Acunetix Premium Release Notes

v14.6.211207099 - 07 Dec 2021

Copy Link Copy Link

Version 14 build 14.6.211207099 for Windows, Linux and macOS – 7th December 2021

New Features

Scanner supports detecting HTTP/2 vulnerabilities

New Vulnerability Checks

New check for Reverse proxy misrouting through HTTP/2 pseudo-headers (SSRF)
New check for HTTP/2 pseudo-header server-side request forgery
New check for Web Cache Poisoning DoS through HTTP/2 headers
New check for HTTP/2 Web Cache Poisoning
New check for Ghost CMS Theme Preview XSS (CVE-2021-29484)
New check for GitLab ExifTool RCE (CVE-2021-22205)
New check for Limited Remote File Read/Include in Jira Software Server (CVE-2021-26086)
New check for Sitecore XP Deserialization RCE (CVE-2021-42237)

Updates

Improved handling of Laravel CSRF tokens
Added possibility to restrict scanning a Target using the Main Installation’s scanning engine
Added ability to configure blocking of requests to Ad services
Multiple UI updates
Multiple DeepScan updates
Multiple updates to the PHP AcuSensor

Fixes

Fixed: SQLi false negative caused when AcuSensor is installed
Fixed: Incremental scans not starting when scheduled via Jenkins plugin
Fixed: 2 issues in .NET sensor injector CLI
Fixed: Node.js sensor not working on https sites
Fixed: Not all paths are importing from specific Burp state file
Fixed: Scanner crashes when parsing specific GraphQL and Swagger 2 files
Fixed: Specific excluded paths can cause the scanner to hang
Fixed: multiple scanner hangs
Fixed: Race condition between LSR and BLR
Fixed: Imported urls ignored when site redirects from http to https
Fixed: Incorrect permissions for some Acunetix files / folders on Linux / Mac

v14.5.211115146 - 16 Nov 2021

Copy Link Copy Link

Version 14 build 14.5.211115146 for Windows, Linux and macOS – 16th November 2021

New Features

New OWASP Top 10 2021 compliance report
JAVA AcuSensor now supports JDK 11

New Vulnerability Checks

New check for GitLab ExifTool RCE (CVE-2021-22205)
New check for Sitecore XP Deserialization RCE (CVE-2021-42237)

Fixes

Fixed issue causing hang in scanner
Fixed issue causing some vulnerabilities not to be detected when AcuSensor is enabled and not installed on the web application

v14.5.211109105 - 09 Nov 2021

Copy Link Copy Link

Version 14 build 14.5.211109105 for Windows, Linux and macOS – 9th November 2021

New Vulnerability Checks

New check for Keycloak request_uri SSRF (CVE-2020-10770)
New check for Apache HTTP Server Insecure Path Normalization (CVE-2021-41773 and CVE-2021-42013)
New check for Apache mod_proxy SSRF (CVE-2021-40438)

Fixes

Fixed issue in .NET AcuSensor CLI parameter used to list the web sites in IIS
Fixed issue in Clickjacking: CSP frame-ancestors missing vulnerability check
Fixed false positive in Сockpit CMS reset password NoSQLi

v14.5.211026108 - 26 Oct 2021

Copy Link Copy Link

Version 14 build 14.5.211026108 for Windows, Linux and macOS – 26th October 2021

Updates

Removed message to “Press any key to continue” when installing .NET AcuSensor from CLI. This was hindering the automatic installation of the .NET sensor

Fixes

Fixed issue causing scans to fail when site redirets from http to https
Fixed issue causing incremental scans initiated from Jenkins plugin not to start

v14.5.211021117 - 21 Oct 2021

Copy Link Copy Link

Version 14 build 14.5.211021117 for Windows, Linux and macOS – 21st October 2021

Fixes

Fixed crash when processing swagger2 file with non-existent references

v14.5.211008143 - 11 Oct 2021

Copy Link Copy Link

Version 14 build 14.5.211008143 for Windows, Linux and macOS – 11th October 2021

New Features

Added support for URL optional fields
Added support for Brotli encoding
JAVA AcuSensor can now be used on Tomcat 10.0.x
Added support for Restify framework in Node.js Sensor
Added support for LoopBack framework in Node.js Sensor
Added support for Sequelize ORM in Node.js Sensor
Added support for Router Package in Node.js Sensor
Added support for Director Router in Node.js Sensor

New Vulnerability Checks

New check for Apache HTTP Server Source Code Disclosure
New check for ManageEngine ADSelfService Plus Authentication Bypass (CVE-2021-40539)
New check for Oracle Business Intelligence ReportTemplateService XXE (CVE-2021-2400)
New check for Jira Unauthorized User Enumeration (CVE-2020-14181)
New check for Jira Unauthorized User Enumeration via UserPickerBrowser
New check for Jira Projects accessible anonymously
New check for Payara Micro File Read (CVE-2021-41381)

Updates

Export to AWS WAF is now available in all pages which allow WAF Export
Updated Pre-request scripts, making it easier to update session header value
Updated the detection of WAFs to support new WAFs
Increased the detection of development files
Improved the JavaScript Library Audit checks

Fixes

Fixed issue in Paros import
Fixed issue in scanner causing False Negatives when processing specific pages
Fixed issue in AWS WAF Export
Fixed issue in PHP Sensor not being detected when used in a large site with many files
Fixed issue causing pre-request scripts not to be loaded by scanner
Fixed 3 issues in Postman imports
Fixed False Negative in Django Debug Mode vulnerability check
Fixed issue causing high response times in UI caused by large quantity of Targets configured
Fixed false positive in “User credentials are sent in clear text” check

v14.4.210913167 - 14 Sep 2021

Copy Link Copy Link

Version 14 build 14.4.210913167 for Windows, Linux and macOS – 14th September 2021

New vulnerability checks

Added check for Unrestricted access to Kong Gateway API
Added check for Unrestricted access to Haproxy Data Plane API
Added check for OData feed accessible anonymously
Added check for Unauthenticated OGNL injection in Confluence Server and Data Center (CVE-2021-26084)
Added check for Microsoft Exchange Server Pre-auth Path Confusion vulnerability (CVE-2021-34473)

Updates

Updated CORS Origin Validation check

v14.4.210831180 - 01 Sep 2021

Copy Link Copy Link

Version 14 build 14.4.210831180 for Windows, Linux and macOS – 1st September 2021

Fixes

Fixed: Error when adding new Targets
Fixed: Scanner crash when using a Postman import file

v14.4.210826124 - 26 Aug 2021

Copy Link Copy Link

Version 14 build 14.4.210826124 for Windows, Linux and macOS – 26th August 2021

New Vulnerability checks

New check for Cisco Adaptive Security Appliance (ASA) XSS (CVE-2020-3580)
New check for Jetty Information Disclosure (CVE-2021-34429)
New check for SAP ICF URL redirection Vulnerability

Updates

“AllOf” tag is now handled for Swagger2 schemas
Improved handling of import files for sub-domains and allowed hosts

Fixes

Fixed: Inexistant paths identified by WordPress checks
Fixed: Scanner crashing on specific content

Acunetix Standard & Premium

New Features

New Vulnerability Checks

Updates

Fixes

New Features

New Vulnerability Checks

Fixes

New Vulnerability Checks

Fixes

Updates

Fixes

Fixes

New Features

New Vulnerability Checks

Updates

Fixes

New vulnerability checks

Updates

Fixes

New Vulnerability checks

Updates

Fixes