Acunetix Premium Changelogs

v24.8.240828144 - 29 Aug 2024

Copy Link Copy Link

Release build 24.8.240828144 includes new features and security checks, improvements, and bug fixed.

New Features

Added support for Apache Tomcat 11 in JAVA IAST sensor
RAML API specs can now be uploaded to extend the coverage of API scanning → Learn more
Implemented support for scanning HTTP/2 websites
Runtime SCA findings are now available on the Scan Details page (Acunetix Online only, On-Premises coming soon)
A new scan report for SCA is now available → Learn more

New Security Checks

Next.js image Blind SSRF
SolarWinds Web Help Desk RCE (CVE-2024-28986)
Apache HTTP Server Confusion Attacks (CVE-2024-38472, CVE-2024-39573, CVE-2024-38477, CVE-2024-38476, CVE-2024-38475, CVE-2024-38474, CVE-2024-38473, CVE-2023-38709)
Jelly Template Injection Vulnerability in ServiceNow UI Macros (CVE-2024-4879, CVE-2024-5217)
SuiteCRM SQL Injection (CVE-2024-36412)
Odoo XSS (CVE-2023-1434)
Mura/Masa CMS JSON API RCE
Lucee CF_CLIENT_ RCE
Lucee Stacktrace Information Disclosure
Lucee Unset Admin Password
Updated WordPress plugins vulnerabilities database
GeoServer RCE (CVE-2024-36401)

Improvements

Minor cosmetic UI/UX issues have been addressed across the app
Updated list of exposed web installers reported
The Scan Details screen for reviewing scan results has been modernized and upgraded
Improved testing of path fragments
The agent status now shows ‘Unknown’ instead of ‘Error’ when the agent hasn’t shared its status for some time
API Discovery: Added the ability to start scans directly from the list of discovered and linked APIs
API Discovery: Added functionality to change the base URL of an already linked API
Updated scanner to handle security definitions within Swagger

Fixes

Updated the scanner to use default scan speed settings when scan speed settings are missing
Fixed a false positive in the detection of Possible Virtual Host Found
Fixed a false positive in the detection of CVE-2024-6387

v24.7.1 - 24 Jul 2024

Copy Link Copy Link

This release includes a new security check and a fix for a false positive detection.

New Security Checks

Added detection for Mura Masa SQLi (CVE-2024-32640)

Fixes

Fixed a False Positive on the ‘Broken access control in Confluence Server and Data Center’ vulnerability (CVE-2023-22515)

v24.7.240716084 - 16 Jul 2024

Copy Link Copy Link

Release build 24.7.240716084 includes a new feature, new security checks, improvements, and bug fixes.

New Features

Invicti API Security: multi-layered API discovery to enable comprehensive identification of known and undocumented APIs → Learn more

New security checks

Argo CD Information Disclosure (CVE-2024-37152)
Apache OFBiz SSRF (CVE-2023-50968)
Apache OFBiz RCE (CVE-2024-32113)

Improvements

Scanner: Improved processing of large files
Added support for HTTP/2 requests in Burp state import files
.NET IAST Sensor: Added support for Engine.Razor functions
Improved XFS checks
Improvements to the new Scan Detail page (Early Access)

Fixes

Minor UI/UX fixes across the application

v24.6.240701143 - 02 Jul 2024

Copy Link Copy Link

Release build 24.6.240701143 is for a Discovery service bug fix and new security checks.

Security Checks

Remote Unauthenticated Code Execution Vulnerability in the OpenSSH server (CVE-2024-6387)
Magento XXE (CVE-2024-34102)

Fixes

Fixed an issue with the Discovery service in On-Premises environments

v24.6.240626115 - 27 Jun 2024

Copy Link Copy Link

Release build 24.6.240626115 includes improved detection of DOM XSS vulnerabilities, , security features, improvements, and bug fixes.

New Features

Security checks can now be auto-updated without requiring a full product update

New Security Checks

SolarWinds Serv-U directory transversal (CVE-2024-28995)
Ivanti EPM SQL Injection / RCE (CVE-2024-29824)
Rejetto HTTP File Server SSTI / RCE (CVE-2024-23692)
PHP CGI Argument Injection (CVE-2024-4577)
Telerik Report Server – Authentication Bypass (CVE-2024-4358)
Added a new security check to identify supply chain attacks through Polyfill JS.

Improvements

Added a notification in the UI to inform users when their account does not have any permissions set up yet (Acunetix Premium+)
Updated the Scan Details page user experience with RuntimeSCA reporting (available to Early Access customers)
Improved detection of DOM XSS vulnerabilities
.NET Core IAST sensor – added hooking for System.Xml functions
Improved detection of Open Redirect vulnerabilities
Improved descriptions for verified vulnerabilities
Added a notification to the activity log when the engine is unable to communicate with the SCA service

Fixes

Fixed the issue that was causing the BLR to fail on Sequential/Slow scans
Fixed the issue that was causing duplicates in the sitemap
Logon banner messages (when configured) now display properly on the login page (Acunetix On-Premises)

v24.5.240604185 - 05 Jun 2024

Copy Link Copy Link

Release build 24.5.240604185 (Windows + Linux) enables Predictive Risk Scoring for Acunetix On-Premises.

New features

Predictive Risk Scoring is now available in Acunetix On-Premises – prioritize your web asset discovery results according to their potential risk before you scan them. Learn more in our Introduction to Predictive Risk Scoring and guide to Utilizing Predictive Risk Scoring

v24.5.240529155 - 30 May 2024

Copy Link Copy Link

Release build 24.5.240529155 includes added hooking for some functions in the .NET Core IAST sensor, new security checks, improvements, and bug fixes.

New Features

Adding hooking for the following functions in the .NET Core IAST sensor:
- System.Net.WebRequest
- System.AppDomain
- System.Type
- System.DirectoryServices
- MySql.Data.MySqlClient.MySqlDataAdapter
- SqlDataAdapter

New Security Checks

GlobalProtect PAN-OS RCE (CVE-2024-3400)
CrushFTP SSTI (CVE-2024-4040)
PaperCut NG/MF Path Traversal (CVE-2023-39143)
Fortinet Out-Of-Bound Memory Write RCE (CVE-2024-21762)
Flowise Authentication Bypass (CVE-2024-31621)
CData Jetty Path Traversal (CVE-2024-31848/CVE-2024-31849/CVE-2024-31850/CVE-2024-31851)

Improvements

Further improvements in scanning of APIs
Improved support for sites making use of HSTS
Improved coverage of Single Page Applications (SPAs) using Next.js
Improvement in SQL Injection checks
Updated the list of known weak JWT secret keys
Updated Chromium to 125.0.6422.76

Fixes

Minor usability enhancements and fixes based on user feedback
Fixed an issue that was causing a temporary hang of the LSR on certain sites
Fixed an issue when OpenVAS network scan didn’t get executed properly

v24.4.240514098 - 16 May 2024

Copy Link Copy Link

Release build 24.4.240514098 includes multiple engine improvements, new security checks, and updates to several existing security checks.

New security checks

Added check for PaperCut Path Trav (CVE-2023-39143)
Added check for CrushFTP SSTI (CVE-2024-4040)
Added check for GlobalProtect PAN-OS RCE (CVE-2024-3400)
Added check for D-Link NAS RCE (CVE-2024-3273)

Improvements

Multiple engine improvements on long scans
Updates to WordPress checks
Improved XSS detection
Improved SQL injection detection

v24.4.240427095 - 30 Apr 2024

Copy Link Copy Link

Release build 24.4.240427095 includes a new feature, numerous security checks, enhancements, and multiple bug fixes.

New features

Added the ability to link an API definition URL for adding paths to a target before scanning. Read more about how to add paths to targets and how this helps scanning.

New security checks

XWiki Platform RCE (CVE-2023-37462)
Dolibarr DB Theft (CVE-2023-33568)
ChatGPT-Next-Web SSRF (CVE-2023-49785)
OpenMetadata Auth Bypass (CVE-2024-28255)
Progress Kemp LoadMaster RCE (CVE-2024-1212)
Coldfusion Arbitrary File Read (CVE-2024-20767)

Improvements

Fixed the password reset tool for Windows for Acunetix On-Premises
.NET Core IAST Sensor: Removed dependency on NLog
Various improvements in Deepscan, lessening the time to process pages / SPAs
Deepscan updated to not interact with Google Maps
Updated detection for monitoring systems
Updated detection of web installers

Fixes

Correct warning is now displayed when attempting to add more than permitted target variations
Addressed several usability and design issues across application settings
Fixed a possible problem starting OpenVAS scans with Acunetix On-Premises
Design updates for User settings in Acunetix Online
Fixed an issue in the PHP sensor affecting PHP 8.1+ web applications
For users in a User Group, target group assignment is properly applied under all scenarios
Fixed a user permission issue when using custom roles
Invite emails from Acunetix On-Premises for Linux are properly displaying content now
Fixed the OOM (out of memory) problem when processing large PDF files

Acunetix Standard & Premium

New Features

New Security Checks

Improvements

Fixes

New Security Checks

Fixes

New Features

New security checks

Improvements

Fixes

Security Checks

Fixes

New Features

New Security Checks

Improvements

Fixes

New features

New Features

New Security Checks

Improvements

Fixes

New security checks

Improvements

New features

New security checks

Improvements

Fixes