Acunetix Premium Changelogs

v12.0.190404166 - 05 Apr 2019

Copy Link Copy Link

Version 12 (build 12.0.190404166 - Windows and Linux) – 5th April 2019

New Vulnerability Checks

Test for Remote code execution in bootstrap-sass 3.2.0.3 (CVE-2019-10842)
Test for Magento (2.2.0 to 2.3.0) Unauthenticated SQL Injection Vulnerability

Updates

Minor update improving efficiency of PerFolder checks
LSR: Disabled spellcheck for fields loaded
Deepscan: Improved exclusion of clicks on logout elements
LSR: clicks on some SVG elements where not being recorded
LSR: Session Pattern Detection now uses session headers provided by webapp

Fixes

Fixed 2 issues causing the scanner to stop unexpectedly
Scan progress was not always correctly saved when scan is paused
Session Pattern Detection was not always using the session headers provided by the webapp

v12.0.190325161 - 26 Mar 2019

Copy Link Copy Link

Version 12 (build 12.0.190325161 - Windows and Linux) – 26th March 2019

New Features

Verified vulnerabilities are now indicated by Acunetix

New Vulnerability Checks

Test for PHP opcache-status page
Test for Arbitrary File Read in Next.js
Test for Nagios XI Magpie_debug.php Unauthenticated RCE (CVE-2018-15708)
Test for Horde Imp Unauthenticated Remote Command Execution
Test for Cisco Identity Service Engine XSS (CVE-2018-15440)
Test for publicly available Apache balancer-manager application
Test for Rails File Content Disclosure in Action View (CVE-2019-5418)
Test for Apache Solr Deserialization of untrusted data via jmx.serviceUrl (CVE-2019-0192)
Added a test for /jolokia
Updated XSS checks to detect vulnerabilities on newer versions of Apache Tomcat
Added new WordPress Core and WordPress Plugins vulnerability checks

Updates

Updated Directory Traversal vulnerability check
Improved detection of Blind SQL Injection
On Linux, OOM Killer will now stop less important processes
Improve handling of XHR requests in Deepscan
Multiple improvements to the LSR and Session detection
Scan Stats are now retained between Pause/Resume
Improved the detection of paths from JSON and XML
Improve techniques used to detect type of input in web form
Multiple minor UI updates

Fixes

Fixed multiple instances of scanner stopping unexpectedly
Fixed false positive reported by WordPress plugin All in One SEO Pack privielege escalation check
Fixed issue causing the same web application to be detected multiple times
Some vulnerability alerts did not show the HTTP Response
Fixed issue causing incorrect processing of default values in forms
HTTP redirects were not being detected
Fixed issue in File Upload XSS vulnerability check
Fixed issue causing PerFolder scripts not to be executed on all folders
Fixed issue causing HAR file importing to fail
Fixed issue causing LSR to fail to load Target with uppercase address
Fixed issue causing SharePoint Reflected Cross-Site Scripting (CVE-2017-8514) not to be reported

v12.0.190227132 - 27 Feb 2019

Copy Link Copy Link

Version 12 (build 12.0.190227132 - Windows and Linux) – 27th February 2019

New Vulnerability Checks

Test for Drupal REST Remote Code Execution (CVE-2019-6340)
Tests for vBulletin 5 routestring Local File Inclusion Vulnerability
Tests for ThinkPHP v5.0.22/5.1.29 Remote Code Execution Vulnerability
Tests for uWSGI Unauthorized Access Vulnerability
Tests for FastGI Unauthorized Access Vulnerability
Test for Typo3 Restler 1.7.0 Local File Disclosure
A number of new vulnerability checks for WordPress Core and Plugins and Drupal Core

Updates

Update Source Code Disclosure checks to prevent False Positives
Unused paths are filtered out from AcuSensor data

Fixes

Fixed false positive in Expression Language Injection vulnerability check
Fixed issue in LSR / Deepscan when processing scripts overriding toJSON on Object

v12.0.190214162 - 15 Feb 2019

Copy Link Copy Link

Version 12 (build 12.0.190214162 - Windows and Linux) – 15th February 2019

Updates

Improved scanning of .NET web applications
Improved processing of CSS files
40% speed improvement when parsing pages
Various updates to WSDL processing

Fixes

Some invalid URLs were being incorrectly reported as external hosts
Fixed issue causing communication problem between scanner and backend
Allowed hosts were not always being scanned
Integrated LSR was not always working on Internet Explorer 11
Fixed LSR display problem when browser window is zoomed or resized
Fixed issue when importing Burp State file

v12.0.190206130 - 07 Feb 2019

Copy Link Copy Link

Version 12 (build 12.0.190206130 - Windows and Linux) – 7th February 2019

New Features

New Integrated Login Sequence Recorder – Login Sequences can be recorded directly from the Acunetix UI
Swagger (JSON and YAML) and WSDL can be used as import files

New Vulnerability checks

New checks for a number of WebBackdoors
New checks for elmah.axd information disclosure
New test for Stack Trace Disclosure in Django
New test for Stack Trace Disclosure in ASP.NET
New test for Stack Trace Disclosure in ColdFusion
New test for Stack Trace Disclosure in Python
New test for Stack Trace Disclosure in Ruby
New test for Stack Trace Disclosure in Tomcat
New test for Stack Trace Disclosure in Grails
New test for Stack Trace Disclosure in Apache MyFaces
New test for Stack Trace Disclosure in Java
New test for Stack Trace Disclosure in GWT
New test for Stack Trace Disclosure in Laravel
New test for Stack Trace Disclosure in Rails
New test for Stack Trace Disclosure in CakePHP
New test for Stack Trace Disclosure in CherryPy
New Directory Listing vulnerability checks
New Error Message vulnerability checks
New test for Oracle Reports RWServlet showenv
New test for Docker Engine API publicly accessible
New test for Docker Registry API publicly accessible
New test for Jenkins server user enumeration
New test for Jenkins server weak credentials
Added the following new tests for Adobe Experience Manager
- Day CQ WCM Debug Filter enabled
- LoginStatusServlet exposed (allows to bruteforce credentials)
- Bruteforce a set of default AEM credentials if LoginStatusServlet is exposed
- QueryBuilderFeedServlet public accessible, sensitive information might be exposed
- Implemented tests for a bunch of SWF files that are exposed by AEM code that are vulnerable to Reflected XSS
- Test if the AEM Groovy Console is publicly accessible. Permits RCE
- Added a test for exposed AEM ACS Tools (a set of tools for AEM developers) – RCE is possible
- Test if GQLServlet is publicly accessible. Sensitive information could be exposed
- Test if Adobe Experience Manager AuditLogServlet is publicly accessible. Audit log records could be exposed
- Test for Server Side Request Forgery (SSRF) via SalesforceSecretServlet (CVE-2018-5006)
- Test for Server Side Request Forgery (SSRF) via ReportingServicesServlet
- Test for Server Side Request Forgery (SSRF) via SiteCatalystServlet was detected

Updates

Improved the scanning of sites using SOAP
Improved parsing of paths
TXT import now takes precedence over excluded paths
Improved the adherence of the scan scope
Improved the detection of the version of WordPress plugins
Improved the automatic session pattern detection in the LSR
LocalStorage / SessionStorage is retained between LSR and Deepscan Sessions

Fixes

Fixed: Scan scope was not always respected
Technology detected during the scan was not being reported
Fixed several scanner unexpected termination issues
Fixed issue causing large PDF reports not to be generated
Fixed: AcuSensor file data is better filtered by scanner

v12.0.190121124 - 22 Jan 2019

Copy Link Copy Link

Version 12 (build 12.0.190121124 - Windows and Linux) – 22nd January 2019

Updates

HTTP response size limit has been increased to 20Mb
Swagger parser now supports yml files

Fixes

Fixed a scanner crash
Fixed: Login Sequence Recorder was not using the User-Agent configured for the Target
Fixed issue causing false positives in ‘User controllable charset’ and ‘User controllable script source’
Fixed issue with BURP state file importer
Fixed: Users could not update an expired POC license

v12.0.181218140 - 18 Dec 2018

Copy Link Copy Link

Version 12 (build 12.0.181218140 - Windows and Linux) – 18th December 2018

New Vulnerability checks

New test for Apache Solr XXE (CVE-2017-12629)
New test for RCE in Spring Security OAuth (CVE-2016-4977)
New test for Apache mod_jk access control bypass (CVE-2018-11759)
New test for Unauthenticated Stored XSS in WordPress Plugin WPML (CVE-2018-18069)
New test for ACME mini_httpd (web server) arbitrary file read (CVE-2018-18778)
New test for OSGi Management Console Default Credentials
New test for Flex BlazeDS AMF Deserialization RCE (CVE-2017-5641)
New test for common misconfigurations in ColdFusion
New test for AMF Deserialization RCE in ColdFusion (CVE-2017-3066)
New test for JNDI injection in ColdFusion (CVE-2018-15957)
New test for unauthenticated File uploading in ColdFusion (CVE-2018-15961)
New WordPress / WordPress plugin vulnerability checks

Updates

Improved the injection of payloads and other improvements in the handling of JSON data
Updated Chromium to fix Chromium vulnerability
Improved web application detection

Fixes

Corrected LSR launch message for Linux installations
Fixed Update License issue on Internet Explorer
Fixed several memory leaks/scanner closing unexpectedly
Fixed issue affecting the processing of some content types
Some cookies were being added multiple times during the scan
Some redirects were not being correctly handled
Some requests generated by the scanner incorrectly contained two backslashes (‘//’)
Fixed issue in the Backup Folders checks going out of scope
Several minor fixes

v12.0.181203110 - 04 Dec 2018

Copy Link Copy Link

Version 12 (Windows build 12.0.181203110, Linux build 12.0.181204095) – 4th December 2018

New features

Deepscan has been updated to make use of Chromium (Windows only – already included in Linux)
Login Sequence Recorder has been updated to make use of Chromium (Windows only – already included in Linux)
Acunetix can now test APIs document using Swagger (Windows only – already included in Linux)
Introduced support for NTLM HTTP Authentication on Linux release (already included on Windows)
Introduced support for Kerberos HTTP Authentication (Windows only)

New vulnerability checks

A huge update increasing the detection of Stored XSS
New test for possible file creation using the HTTP PUT method
New test for Apache Tomcat Remote Code Execution Vulnerability (CVE-2017-12615)
New test for Ektron Content Management System (CMS) 9.20 SP2, remote re-enabling users (CVE-2018–12596)
New test for httpoxy vulnerability
New test checks if CouchDB REST API is publicly accessible
New test checks if CouchDB is vulnerable to Remote Privilege Escalation resulting in Remote Code Execution (CVE-2017-12635)
New test for Apache ActiveMQ default credentials
New test for Node.js Path validation vulnerability (CVE-2017-14849)
New test for GoAhead web server RCE via unsafe environment initialization of forked CGI scripts (CVE-2017-17562)
New test for publicly accessible Hadoop YARN ResourceManager WebUI
New test for jQuery-File-Upload <= v9.22.0 unauthenticated arbitrary file upload vulnerability
New test looks for Google Firebase Databases URLs in the response and checks if the Firebase Databases are accessible without authentication
New test for Oracle WebLogic Remote Code Execution vulnerability via T3 (CVE-2018-3245)
New test for Oracle WebLogic Authentication Bypass vulnerability (CVE-2018-2894)
New test checks if Jupyter Notebook is publicly accessible
New test for Apache Log4j socket receiver deserialization vulnerability
New test for NGINX range filter integer overflow (CVE-2017-7529)
New test for Xdebug remote code execution via xdebug.remote_connect_back
Numerous new checks for WordPress Core, WordPress plugins, Joomla Core and Drupal Core.

Updates

Numerous memory management improvements
Multiple updates to LSR and session detection improving scanning of restricted areas
Improved speed of SQL Injection vulnerability checks
The new LSR / Deepscan will improve support of JavaScript rich sites
Added mock geo-location support to support scanning sites that require geo-location
Improved analysis of XML and JSON

Fixes

Fixed scanner crash when scan was resumed from paused state
Fixed some issues in the handling of cookies
Custom cookies were not always used
Content-Type header was not always being sent. This affected the detection of some vulnerabilities
Fixed a false positive in SSL weak key length vulnerability check
Fixed issue in the Social Security Number and Credit Card number check
Fixed issue with AcuSensor download on Linux release
Fixed issue causing scans to be aborted when server returns an invalid charset
Fixed a number of other issues causing the scanner to close unexpectedly
Sensitive and Backup files were not being checked for in the site root
Fixed issue with jquery version extractor
Fixed 2 internally reported security issues
Fixed issue with re-installation of Linux installations

v12.0.181115088 - 15 Nov 2018

Copy Link Copy Link

Version 12 (Linux release build 12.0.181115088) – 15th November 2018

New Features

Acunetix release for Linux
Acunetix can now test APIs document using Swagger
Deepscan has been updated to make use of Chromium
Login Sequence Recorder has been updated to make use of Chromium

Acunetix Standard & Premium

New Vulnerability Checks

Updates

Fixes

New Features

New Vulnerability Checks

Updates

Fixes

New Vulnerability Checks

Updates

Fixes

Updates

Fixes

New Features

New Vulnerability checks

Updates

Fixes

Updates

Fixes

New Vulnerability checks

Updates

Fixes

New features

New vulnerability checks

Updates

Fixes

New Features