A new Acunetix update has been released for Windows and Linux: 13.0.200911154, and macOS: 13.0.200911171.
This Acunetix update introduces data retention policies for scans and vulnerabilities allowing users to focus on current vulnerabilities. It also introduces the detection of paths in JavaScript code using static method analysis, the ability to retrieve links from several HTTP headers, numerous improvements to vulnerability deduplication, user-based timezone settings, and other important updates. The new build includes new vulnerability checks for SAP NetWeaver, Rails, Cisco ASA, and others. In addition, there are numerous updates and fixes, detailed below, all of which are available for all editions of Acunetix.
New Features
- New data retention settings, providing the ability to:
  - Keep the last 3 scans for each target and archive previous scans
  - Delete archived scans that are older than 2 years
  - The above data retention settings are configurable
  - The above settings affect vulnerabilities detected, which are archived/deleted accordingly
- A default scan profile can be configured for each target
- Forgot password option for Acunetix on-premises, allowing users to reset their password (email settings need to be configured for this to work)
- Detect paths in JavaScript code via static method analysis
- Ability to retrieve links from several HTTP headers
New Vulnerability Checks
- New check for SAP NetWeaver RECON (CVE-2020-6287)
- New check for DNN (DotNetNuke) CMS cookie deserialization RCE (CVE-2017-9822)
- New check for insecure referrer policy
- New check for remote code execution of user-provided local names in Rails
- New check for Cisco Adaptive Security Appliance (ASA) path traversal (CVE-2020-3452)
- New check for Total.js directory traversal (CVE-2019-8903)
- New check for Envoy metadata disclosure
- New checks for WordPress core/plugins/themes, Drupal, and Joomla vulnerabilities
Updates
- Vulnerabilities are now shown as grouped by vulnerability type and FQDNs
- Numerous improvements affecting vulnerability deduplication
- Deleted targets will not be shown in the UI by default
- Malicious links detected will be highlighted in the vulnerability report
- Ability to scan all targets in a target group
- Improved Swagger support implementation
- Updated the backup files/folders and possible sensitive files checks to report alerts on the parent of the detected file
- Time zone can now be configured by each user account
- User accounts can now switch the UI language to Chinese
- .NET Sensor updated to support .NET core
- Updated session fixation vulnerability check to avoid possible false positives
- Updated to Chromium v83
Fixes
- Fixed issue with offline activation
- Fixed a few crashes occurring on specific sites
- Fixed issue affecting AcuMonitor when scanning certain sites
- Various small UI fixes
- Fixed target deletion issue for consult licenses
- Fixed: PDF report generation was failing in specific situations
- Fixed issue causing HTTP requests passing through a proxy to fail
- Fixed issue affecting relative HTTP redirects
- Fixed issue causing manual intervention not to work on Linux
- Fixed issue causing Deep Scan to miss some DOM XSS vulnerabilities
- Fixed text overlapping issue in reports
- Fixed issue causing Telerik Web UI RadAsyncUpload deserialization (CVE-2019-18935) to not always be detected
- Fixed: HTTP Strict Transport Security (HSTS) not implemented and HTTP Strict Transport Security (HSTS) best practices were using the same name
- Fixed: sensitive files/directories checks were missing attack details
- Fixed issue caused when sorting scans by target description
- Fixed a few issues in the Login Sequence Recorder and Business Logic Recorder