Acunetix Standard & Premium

New Features

• API Discovery now supports retrieving OpenAPI/Swagger specs from Azure API Management → Learn more
• Added support for automated use of OTP in scans, enabling seamless scanning of 2FA-enabled web applications → Learn more
• API Discovery now supports working with RAML specs from Mulesoft Anypoint Exchange

Improvements

• Added the latest checks for outdated technology versions
• Optimised various Directory tests to make less HTTP requests
• DeepScan update which improves scan coverage and consistency
• Minor UI improvements across the app
• Removed redundant configuration option in API Discovery integration with Amazon API Gateway

Fixes

• Fixed a single occurrence edge case when a scan was crashing
• Fixed incorrectly reporting Application Build in RuntimeSCA reports

API Changes

• Corrected the baseURL for EU customers in our API documentation

New Security Checks

• Added check for CVE-2024-6842

Improvements

• Upgraded to OpenSSL
• Updates to technologies and fingerprints

New Security Check

• Apache OFBiz RCE (CVE-2024-45195)

• Apache OfBiz Authz Bypass (CVE-2024-36104, CVE-2024-38856)

Improvements

• Updated Chromium to v128.0.3316.119/.120

• Improved support for GraphQL when described in introspection JSON

• The upgraded Scan Details page is now enabled for On-Premises customers as well → Learn more

• Using API Discovery On-Premises, the admin can specify a destination URL for the Network Traffic Analyzer connection

Fixes

• Fixed a false positive in the Solr Injection check

• Resolved a rare case where the vulnerability detail was not loading properly on the new Scan Details page

• Runtime SCA PDF reports are now being generated correctly

• The scan end timestamp is now loading properly on the new Scan Details page

New Features

• Added support for Apache Tomcat 11 in JAVA IAST sensor
• RAML API specs can now be uploaded to extend the coverage of API scanning → Learn more
• Implemented support for scanning HTTP/2 websites
• Runtime SCA findings are now available on the Scan Details page (Acunetix Online only, On-Premises coming soon)
• A new scan report for SCA is now available → Learn more

New Security Checks

• Next.js image Blind SSRF
• SolarWinds Web Help Desk RCE (CVE-2024-28986)
• Apache HTTP Server Confusion Attacks (CVE-2024-38472, CVE-2024-39573, CVE-2024-38477, CVE-2024-38476, CVE-2024-38475, CVE-2024-38474, CVE-2024-38473, CVE-2023-38709)
• Jelly Template Injection Vulnerability in ServiceNow UI Macros (CVE-2024-4879, CVE-2024-5217)
• SuiteCRM SQL Injection (CVE-2024-36412)
• Odoo XSS (CVE-2023-1434)
• Mura/Masa CMS JSON API RCE
• Lucee CF_CLIENT_ RCE
• Lucee Stacktrace Information Disclosure
• Lucee Unset Admin Password
• Updated WordPress plugins vulnerabilities database
• GeoServer RCE (CVE-2024-36401)

Improvements

• Minor cosmetic UI/UX issues have been addressed across the app
• Updated list of exposed web installers reported
• The Scan Details screen for reviewing scan results has been modernized and upgraded
• Improved testing of path fragments
• The agent status now shows ‘Unknown’ instead of ‘Error’ when the agent hasn’t shared its status for some time
• API Discovery: Added the ability to start scans directly from the list of discovered and linked APIs
• API Discovery: Added functionality to change the base URL of an already linked API
• Updated scanner to handle security definitions within Swagger

Fixes

• Updated the scanner to use default scan speed settings when scan speed settings are missing
• Fixed a false positive in the detection of Possible Virtual Host Found
• Fixed a false positive in the detection of CVE-2024-6387