v24.8.240828144 - 29 Aug 2024
Release build 24.8.240828144 includes new features, new security checks, improvements, and bug fixes.
New Features
- Added support for Apache Tomcat 11 in the Java IAST sensor
- RAML API specs can now be uploaded to extend the coverage of API scanning
- Implemented support for scanning HTTP/2 websites
- Runtime SCA findings are now available on the Scan Details page (Acunetix Online only, On-Premises coming soon)
- A new scan report for SCA is now available
New Security Checks
- Next.js image Blind SSRF
- SolarWinds Web Help Desk RCE (CVE-2024-28986)
- Apache HTTP Server Confusion Attacks (CVE-2024-38472, CVE-2024-39573, CVE-2024-38477, CVE-2024-38476, CVE-2024-38475, CVE-2024-38474, CVE-2024-38473, CVE-2023-38709)
- Jelly Template Injection Vulnerability in ServiceNow UI Macros (CVE-2024-4879, CVE-2024-5217)
- SuiteCRM SQL Injection (CVE-2024-36412)
- Odoo XSS (CVE-2023-1434)
- Mura/Masa CMS JSON API RCE
- Lucee CF_CLIENT_ RCE
- Lucee Stacktrace Information Disclosure
- Lucee Unset Admin Password
- Updated WordPress plugins vulnerabilities database
- GeoServer RCE (CVE-2024-36401)
Improvements
- Minor cosmetic UI/UX issues have been addressed across the app
- Updated the list of reported exposed web installers
- The Scan Details screen for reviewing scan results has been modernized and upgraded
- Improved testing of path fragments
- The agent status now shows ‘Unknown’ instead of ‘Error’ when the agent hasn’t shared its status for some time
- API Discovery: Added the ability to start scans directly from the list of discovered and linked APIs
- API Discovery: Added functionality to change the base URL of an already linked API
- Updated scanner to handle security definitions within Swagger
Fixes
- Updated the scanner to use default scan speed settings when scan speed settings are missing
- Fixed a false positive in the detection of Possible Virtual Host Found
- Fixed a false positive in the detection of CVE-2024-6387