Acunetix Standard & Premium

Fixes

• Fixed a bug in the SSO workflow

New features

• Every user can now choose which email notifications they receive by setting their individual preferences located in their User Profile
• For Acunetix On-Premises customers, email server settings have been moved under the Settings menu
• You can now open Acunetix on multiple tabs without needing to log in with every new tab you open
• We’ve added CVSS 4.0 scores to some vulnerabilities — You’ll find the CVSS 4.0 score and vector displayed next to the old score (3.1/3.0/2.0, whichever is highest) in the UI and API
• For Acunetix On-Demand customers, user management is now available under Settings > Users & Access. Here you’ll find the user list with some new filter options and a new way to create user accounts by generating an invitation link (the user specifies their own password instead of the administrator).

New security checks

• Added default JWT keys for Apache Superset: CVE-2023-27524
• Cisco IOS XE Web UI Authentication Bypass: CVE-2023-20198
• Cisco IOS XE implant detection: CVE-2023-20198
• Citrix NetScaler Information Disclosure – ‘Citrix Bleed’: CVE-2023-4966
• Confluence Data Center and Server Broken Access Control: CVE-2023-22515
• Craft CMS RCE: CVE-2023-41892
• ZK Framework AuUploader Information Disclosure: CVE-2022-36537
• ActiveMQ OpenWire RCE: CVE-2023-46604
• Juniper Junos OS J-Web RCE: CVE-2023–36845
• Openfire Path Traversal: CVE-2023-32315
• WS_FTP AHT Deserialization RCE: CVE-2023-40044
• Sangfor NGAF Authentication Bypass
• SharePoint Authentication Bypass: CVE-2023–29357
• TeamCity Authentication Bypass:CVE-2023-42793
• Updated detection of exposed installers (Openfire and Chamilo)

Improvements

• Email notifications now have the option to include a direct link for downloading PDF reports. Previously it was necessary to log in to Acunetix to download PDF reports.
• Updated the Chromium Build to 119.0.6045.123/.124
• Enhanced IAST .NET sensor detection capabilities
• Improved location detection when using LSR
• Improved scanner stability for select environments
• Improvements to handling OpenAPI specifications
• Multiple improvements to the SQL Injection vulnerability checks

Fixes

• Fixed an issue that was causing Amazon WAF exports to fail
• PDF reports now display information that was previously being cut off

Fixes

• Fix for XML Export

Improvements

• Multiple improvements to the SSL Engine

New features

• Added critical severity as a new vulnerability classification and reclassified select high vulnerabilities to critical severity – more information on the Acunetix blog
• Added the ability to specify proxy settings for the Internal Scanning Agent

New security checks

• Acunetix now detects the following SSL vulnerabilities:
• Certificate signed using a weak signature algorithm
• Revoked SSL certificate
• Anonymous ciphers supported
• SSL untrusted root certificate
• Confirm validity of Certificate Authority (CA) signature

Improvements

• Updated the user agent string to Chromium 117
• Updated Chromium to 117.0.5938.63
• Fixed misbehaving scrolling behavior in the LSR recorder screen
• Improved detection of DOM-based XSS vulnerabilities
• Moved license subscription details from the Profile section to Settings > Subscription
• Improvements to DeepScan coverage
• Improvements to the UI during scan configuration
• Set client certificate import default format to PFX

Fixes

• Engine/Open SSL: Fixed scanning sites that require connection with enabled legacy unsafe renegotiation
• Minor UI navigation fixes
• Fixed occasional crash on importing Postman files
• Fixed false positive “ASP.NET expired session IDs are not regenerated“ when <sessionState> section of web.config is encrypted

New features

• Added critical severity as a new vulnerability level (for more information, check out our blog)

New security checks

• Added security check for appwrite SSRF: CVE-2023-27159
• Added security check for Metabase RCE: CVE-2023-38646
• Updated WAF detection
• Added security check for Ivanti EPMM Unauthenticated API Access: CVE-2023-35078
• Added security check for MinIO Information Disclosure: CVE-2023-28432
• Added security check for KeyCloak XSS: CVE-2021-20323
• Added security check for Strapi Cognito provider Auth Bypass: CVE-2023-22893
• Added security check for ServiceNow XSS: CVE-2022-38463
• Added security check for SAP NetWeaver KW XSS: CVE-2021-42063
• Added security check for XProber Information Disclosure
• Added security check for SAP NetWeaver DI SSRF: CVE-2021-33690
• Added security check for open Consul API detection
• Updates to vulnerable WordPress plugins

Improvements

• Upgraded to OpenSSL 3.1.2 (On-Premises only)
• Improved LSR restrictions
• Improved scanning so that repeated links with the same content are not detected
• Improved scanning of recursive relative links
• Crawling improvements by excluding repeated inexistent paths
• When an issue is pushed to the issue tracker, the vulnerability detail shows the issue’s  URL for easier navigation
• Updated the Software Composition Analysis (SCA) database
• IAST – moved the .NET folder from ProgramData\Acunetix to ProgramData\Invicti folder. The Injector.exe (IAST .NET framework automatic installation tool) will force upgrade if an older version of IAST .NET Sensor is installed.

Fixes

• Fixed a bug that was preventing starting a scan from Target Groups
• Fixed a bug that was preventing System Admins from adding targets to Target Groups