Acunetix Standard & Premium

New Security Checks

• Added check for CVE-2024-6842

Improvements

• Upgraded to OpenSSL
• Updates to technologies and fingerprints

New Security Check

• Apache OFBiz RCE (CVE-2024-45195)

• Apache OfBiz Authz Bypass (CVE-2024-36104, CVE-2024-38856)

Improvements

• Updated Chromium to v128.0.3316.119/.120

• Improved support for GraphQL when described in introspection JSON

• The upgraded Scan Details page is now enabled for On-Premises customers as well → Learn more

• Using API Discovery On-Premises, the admin can specify a destination URL for the Network Traffic Analyzer connection

Fixes

• Fixed a false positive in the Solr Injection check

• Resolved a rare case where the vulnerability detail was not loading properly on the new Scan Details page

• Runtime SCA PDF reports are now being generated correctly

• The scan end timestamp is now loading properly on the new Scan Details page

New Features

• Added support for Apache Tomcat 11 in JAVA IAST sensor
• RAML API specs can now be uploaded to extend the coverage of API scanning → Learn more
• Implemented support for scanning HTTP/2 websites
• Runtime SCA findings are now available on the Scan Details page (Acunetix Online only, On-Premises coming soon)
• A new scan report for SCA is now available → Learn more

New Security Checks

• Next.js image Blind SSRF
• SolarWinds Web Help Desk RCE (CVE-2024-28986)
• Apache HTTP Server Confusion Attacks (CVE-2024-38472, CVE-2024-39573, CVE-2024-38477, CVE-2024-38476, CVE-2024-38475, CVE-2024-38474, CVE-2024-38473, CVE-2023-38709)
• Jelly Template Injection Vulnerability in ServiceNow UI Macros (CVE-2024-4879, CVE-2024-5217)
• SuiteCRM SQL Injection (CVE-2024-36412)
• Odoo XSS (CVE-2023-1434)
• Mura/Masa CMS JSON API RCE
• Lucee CF_CLIENT_ RCE
• Lucee Stacktrace Information Disclosure
• Lucee Unset Admin Password
• Updated WordPress plugins vulnerabilities database
• GeoServer RCE (CVE-2024-36401)

Improvements

• Minor cosmetic UI/UX issues have been addressed across the app
• Updated list of exposed web installers reported
• The Scan Details screen for reviewing scan results has been modernized and upgraded
• Improved testing of path fragments
• The agent status now shows ‘Unknown’ instead of ‘Error’ when the agent hasn’t shared its status for some time
• API Discovery: Added the ability to start scans directly from the list of discovered and linked APIs
• API Discovery: Added functionality to change the base URL of an already linked API
• Updated scanner to handle security definitions within Swagger

Fixes

• Updated the scanner to use default scan speed settings when scan speed settings are missing
• Fixed a false positive in the detection of Possible Virtual Host Found
• Fixed a false positive in the detection of CVE-2024-6387

New Features

• Invicti API Security: multi-layered API discovery to enable comprehensive identification of known and undocumented APIs → Learn more

New security checks

• Argo CD Information Disclosure (CVE-2024-37152)
• Apache OFBiz SSRF (CVE-2023-50968)
• Apache OFBiz RCE (CVE-2024-32113)

Improvements

• Scanner: Improved processing of large files
• Added support for HTTP/2 requests in Burp state import files
• .NET IAST Sensor: Added support for Engine.Razor functions
• Improved XFS checks
• Improvements to the new Scan Detail page (Early Access)

Fixes

• Minor UI/UX fixes across the application

New Features

• Security checks can now be auto-updated without requiring a full product update

New Security Checks

• SolarWinds Serv-U directory transversal (CVE-2024-28995)
• Ivanti EPM SQL Injection / RCE (CVE-2024-29824)
• Rejetto HTTP File Server SSTI / RCE (CVE-2024-23692)
• PHP CGI Argument Injection (CVE-2024-4577)
• Telerik Report Server – Authentication Bypass (CVE-2024-4358)
• Added a new security check to identify supply chain attacks through Polyfill JS.

Improvements

• Added a notification in the UI to inform users when their account does not have any permissions set up yet (Acunetix Premium+)
• Updated the Scan Details page user experience with RuntimeSCA reporting (available to Early Access customers)
• Improved detection of DOM XSS vulnerabilities
• .NET Core IAST sensor – added hooking for System.Xml functions
• Improved detection of Open Redirect vulnerabilities
• Improved descriptions for verified vulnerabilities
• Added a notification to the activity log when the engine is unable to communicate with the SCA service

Fixes

• Fixed the issue that was causing the BLR to fail on Sequential/Slow scans
• Fixed the issue that was causing duplicates in the sitemap
• Logon banner messages (when configured) now display properly on the login page (Acunetix On-Premises)