v24.2.240227118 - 28 Feb 2024
Copy Link
Copy Link
Release build 24.2.240227118 includes bug fixes.
Fixes
- Invitation emails are being sent correctly
- Discovered assets can be correctly assigned to target groups
v24.2.240226074 - 26 Feb 2024
Copy Link
Copy Link
Release build 24.2.240226074 includes a new PCI DSS 4.0 report, the ability to use Aria Roles to provide better coverage, as well as many new security checks. Along with a new navigational experience, we've also made some more improvements and bug fixes.
New features
- Added the ability to use Aria Roles to provide better coverage
- Introduced PCI DSS 4.0 report. Note that PCI DSS 3.2 will reach the end of its support or relevance by the end of March
- .NET IAST now supports .NET 8 (currently in Open Beta)
New security checks
- XXE in Ivanti Connect Secure, Policy Secure and Neurons (CVE-2024-22024)
- Magento 2.0-2.3 End of life
- ColdFusion Access Control bypass (CVE-2023-29298 / CVE-2023-38205)
- ColdFusion XSS (CVE-2023-44352)
- Skype for Business SSRF (CVE-2023-41763)
- VMware Aria Operations for Networks RCE (CVE-2023-20887)
- IBM Aspera Faspex RCE (CVE-2022-47986)
- GeoServer SSRF (CVE-2021-40822)
- WSO2 Management Console XSS (CVE-2022-29548)
- SSRF in Ivanti Connect Secure, Policy Secure and Neurons (CVE-2024-21893)
- LISTSERV XSS (CVE-2022-39195)
- Unrestricted access to MLflow
- KeyCloak Information Disclosure (CVE-2020-27838)
- CloudPanel file-manager Auth bypass (CVE-2023-35885)
- TestRail Information Disclosure (CVE-2021-40875)
- Grafana Snapshot Authentication Bypass (CVE-2021-39226)
- Harbor Unauthorized Access Vulnerability
- Ghost CMS Theme Path Traversal (CVE-2023-32235)
- cPanel XSS (CVE-2023-29489)
- GoAnywhere MFT Authentication Bypass (CVE-2024-0204)
- Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core API Auth bypass (CVE-2023-35082)
- Unauthenticated OGNL injection in Confluence Server and Data Center (CVE-2023-22527)
- Authentication Bypass in Ivanti Connect Secure and Policy Secure (CVE-2023-46805)
- RCE in Ivanti Connect Secure and Policy Secure (CVE-2024-21887)
- GeoServer WMS SSRF (CVE-2023-43795)
- Ivanti Sentry Authentication Bypass (CVE-2023-38035)
- SAP SAP BusinessObjects Business Intelligence Platform XXE (CVE-2022-28213)
- SysAid On-Premise RCE (CVE-2023-47246)
- Multiple ColdFusion WDDX Deserialization RCEs (CVE-2023-44353 / CVE-2023-38203 / CVE-2023-38204)
Improvements
- Updated Chromium to 121.0.6167.139/140
- Improved detection of DOM-based Cross Site Scripting (XSS)
- Improved the way that “Content Security Policy Misconfiguration” alerts are reported
- Improved detection of Client Side Prototype Pollution (CSPP)
- IAST scans will start reporting the IAST sensor version used for the scan
- New column “Result” is shown in the list of scans to provide more details about scan outcome
- Enhanced support for OTP apps by displaying the activation code next to the QR code
- Improved crawling of Single Page Applications (SPA) that are using Ionic Framework
- Added the ability to scan web applications which require browsing in a single browser tab
- Upgraded user experience of in-app notifications – Updated UX of notifications dropdown
- When accessing the application from a different location or browser, all other sessions are promptly terminated. Previously, users were notified, causing inconvenience when working from various locations
Fixes
- Fixed a bug caused by the engine not respecting Cache-Control directive
- In rare situations, a report being generated could have resulted in an Internal server error. This issue has now been fixed
- Fixed several minor user experience issues across the application
- Removed deprecated X-Frame Options check
v24.1.240131143 - 01 Feb 2024
Copy Link
Copy Link
Release build 24.1.240131143 includes support for Java 21 IAST sensor, new security checks, and bug fixes.
New features
- The Java IAST sensor now supports Java 21
New security checks
- Added checks for jslib Lodash (CVE-2020-8203, CVE-2021-23337, CVE-2020-28500, CVE-2019-10744, CVE-2019-1010266, CVE-2018-16487)
Fixes
- Fixed a bug in the processing of technologies
v24.1.240111130 - 11 Jan 2024
Copy Link
Copy Link
Release build 24.1.240111130 includes a new Java 17 IAST sensor, an update for Docker and Linux, as well as many new security checks. Along with a new navigational experience, we've also made some more improvements and bug fixes.
New features
- The Java IAST sensor has been updated to support Java 17 and removes the requirement for AspectJWeaver
- Changes to the mechanism that manages services for Acunetix On-Premises for Docker and Linux (Customers using Acunetix On-Premises for Docker or Linux need to manually update to version 24.1)
New security checks
- Improved Elmah security check to check for variants of Elmah
- OpenCms Chemistry Solr XML External Entity (XXE) (CVE-2023-42346)
- OwnCloud phpinfo Information Disclosure (CVE-2023-49103)
- TorchServe Management API SSRF (CVE-2023-43654)
- Updated vulnerabilities for WordPress Core and WordPress plugins
- Ofbiz PreAuth RCE (CVE-2023-49070)
- F5 BIG-IP Request Smuggling (CVE-2023-46747)
- Sitecore XP TemplateParser RCE (CVE-2023-35813)
- Added a check for SSRF/LFI via PDF generation
- Added a check for file inclusion/path traversal when the response is shown inside a PDF
Improvements
- Updated .NET (core) IAST sensor to hook new functions
- The scanner will now properly report when the protocol (http/https) is changed at the start of the scan
- Increased the size limit to 10kB for supported Client Certificates for authenticated scans
- Updated to Chromium 119.0.6045.199/200
- Users can opt-in to receive a direct download link instead of a PDF report attachment (On-Prem only)
- Improved crawling of Single Page Applications (SPA) that are using React
- Improved crawling of Single Page Applications (SPA) that are using the Angular Framework
- Improved crawling of Single Page Applications (SPA) that are using the Vue.js Framework
- New User Profile design
- A refreshed UI with a new navigational experience
Fixes
- Fixed an issue that was causing some vulnerabilities not to be exported to Amazon AWS WAF
- Fixed a Deepscan and LSR issue caused when a page overrides the standard window.* methods
- Notifications about scans that require manual intervention are now correctly displayed wherever the user is located (On-Prem only)
- Fixed a number of scanner crashes
v23.11.231130164 - 04 Dec 2023
Copy Link
Copy Link
Release build 23.11.231130164 contains a fix for the SSO workflow.
Fixes
- Fixed a bug in the SSO workflow
v23.11.231129195 - 30 Nov 2023
Copy Link
Copy Link
Release build 23.11.231129195 includes several improvements and bug fixes.
Improvements
- Improvements to our Elmah security check
- Improvements for Server Side Template Injection vulnerabilities (SSTI)
- Additional logs for SSO
Fixes
- Fixed a crash on Postman import
- Client Certificate for target import fix
v23.11.231123131 - 23 Nov 2023
Copy Link
Copy Link
Release build 23.11.231123131 includes a fresh color scheme, new features and enhancements to the UI, as well as new security checks, improvements, and bug fixes.
New features
- Every user can now choose which email notifications they receive by setting their individual preferences located in their User Profile
- For Acunetix On-Premises customers, email server settings have been moved under the Settings menu
- You can now open Acunetix on multiple tabs without needing to log in with every new tab you open
- We’ve added CVSS 4.0 scores to some vulnerabilities — You’ll find the CVSS 4.0 score and vector displayed next to the old score (3.1/3.0/2.0, whichever is highest) in the UI and API
- For Acunetix On-Demand customers, user management is now available under Settings > Users & Access. Here you’ll find the user list with some new filter options and a new way to create user accounts by generating an invitation link (the user specifies their own password instead of the administrator).
New security checks
- Added default JWT keys for Apache Superset: CVE-2023-27524
- Cisco IOS XE Web UI Authentication Bypass: CVE-2023-20198
- Cisco IOS XE implant detection: CVE-2023-20198
- Citrix NetScaler Information Disclosure – ‘Citrix Bleed’: CVE-2023-4966
- Confluence Data Center and Server Broken Access Control: CVE-2023-22515
- Craft CMS RCE: CVE-2023-41892
- ZK Framework AuUploader Information Disclosure: CVE-2022-36537
- ActiveMQ OpenWire RCE: CVE-2023-46604
- Juniper Junos OS J-Web RCE: CVE-2023–36845
- Openfire Path Traversal: CVE-2023-32315
- WS_FTP AHT Deserialization RCE: CVE-2023-40044
- Sangfor NGAF Authentication Bypass
- SharePoint Authentication Bypass: CVE-2023–29357
- TeamCity Authentication Bypass:CVE-2023-42793
- Updated detection of exposed installers (Openfire and Chamilo)
Improvements
- Email notifications now have the option to include a direct link for downloading PDF reports. Previously it was necessary to log in to Acunetix to download PDF reports.
- Updated the Chromium Build to 119.0.6045.123/.124
- Enhanced IAST .NET sensor detection capabilities
- Improved location detection when using LSR
- Improved scanner stability for select environments
- Improvements to handling OpenAPI specifications
- Multiple improvements to the SQL Injection vulnerability checks
Fixes
- Fixed an issue that was causing Amazon WAF exports to fail
- PDF reports now display information that was previously being cut off
v23.9.231020153 - 23 Oct 2023
Copy Link
Copy Link
Release build 23.9.231020153 includes new security checks and improvements to the SSL Engine.
New security checks
- New Security Check: CVE-2023-20198
- New Security Check: CVE-2023-22515
Improvements
- Multiple improvements to the SSL Engine
- Improvements to the detection of CVE-2023-27524
- Improvements to the detection of SQL Injection vulnerabilities when using WAFs
v23.9.231013139 - 16 Oct 2023
Copy Link
Copy Link
Release build 23.9.231013139 includes a fix for XML Export and multiple improvements to the SSL Engine.
Fixes
- Fix for XML Export
Improvements
- Multiple improvements to the SSL Engine