Acunetix Premium Changelogs

v13.0.200911154 - 14 Sep 2020

Copy Link Copy Link

Version 13 (build 13.0.200911154 for Windows and Linux and build 13.0.200911171 for macOS) 14th September 2020

New Features

New Data Retention settings, providing the ability to:
- Keep the last 3 scans for each target and archive previous scans
- Delete archived scans which are older than 2 years
- The above data retention settings are configurable
- The above settings affect vulnerabilities detected, which are archived / deleted accordingly
A default scan profile can be configured for each target
Forgot Password option for Acunetix On premise, allowing users to reset their password – Email settings need to be configured
Detect paths in JavaScript code via static method analysis
Ability to retrieve links from several HTTP headers
Scanner will try to auto-discover API definitions

New Vulnerability Checks

New check for SAP NetWeaver RECON (CVE-2020-6287)
New check for DNN (DotNetNuke) CMS Cookie Deserialization RCE (CVE-2017-9822)
New check for Insecure Referrer Policy
New check for Remote code execution of user-provided local names in Rails
New check for Cisco Adaptive Security Appliance (ASA) Path Traversal (CVE-2020-3452)
New check for Total.js Directory Traversal (CVE-2019-8903)
New check for Envoy Metadata disclosure
New checks for WordPress Core / Plugins / Themes, Drupal and Joomla vulnerabilities

Updates

Vulnerabilities are now shown as grouped by Vulnerability Type and FQDNs
Numerous improvements affecting vulnerability deduplication
Deleted Targets will not be showing in the UI by default
Malicious links detected will be highlighted in the vulnerability report
Ability to scan all Targets in a Target Group
Improved Swagger support implementation
Updated backup files/folders and possible sensitive files checks to report alerts on parent of file detected
Time zone can now be configured by each user account
User accounts can now change UI to Chinese
.NET Sensor updated to support .NET Core
Updated Session Fixation vulnerability check to avoid possible False Positives
Updated to Chromium v83

Fixes

Fixed issue with offline activation
Fixed a few crashes occurring on specific sites
Fixed issue affecting AcuMonitor when scanning certain sites
Various small UI fixes
Fixed Target Deletion issue for Consult licenses
Fixed: PDF report generation was failing in specific situations
Fixed issue causing HTTP requests passing through a proxy to fail
Fixed issue affecting relative HTTP redirects
Fixed issue causing Manual Intervention not to work on Linux
Fixed issue causing DeepScan to miss some DOMXSS vulnerabilities
Fixed text overlapping issue in reports
Fixed issue causing Telerik Web UI RadAsyncUpload Deserialization (CVE-2019-18935) to not always be detected
Fixed: ‘HTTP Strict Transport Security (HSTS) not implemented’ and ‘HTTP Strict Transport Security (HSTS) Best Practices’ where using the same name
Fixed: Sensitive files / directories checks were missing Attack details
Fixed issue caused when sorting scans by target description
fixed a few issues in the Login Sequence Recorder and Business Logic Recorder

v13.0.200807155 - 07 Aug 2020

Copy Link Copy Link

Version 13 (Windows / Linux: 13.0.200807155, macOS: 13.0.200807156) 7th August 2020

New Features

Acunetix is now available in Simplified Chinese
Path Fragments are now shown in the site structure

New Vulnerability Checks

New check for Insecure Inline Frames
New check for Remote code execution of user-provided local names in Rails
New check for SAP NetWeaver RECON auth bypass vulnerability
New check for H2 console publicly accessible
New check for PHP version disclosure
New check for Atlassian JIRA ServiceDesk misconfiguration
New test for Jolokia XML External Entity (XXE) vulnerability
New checks for WordPress core, WordPress themes, WordPress plugins, Joomla and Drupal

Updates

Created and Last Updated dates are available for vulnerabilities
Order of section in Comparison report updated to be more intuitive
Target Address is shown in full in the UI
/users/ endpoint is now available in the API

Fixes

Fixed issue when exporting vulnerabilities to WAF which contained CVSS3.1
Fixed issue causing custom user-agent to not be used in all requests during a scan
Fixed issues causing some vulnerabilities not to be well formatted when sent to JIRA issue tracker
Fixed issue when adding JIRA Issue Tracker in Acunetix Online
Fixed issue caused when adding Targets to an existing Target Group
Minor fix in Comprehensive report text
Fixed UI issue showing blank list (Scans, Targets etc) when using the browser’s back button
Fixed issue caused by scanning Targets with complex GraphQL schemas

v13.0.200715111 - 15 Jul 2020

Copy Link Copy Link

Version 13 (build 13.0.200715111 for Windows, Linux and build 13.0.200715153 for macOS) 15th July 2020

New Features

Acunetix on premise is now available for macOS

New Vulnerability Checks

New test for F5 BIG-IP Traffic Management User Interface (TMUI) RCE [CVE-2020-5902]
New test for Composer installed.json publicly accessible
New test for Symfony debug mode enabled
New test for Symfony Profiler open
New test for Directory Traversal with spring-cloud-config-server [CVE-2020-5410]
New test for Grafana avatar SSRF [CVE-2020-13379]
New test for rack-mini-profiler environment variables disclosure
New test for Telerik Web UI RadAsyncUpload Deserialization [CVE-2019-18935]

Updates

Improved UI messages when scans cannot start due to Manual Intervention
Updated interpretation and generation of XML requests / responses
New Scanning profile for High and Medium Vulnerabilities
Target Description is now available on the Scans page
Incremental Scans initiated by Jenkins plugin are correctly labelled as incremental
A number of improvements in JavaScript Libraries Audit

Fixes

Fixed issue caused when configuring Gitlab issue tracker with Impersonation Token
Fixed issue causing filter not to be available for Standard licenses
Fixed Malware Scan profile to include checks for malware links
Fixed resource allocation issue, causing scans to end unexpectedly
Comprehensive Report was incorrectly showing High Severity Threat level
Fixed issue affecting the CVSS score calculation of some vulnerabilities

v13.0.200624118 - 24 Jun 2020

Copy Link Copy Link

Version 13 (build 13.0.200624118 – Windows and Linux) 24th June 2020

New Features

Introduced support for GraphQL
Introduced support for OAuth2.0
GraphQL files can be used as Import Files
New Comprehensive Report, which includes the HTTP Response in the HTML version of the report
HTTP Response uses syntax highlighting for improved readability
Scans can now be restricted to paths/locations in import files
User can choose which columns to show in all the Acunetix lists
UI saves columns selected for each page / user (applies to Targets, Vulnerabilities, Scans and Reports)
UI saves number of items to show on each page / user (applies to Targets, Vulnerabilities, Scans and Reports)
UI saves sorting order for each page / user (applies to Targets, Vulnerabilities, Scans and Reports)

New Vulnerability Checks

New check for vBulletin 5.6.1 (and earlier) nodeId SQL injection
New check for Cmd hijack vulnerability
New check for PHP opcache-gui publicly accessible
New check for Laravel debug mode enabled
New check for Laravel Health Monitor publicly accessible
New check for Laravel Health Horizon publicly accessible
New check for Laravel Health LogViewer publicly accessible
New check for Laravel Health Telescope publicly accessible
New check for Laravel Ignition Reflected Cross-Site Scripting
New check for Laravel framework weak secret key
New check for HTML Attribute Injection
New check for Clockwork PHP dev tool enabled
New check for PHP Debug Bar enabled
New check for Broken Link Hijacking
New checks for Cookie misconfigurations leading to security issues
New vulnerabilities for WordPress Core, WordPress plugins, Joomla and Drupal

Updates

Targets with Manual Intervention cannot have a Business Logic Recording
Changed vulnerability name filter to use search as you type
Scans will start reporting pages that require HTTP Authentication
Acunetix UI notifications have been changed as follows:
- Moved to bottom right of Acunetix UI
- Stay longer on the page
- Can be closed by the user
Increased name length limit of import files to 128 characters
User can optionally specify the address to be used for Auto-login. This is useful for SSO login pages
The scanner will try to connect to the address of the target before aborting the scan after 25 consecutive network errors
Targets can be deleted and replaced on the license anniversary

Fixes

Fixed: The vulnerability name filter did not always show all vulnerabilities
Fixed incorrect error handling message when disabling the proxy settings
Hide Business Logic Recorder for Network Only targets
Fixed: Acunetix Online was showing an ID as the name of some network vulnerabilities
Fixed: Acunetix Online was not always showing the HTTP Response for some vulnerabilities
Fixed: Acunetix Online was not showing the number of licensed Targets
Fixed issue causing paths of ignored files to be ignored too
Fixed LSR issue on Safari browser
Fixed issue caused when the LSR and BLR are used on certain sites
Various minor fixes to the UI
Fixed false positives in over 25 vulnerability checks

v13.0.200519155 - 20 May 2020

Copy Link Copy Link

Version 13 (build 13.0.200519155 – Windows and Linux) 20th May 2020

Updates

Vulnerabilities filter shows correct sorting
User can now test notification settings
List of Licensed Targets can now be accessed from user profile page

Fixes

Fixed issue when using the Login Sequence Recorder remotely
ConsultLite licenses were being shown as Standard
Some vulnerabilities were not displayed correctly in Azure Devops Services

v13.0.200508159 - 11 May 2020

Copy Link Copy Link

Version 13 (build 13.0.200508159 – Windows and Linux) 11th May 2020

New Features

Business Logic Recorder – used to record logic used in multi-step forms
Export to Citrix WAF
Support for Azure DevOps Services issue tracker
CVSS3.1 score for most Acunetix vulnerabilities
Targets can now be exported to CSV
New Graph in Dashboard showing Average vulnerabilities per Target

New Vulnerability Checks

New check for Server-Side Template Injection (SSTI) in ASP.NET Razor
New check for Oracle BI AMF Deserialization RCE (CVE-2020-2950)
New check for Possible Cross Site Scripting via jquery.htmlPrefilter() (CVE-2020-11023)
New check for Stored XSS in WP theme Onetone (CVE-2019-17230 and CVE-2019-17231)
Updated detection of phpinfo pages
New checks in WordPress Core and WordPress plugins
New checks for default credentials in over 65 web applications

Updates

Manual Intervention (used for CAPTCHAs, OTP etc) is now using the integrated (web-based) LSR
As a result of the previous update, Manual Intervention is now available on Linux
Improved error reporting for network scans aborted due to network errors
Vulnerability alerts updated to show important information at the top
Updated Github issue tracker to support Personal Access Token (PAT) authentication
Improved reporting of Paused scans in the UI
Improved UI message user triggers a scan which is not allowed due to Manual Intervention
API documentation can now be downloaded from within the Acunetix UI
Added support for popup windows in the Login Sequence Recorder
Improved handling of large import files
Improved handling large requests / responses generated from import files
Decreased false positives reported for Possible username or password disclosure
Truncated large vulnerability alerts when sending to Jira issue tracker

Fixes

Fixed incorrect from email address used for monthly update emails
Fixed AcuMonitor UI notification to link to corresponding vulnerability
Fixed issue causing vulnerability checks to not be able to send empty values
Fixed a number of crashes
Fixed issue causing ASP.NET sites to be processed as ASP sites
Fixed 2 issues caused when using Swagger import files
Improved handling of txt import files using incorrect import format
Fixed Session Fixation false positive
Fixed UI issue when configuring Custom Cookies
Trend charts where not being updated for user accounts
Fixed issue in excluded hours
Fixed “Client Certificate Not Set” message incorrectly being reported

v13.0.200409107 - 09 Apr 2020

Copy Link Copy Link

Version 13 (build 13.0.200409107 – Windows and Linux) 9th April 2020

New Vulnerability Checks

New check to warn user if server sends known password to client
New check for RCE in Liferay Portal (CVE-2020-7961)

Updates

Improved detection of SQL Injection

Fixes

Fixed bbcode display issue in some alerts
Fix in Login page password-guessing attack
Fixed licensing issue caused by different case in Target address

v13.0.200401171 - 02 Apr 2020

Copy Link Copy Link

Version 13 (build 13.0.200401171 - Windows and Linux) 2nd April 2020

New Vulnerability Checks

New WordPress plugin checks

Updates

Improved XXE check
Improved internal IP disclosure check
Vulnerabilities detected with 100% Confidence get a Verified stamp

Fixes

Fixed issue with response highlighting for SQL Injection alerts
Fixed AcuMonitor alert notifications not linking to scan
Fixed page not found UI issue when trying to generate a report from Reports page
Fixed issue with scanner looping when parsing specific long JSON responses

v13.0.200326097 - 26 Mar 2020

Copy Link Copy Link

Version 13 (build 13.0.200326097 - Windows and Linux) 26th March 2020

New Features

Introduced support for processing of Swagger 2.0 files during scans
Introduced support for Swagger 2.0 files as import files
New Quarterly scheduled scan option
Users can change their password from the Acunetix UI

New Vulnerability Checks

New check for Weak key used to sign cookie in Play framework
JavaScript Library Audit now supports TinyMCE
New check for BigIP iRule command injection
New check for XSS in .NET session in URL
New check for Remote Code Execution (RCE) in Ruby on Rails (CVE-2019-5420)
New Check for Oracle E-Business Suite Deserialisation RCE
New Check for Oracle E-Business Suite SSRF (CVE-2017-10246)
New Check for Oracle E-Business Suite SSRF (CVE-2018-3167)
New Check for Oracle E-Business Suite SQL Injection (CVE-2017-3549)
New checks for WordPress Core and plugins, Joomla and Drupal

Updates

Minor UI updates
Better reporting of scans interrupted due to network errors
Client Certificate address can now be configured for a Target
HTTP Authentication address can now be configured for a Target
Abort Scan after 25 network errors
Implemented Proof of Exploit for Blind SQL Injection vulnerabilities
Improved showing Scan Duration for long scans
Acunetix can be installed in custom paths
Scan email notifications will include a PDF report if requested at start of scan
Email notifications can be configured for:
- Product updates
- Target notifications
- Scan notifications
- Report notifications
- Monthly status updates

Fixes

Fixed: On Reports page, Target address shows as N/A for Targets that do not have a Description
Fixed issue uploading import files larger than 1mb
Fixed issue whereby some addresses had missing a character in the report
Fixed false positive in Possible server path disclosure
Fixed issue causing the scanner to not following multiple redirects
Fixed 2 scanner crashes
Multiple fixes in WADL parser
Fixed: Case Sensitive Paths settings was sometimes not being taken into consideration
Fixed issue in Possible Sensitive Directories identifying incorrect locations
Fixed issue for users with expired passwords not given the option to change their password

Acunetix Standard & Premium

New Features

New Vulnerability Checks

Updates

Fixes

New Features

New Vulnerability Checks

Updates

Fixes

New Features

New Vulnerability Checks

Updates

Fixes

New Features

New Vulnerability Checks

Updates

Fixes

Updates

Fixes

New Features

New Vulnerability Checks

Updates

Fixes

New Vulnerability Checks

Updates

Fixes

New Vulnerability Checks

Updates

Fixes

New Features

New Vulnerability Checks

Updates

Fixes