Object Injection
• WordPress Plugin Quiz And Survey Master (Formerly Quiz Master Next) Multiple Vulnerabilities
• WordPress Plugin Analytics Stats Counter Statistics PHP Object Injection
• WordPress Plugin Backup & Restore Dropbox PHP Object Injection and Information Disclosure Vulnerabilities
• WordPress Plugin Ultimate Member Security Bypass
• WordPress Plugin Simple Personal Message SQL Injection
• WordPress Plugin WA Form Builder SQL Injection
• WordPress Plugin WP Vault Local File Inclusion

Improvements

• The Acunetix UI will show a message when the license is not activated.
• The Login Sequence Recorder will make use of the proxy settings configured for the Target.
• Better handling of cookies.

Bug Fixes

• Fixed reports generated for targets that have not been scanned
• Fixed allowance of empty Import Files to be uploaded for a Target
• Some information returned by AcuSensor was not reflected in the vulnerability details
• Fixed false positive in the ASP.NET debug mode check
• Various minor updates and fixes

Version 11 (build 11.0.163221044) – 17th November 2016

New Features

• New web-based user interface
• Targets are now stored in Acunetix with their individual settings, and can be easily re-scanned.
• Targets can be classified by their Business Criticality
• Reports are stored in the central interface
• Users can choose between “Target reports”, “Scan reports” or “All vulnerabilities reports”
• Role-based multi-user system, allowing users to be assigned the security scanning of specific targets.
• All vulnerabilities for all the targets are now shown in one list which can be easily filtered.
• Export vulnerabilities to F5 BIG-IP ASM and Fortinet FortiWeb Web Application Firewalls directly from within Acunetix
• Acunetix now supports sending vulnerabilities to these Issue trackers: Github, JIRA and Microsoft Team Foundation Service (TFS)
• Documentation is now inbuilt into the new interface
• New Dashboard, providing an instant overview of the security status of your assets.

Improvements

• The Acunetix tools are being released as a separate installation and can be downloaded from https://www.acunetix.com/vulnerability-scanner/free-manual-pen-testing-tools/
• Various updates and bug fixes

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10
• 11
• 12