v15.3.230126173 - 30 Jan 2023
Copy Link
Copy Link
Version 15 build 15.3.230126173 for Windows and Linux – 30 January 2023
Fixes
- Fixed the Linux installations for updating issues.
v15.3.230123162 - 24 Jan 2023
Copy Link
Copy Link
Version 15 build 15.3.230123162 for Windows and Linux – 23 January 2023
New security checks
- Added SAML anonymous assertion consumer service audit for XML external entity injection, XSLT, Server-side request forgery, and Cross-site scripting.
- Added a SAML signature audit to test attacks on signature verification.
- Added various checks for Content Security Policy misconfiguration.
- New security check for ASP.NET core development mode.
- Updated the WordPress core vulnerabilities.
- Updated the WordPress plugin vulnerabilities.
Improvements
- Updated .NET IAST Sensor to detect a number of server-side configuration problems which may result in a security vulnerability.
- Improved the JSON payload tests.
- Updated JWT secrets dictionary.
Fixes
- Fixed a bug in the PHP IAST sensor when reporting arrays to the scanner.
- Fixed the scan summary page that failed to show some of the results.
- Fixed issues in the UI Notifications causing them to be unactionable.
- Fixed a problem that caused the LSR to show the mobile version for some sites incorrectly.
- Fixed .NET sensor issue that returns the root applications (website’s root) files although the sensor is enabled for sub-application.
- Fixed the version information shown on the user interface after the update.
- Fixed the routing issue for .NET Framework ASP.NET Web API because of compatibility issues.
- Improved the login sequence recorder notification that informs users when the response max size limit is exceeded.
- Fixed issue with pagination on the vulnerabilities page.
- Fixed the crawler issue that the page becomes unresponsive when it contains many elements.
v15.2.221208162 - 12 Dec 2022
Copy Link
Copy Link
Version 15 build 15.2.221208162 for Windows and Linux – 12 December 2022
New security checks
- Updated the WordPress plugin vulnerabilities.
- Added the AjaxPro.NET Professional Deserialization RCE (CVE-2021-23758).
- Improved the out-of-band detection.
Improvements
- Added ability to send HTTP requests to pre-request scripts.
- Various DeepScan improvements, generally improving the processing of JavaScript-rich web applications.
- Updated the embedded Chromium browser to v108.0.5359.71.
- Implemented the scan id to limit the caching, such as file list and libraries, to a scan.
- Improved the performance of alert transmission for AcuSensor.
Fixes
- Fixed the MongoDB injection and removed JSON parsing from the feature extraction library to avoid scan crashes.
- Fixed the issue that sent bogus report because of inconsistent last scan id.
- Improved the Pre-request script to send an HTTP job.
- Fixed the formatting issue for vulnerabilities exported to GitHub Issues.
- Fixed the unhandled exception that the IAST Bridge throws.
- Fixed the business logic recorder issue that failed to replay the logic sequence recorder.
- Fixed the issue that the custom scripts folder was not created during the installation.
- Fixed the issue that failed to show the Chinese on some headings when switched to Chinese.
- Fixed the manual intervention required information box that began to appear in the notification bar instead of being displayed as a dialog box.
- Added cURL as a backup if NSLookup is not present.
- Fixed the Jira integration that failed to create the epic issues.
- Fixed the issue that long scan names overlap with the AcuSensor icon.
- Fixed the issue that the authorization bearer was not used throughout the scan.
v15.1.221109177 - 10 Nov 2022
Copy Link
Copy Link
Version 15 build 15.1.221109177 for Windows and Linux – 10 November 2022
New features
- New navigation menu for a better user experience.
- Notification updates are shown for the last 30 days
New vulnerability checks
- New check for Swagger UI DOM XSS vulnerability.
- New test for Fortinet Authentication bypass on the administrative interface (CVE-2022-40684).
- New test for Insecure usage of Version 1 UUID/GUID.
- New test for Text4shell: Apache Commons Text RCE via insecure interpolation (CVE-2022-42889).
- New test for OpenSSL X.509 Email Address Buffer Overflows (CVE-2022-3786).
- Updated test for Open Monitoring Interfaces.
- Updated the software composition analysis database.
- Updated the WordPress plugin vulnerabilities.
Updates
- Updated the embedded Chromium browser to v107.0.5304.87/88.
- Updated how scans reaching max scan time are displayed in UI.
- Updated Issue Tracker UI to accept internal URLs.
- Improved Log4J checks to reduce false positives.
Fixes
- Fixed the issue causing the IAST bridge to fail to send responses to the sensor when large packets are received from the sensor.
- Added loopback routes that returned ‘undefined’ as an HTTP method.
- Added the keep connection alive message between AcuSensor and the web application scanner to keep the connection alive.
v15.0.221007170 - 13 Oct 2022
Copy Link
Copy Link
Version 15 build 15.0.221007170 for Windows and Linux – 13th October 2022
Note: There will be no new updates of the MacOS on premise installations. MacOS users can switch to Acunetix Premium Online, or use Acunetix On Premise in a virtual environment or on Docker.
New Features
- Acunetix can now be installed on Redhat Enterprise Linux (RHEL) 9
New Vulnerability checks
- Added check for Permissions-Policy header
- Added check for unrestricted access to Karma monitoring interface
- Added check for Go web application binary disclosure
Updates
- SCA: Improved the detection of components used by JAVA web application
- Updated to Chromium v106.0.5249.61
- Updated PHP AcuSensor to better support web applications using the Slim Framework
- Improved support for HTTP calls from Axios
- Updated CWE Top 25 Most Dangerous Software Weaknesses to 2022 list of weaknesses
- Scan results and scan reports will include the Acunetix version used to conduct the scan
- Updated PHP sensor to report MongoDB injection
- Updated PHP sensor to report Server-side Template Injection (SSTI)
- Increased the detection of default GraphQL Introspection URLs
- Implemented heartbeat for connections between scanner and AcuSensor bridge
- Multiple DeepScan updates
- Improved the auditing of JavaScript Libraries
Fixes
- Fixed issue which might cause Blind SSRF in the Issue Tracker and Proxy configuration
- Fixed 3 authorization problems
- Fixed memory exhaustion bug in Heuristic Links Verifier
- Fixed: Malware was being reported when invalid / unknown malware was reported by Windows Defender
- Fixed some crashes in the scanner
- Updated Network scans to not abort if initial ICMP ping fails
- Fixed error when sending vulnerabilities to Jira Issue Tracker
- Fixed UI error when filtering vulnerabilities by time
v14.9.220913107 - 14 Sep 2022
Copy Link
Copy Link
Version 14 build 14.9.220913107 for Windows, Linux and macOS – 14th September 2022
Updates
- Updated to Chromium 105.0.5195.102
Fixes
- Fixed DeepScan issue
v14.9.220830118 - 30 Aug 2022
Copy Link
Copy Link
Version 14 build 14.9.220830118 for Windows, Linux and macOS – 30th August 2022
New Features
- Added support for the Zend Framework in the PHP IAST AcuSensor
New Vulnerability Checks
- New check for Oracle E-Business Suite iStore open user registration
- New check for InfluxDB Unauthorized Access Vulnerability
- New check for Bonita Authorization Bypass (CVE-2022-25237)
- New check for Oracle ADF Faces ‘Miracle’ RCE (CVE-2022-21445)
Updates
- Various DeepScan Improvements
- Updated to Chromium 104.0.5112.101 (Linux) / 104.0.5112.102 (Windows)
- Improved XSS in URI (folder/file)
- Improved handling of SourceMaps
- Updated exposed web installers check
- Updated exposed development files check
- Updated exposed monitoring systems check
Fixes
- Fixed issue in the PHP IAST AcuSensor when reporting SCA components
- Fixed scanner crash
v14.9.220713150 - 14 Jul 2022
Copy Link
Copy Link
Version 14 build 14.9.220713150 for Windows, Linux and macOS – 14th July 2022
New features
- JAVA IAST AcuSensor can now be used on WebSphere
- HTTP requests can be copied as Curl command from the vulnerability data
New vulnerability checks
- New check for DotCMS unrestricted file upload (CVE-2022-26352)
- New check for .NET JSON.NET Deserialization RCE
- New check for Unauthenticated RCE in Confluence Server and Data Center (CVE-2022-26134)
- New check for Authentication bypass via MongoDB operator injection
- New check for MongoDB $where operator JavaScript injection
Updates
- Multiple DeepScan updates improving crawling of Single Page Applications (SPAs)
- Upgraded Chromium to v103.0.5060.114
- Improved handling of installed.json by PHP IAST AcuSensor
- SCA, AcuMonitor (OOB vulnerability checks) and URL malware checks now require the “Acunetix Online Services” to be enabled in the user profile
- Updated the MongoDB Injection checks
- Various UI updates and fixes
Fixes
- Multiple fixes in the JAVA and .NET IAST AcuSensors
- Fixed false negative in “Possible virtual host found”
- Fixed bug causing CSRF tokens to be retrieved using HTTP
- Fixed false positive in “Apache HTTP Server Source Code Disclosure”
v14.8.220610146 - 13 Jun 2022
Copy Link
Copy Link
Version 14 build 14.8.220610146 for Linux (only) – 13th June 2022
Fixes
- Fixed issue when using Acunetix on Amazon Linux 2