New updates have been released that test for a new Joomla! remote code execution vulnerability affecting versions 1.5.0 through 3.4.5 (CVE-2015-8562). Other updates include improved XML External Entity (XXE) testing, multiple Cross-site Scripting tests for commonly used libraries, and other improvements and bug fixes. Below is the full list of updates.

New Features

  • Added a test for Joomla! CMS remote code execution vulnerability CVE-2015-8562.
  • Added a test for multiple vulnerabilities in older versions of Uploadify SWF.
  • Added tests for XXE (XML External Entity) vulnerabilities via WebDAV methods such as PROPFIND, PROPPATCH and LOCK.
  • Added a test looking for multiple XSS vulnerabilities in older versions of the Flowplayer SWF.
  • Added a test for multiple vulnerabilities in older versions of jPlayer SWF.
  • Added tests for various XSS vulnerabilities in older JW Player versions.
  • Added a test for Open Flash Chart ‘get-data’ Parameter Cross-Site Scripting Vulnerability.
  • Added a test looking for MediaWiki SVG XSS.
  • Added a test looking for cross-site scripting vulnerabilities in SimpleViewer.
  • Added a test looking for older versions of the ZeroClipboard SWF library that are vulnerable to a cross-site scripting vulnerability.

Improvements

  • Updated WordPress plugins and WordPress core checks.
  • Major improvements for XXE vulnerability testing on custom HTTP methods.
  • Improved WebDAV vulnerability testing.

Bug fixes

  • Bug fix relating to incorrect WADL file handling.

How to Update

If you are running Acunetix Web Vulnerability Scanner v10, you will be notified that a new build is available to download when you start the application. Navigate to the General > Program Updates node in the Tools explorer and click Download and Install to install the new build.

If you are running Acunetix WVS v8 or v9, you should follow the upgrade instructions available in the article “Upgrading from a previous version of Acunetix Web Vulnerability Scanner”.

You can see the complete Acunetix WVS change log here.

THE AUTHOR
Ian Muscat

Ian Muscat used to be a technical resource and speaker for Acunetix. More recently, his work centers around cloud security and phishing simulation.