Acunetix 360 On-Premises

New features

• Added the option to remove Request/Response details from the detailed template to avoid the character limit error when sending vulnerabilities
• Added the option for customers to display their company name on the PCI report (new scan settings field under General settings)
• Enabled the ability to re-scan a previously scanned target, which allows the application of previous exclusions on the scan and helps avoid false positives on the PCI ASV scan
• Added the option to enable enhanced logging of failed logins
• Added functionality to the UI for users to obtain logs from failed scans (previously, only system administrators were able to do that)
• ServiceNow Application Vulnerability Response integration is now available in the ServiceNow store

New security checks

• Added a check for dotCMS CVE-2022-26352
• Added a check for the Ultimate Member WordPress plugin CVE-2023-3460
• Added a new mXSS pattern
• Added new signatures to detect JWKs
• Implemented a detection and reporting mechanism for the Backup Migration WordPress plugin CVE-2023-6553
• Added detection for TinyMCE
• Implemented a detection and reporting mechanism for the Backup Migration WordPress plugin CVE-2023-46604

Improvements

• Improved the recommendations for the Weak Ciphers Enabled vulnerability
• Improved detection of swagger.json vulnerabilities
• Updated the “Insecure Transportation Security Protocol Supported (TLS 1.0)” vulnerability to High Severity
• Implemented support for scanning sites with location permission pop-ups
• Implemented support for FreshService API V2
• Revised the labeling of the active vulnerabilities information on the Scan Summary page to provide greater clarity
• Removed obsolete X-Frame-Options Header security checks
• Improved ServiceNow Vulnerability Response integration

Fixes

• Fixed a bug in the cloning report policies functionality
• Fixed an error that was occurring with the API endpoint: list-scheduled
• Fixed a bug with the Jira integration
• Fixed a bug with custom scheduled scans that were not updating the Next Execution Time field correctly
• Fixed an issue with the HashiCorp Vault integration token validation path
• Fixed the missing ‘Known Issues’ tab from scan summary issue details
• Fixed an issue with the severity trend chart on the Dashboard
• Fixed a problem with importing WDSL files
• Fixed a bug in the Request/Response tab of Version Disclosure vulnerabilities
• Corrected an issue in the technical reports where vulnerabilities identified in Korean are now reported in English
• Changed the ID parameter from ‘optional’ to ‘required’ within the Scan Policy Update API
• Removed the target URL from the scope control list
• Resolved a bug in the filtering of vulnerabilities on the Issues page
• Fixed a bug in the marking of issues as a false positive
• Resolved an issue where the agent would become unavailable after receiving a 401 error
• Fixed the issue with uploading a Swagger file into a scan profile
• Removed the “Export all attributes” option from Scan Profiles, Report Policies, Manage Members, and Scan Policies
• Fixed the system to halt subsequent tests if a scan is aborted from Jenkins
• Upgraded Microsoft.Owin package to version number 4.2.2

New features

• Added CVSS 4.0 categorization of vulnerabilities
• Added support for PCI DSS 4.0

New security checks

• Google ProtocolBuffers: CVE-2022-1941

Improvements

• Added descriptions to the agent warning messages on the Scan Summary page
• Updated messaging around the functionality of the Team Administrator role
• Improved the request body rating algorithm
• Improved the Postman collection parsing algorithm
• Improved the vulnerability calculator for Boolean MongoDB
• Resolved an issue with adding a client certificate to set up a scan

Fixes

• Fixed a bug that was preventing customers from adding back previously deleted targets
• Increased character length for the Jira and Snow integration URL validation regex to ensure it accommodates Top-Level Domains (TLDs)
• Paused scheduled scans that were resuming automatically will now remain paused until manually resumed
• Removed the previous limit on the number of supported second-level domains in the Discovery feature
• Fixed an error that was occurring when updating an issue from Fixed (confirmed) to Accepted Risk status
• Fixed discrepancies in the numbers displayed on the Dashboard
• Fixed an issue with the agent auto-updater
• Fixed a behavioral issue with the SSO login process
• Added a missing control for SSO users while editing members
• Fixed a bug in the communication between Acunetix 360 and ServiceNow
• Fixed a bug that was preventing administrators from creating new notifications or editing built-in notifications
• Fixed an issue that was causing verifiers to not use scan policy proxy settings
• Fixed an auth verifier client certificate authentication path error
• Fixed the Invicti crawler that wasn’t getting JS endpoints correctly
• Resolved issues with importing API documentation from a link
• Fixed a bug in the Jenkins plugin that was causing the ‘Stop The Scan When Build Fails’ option to not work correctly
• Fixed insecure Windows service permissions that were vulnerable to privilege escalation attacks

NEW FEATURES

• Added the ability to pull a PCI Report from the CloneSystem itself by using API endpoints
• Added the option for customers to define a namespace for their HashiCorp integration
• Enhanced reporting capabilities with more attributes available in .csv exports and the option to do a .csv export in more places in the UI
• Added an option under New Scan Policy > Ignored Parameters to allow customers to set ‘Cookie’ as a type of ignored parameter
• Added a setting for administrators to enable internal agents to get VDB updates from the WebApp to avoid routing and proxy issues
• Added the option for administrators to hide sensitive data (passwords, tokens, session IDs, etc.) from the UI
• Added functionality to the Dashboard so that you can drill down to view more information when clicking on the Severities and Securities Overview section
• Added an option under General > Settings to require a password for edit access to custom scripts
• Added an option under General > Settings to set a session timeout limit for all users
• We now support AWS IAM Roles as an authentication method

NEW SECURITY CHECKS

• Added new checks for the WordPress Login with Phone Number Plugin: CVE-2023-23492
• Added new checks for the WordPress JupiterX Core Plugin: CVE-2023-38389, CVE-2023-38388

IMPROVEMENTS

• Added support for custom authentication tokens without token type
• Improved LFI attack patterns for better accuracy
• Fixed some vulnerabilities in the Docker image
• Stricter sensitive data rules
• Improved bot detection bypass scenarios
• Added a warning message when selecting or assigning the Team Administrator role

FIXES

• Fixed a sensitive data issue when uploading a pre-request script
• Fixed a bug that was preventing scheduling group scans using API
• Fixed custom header values in scan profiles so that they are masked
• Docker Cloud Stack check has been updated to reduce noise
• SSL/TLS classification updated from CWE-311 to CWE-319
• Fixed a bug in scheduling group scans with API
• Removed 401 to 500 status code conversion for internal agent requests
• Changed the IP range limitation for excluded IPs in Discovery Settings to fix the Invalid IP address error
• Fixed an issue with scheduled scans not following the scan time window
• Fixed the problem with scan failed logs not appearing in activity logs
• Fixed the broken verify login and logout function in scan profiles
• Updated the vulnerability severity ranking so that issues are correctly sent to integrated issue tracking systems
• Changed the Active Issue count on the dashboard so that it is consistent with the number when you click on it
• Fixed an issue with accessing a scan profile
• Fixed an issue related to having multiple integrations with the same project but with different issue types
• Fixed an issue in the ‘Basic, Digest, NTLM/Kerberos, Negotiate Authentication’ settings for scans
• Fixed the Jira Server integration issue that was causing only some Jira users to display when configuring Jira Field Mappings
• Fixed an incorrect timezone setting
• Fixed a bug that was causing URL rewrite rules to not be included in the Export Knowledge Base report
• Fixed a problem with the internal agent not sending a heartbeat to the web app when in archiving state
• Fixed an issue with Jira-related integration information being removed from the issue history when a previous scan is deleted
• Fixed an internal agent issue that was causing an exception when registering a vulnerability
• Fixed an issue that was causing the Knowledgebase, Crawled URLs, and Scanned URLs to fail when there is no content
• Fixed the missing mapping for Proxy Bypass On Local that was not saving when a scan policy was saved
• Fixed a bug that was duplicating roles when a Team Administrator modified another Team Administrator direct role assignment
• Fixed version information reported in Web App Fingerprint Vulnerabilities

New features

• Added the option to set a Custom HTTP Authorization Header under Scan policy > HTTP > Request
• Adjusted agent download parameters to allow installation of internal scanner agents using the Docker client via the Invicti registry service
• Changed the compression tool and default compression format for log files from 7zip to Tar
• Added functionality to enable entering multiple IP addresses and IP ranges into the IP Address Restrictions setting. Previously, only single-entry IP addresses were permitted.
• Added TLS certificate authentication as an option when integrating with HashiCorp Vault. Previously, we only supported token authentications.

New security checks

• Added new patterns to detect XSS

Improvements

• Improved notification delivery with integration services
• [Closed Beta] Protected visibility of passwords within custom scripts
• Improved detection and reporting of File Inclusion vulnerabilities
• Improved detection and reporting of Sensitive Data Exposure vulnerabilities
• Improved detection and reporting of Dockerfiles
• Disabled caching from the boolean-based MongoDB security engine to avoid possible false positives
• Improved the content-type exemption for non-HTML content types in the CSP engine
• Improved the typehead.js check to increase stability
• Removed the X-XSS-Protection header check because it is deprecated by modern browsers
• Added functionalities to prevent bot detection and fixed an issue that was causing cookie loss after authentication
• Improved the remediation part for the JetBrains .idea detected vulnerability
• Added information to the UI about the functionality of the ‘Edit My Team’s Role’ permission
• Added bypass list functionality for scan policies

Fixes

• Fixed a bug in the date filter that was causing incorrect information to display on the dashboard
• Fixed the external SOAP web service import problem
• Fixed a problem that was causing default values to be filled incorrectly, resulting in false negatives
• Fixed Vulnerabilities visible from the UI but not via API in certain failed scan situations
• Fixed inconsistent scan states in rare deleted scan scenarios
• Fixed missing Next Execution Time for certain scheduled scans
• Fixed an issue that prevented saving scheduled scans in some scenarios
• Fixed inconsistencies in the Resource Finder with certain hidden files and backup files
• Improved updating of groups in Azure Provisioning scenarios

Improvements

• Changed compression tool from 7zip to Tar

Fixes

• Fixed lost license information in unstable network conditions