Acunetix Premium Changelogs

v14.4.210831180 - 01 Sep 2021

Copy Link Copy Link

Version 14 build 14.4.210831180 for Windows, Linux and macOS – 1st September 2021

Fixes

Fixed: Error when adding new Targets
Fixed: Scanner crash when using a Postman import file

v14.4.210826124 - 26 Aug 2021

Copy Link Copy Link

Version 14 build 14.4.210826124 for Windows, Linux and macOS – 26th August 2021

New Vulnerability checks

New check for Cisco Adaptive Security Appliance (ASA) XSS (CVE-2020-3580)
New check for Jetty Information Disclosure (CVE-2021-34429)
New check for SAP ICF URL redirection Vulnerability

Updates

“AllOf” tag is now handled for Swagger2 schemas
Improved handling of import files for sub-domains and allowed hosts

Fixes

Fixed: Inexistant paths identified by WordPress checks
Fixed: Scanner crashing on specific content

v14.4.210816098 - 16 Aug 2021

Copy Link Copy Link

Version 14 build 14.4.210816098 for Windows, Linux and macOS – 16th August 2021

New Features

Pre-request script support
New Log Data Retention options

New Vulnerability Checks

New check for Oracle E-Business Suite Information Disclosure
New check for Alibaba Nacos Authentication Bypass (CVE-2021-29441)
New check for Gitlab CI Lint SSRF
New check for Gitlab open user registration
New check for Gitlab user disclosure via graphql endpoint
New check for Bitrix galleries_recalc.php XSS
New check for Bitrix open redirect
New check for Jetty ConcatServlet Information Disclosure (CVE-2021-28164)
New check for Jenkins open user registration
New check for Open Mikrotik stats
New check for Open Nuster stats
New check for RethinkDB administrative interface publicly exposed
New check for spring-boot-actuator-logview Path Traversal
New check for Hasura GraphQL API without authentication
New check for ForgeRock OpenAM Deserialization RCE (CVE-2021-29156)
New check for BuddyPress REST API Privilege Escalation
New check for Grandnode Path Traversal (CVE-2019-12276)
New check for SearchBlox Local File Inclusion (CVE-2020-35580)
New check for Zimbra Collaboration Suite SSRF (CVE-2020-7796)
New check for Ghost CMS Theme Preview XSS (CVE-2021-29484)
New check for qdPM Information Disclosure
New checks for vulnerabilities in WordPress Plugins

Updates

Max items shown per page can now be configured
Updated Deepscan to process hashes in URLs
Updated Chromium to v92.0.4512.0
Updated CSV export to include text only details
JavaScript Library Audit now supports merged JavaScript files
Added support for dev tools in standalone LSR
Multiple UI updates
Multiple LSR updates
Target knowledgebase will now be reset when Target settings are changed
Updated Selenium import to support selectFrame
Updated OWASP Top 10 report to include CVSS score
Updated Compliance report to include CWE
Added option to enable debuglogs for all Targets
Optimisations to the Java and Node.js AcuSensors
Improved support for Hapi framework in Node.js AcuSensor
Add support for find-my-way HTTP router in Node.js AcuSensor
Improved ionCube Loader-wizard information disclosure check
Improved cache poisoning DOS checks
Improved detection of Apache Struts2 Remote Command Execution (S2-052)
Improved detection of Directory Traversal vulnerabilities
Added option to skip testing of login form configured for the Target
Improved handling of Custom 404 pages

Fixes

Fixed multiple crashes in the scanner
Fixed issue causing some requests to be done to restricted links
Addressed multiple Deepscan issues
Paused scans can now be Aborted
Fixed XPath Injection false positive
Fixed Bitrix Open Redirect false positive
Fixed Spring Boot Actuator false negative
Fixed issue in .NET Sensor Manager not showing buttons on lower resolutions

v14.3.210628104 - 28 Jun 2021

Copy Link Copy Link

Version 14 build 14.3.210628104 for Windows, Linux and macOS – 28th June 2021

Updates

Target Knowledgebase will be reset when Target Settings are changed
Updated SSL/TLS Certificate expiry threshold notification from 30 days to 60 days

Fixes

Fixed: OWASP compliance report template to not be available in some Editions
Fixed: Some scripts where not observing Excluded paths configured in Target settings

v14.3.210615184 - 17 Jun 2021

Copy Link Copy Link

Version 14 build 14.3.210615184 for Windows, Linux and macOS – 17th June 2021

New Features

New SCA (Software Composition Analysis) for PHP, JAVA, Node.js and .NET web applications. Acunetix will report vulnerable libraries used by the web application when AcuSensor is used

New Vulnerability Checks

New check for SSRF via logo_uri in MITREid Connect (CVE-2021-26715)
New check for Oracle E-Business Suite Information Disclosure
New check for Unauthorized Access to a web app installer
New check for SAML Consumer Service XML entity injection (XXE)
New check for Grav CMS Unauthenticated RCE (CVE-2021-21425)
New check for Outsystems Upload Widget Arbitrary File Uploading (RPD-4310)
New check for Django Debug Toolbar
New check for Joomla Debug Console enabled
New check for Joomla J!Dump extension enabled
New check for Request Smuggling
New check for Unrestricted access to Caddy API interface
New check for Pyramid framework weak secret key
New check for Apache Tapestry Unauthenticated RCE (CVE-2019-0195 and CVE-2021-27850)
New check for Unrestricted access to Spring Eureka dashboard
New check for Unrestricted access to Yahei PHP Probe
New check for Unrestricted access to Envoy Dashboard
New check for Unrestricted access to Traefik2 Dashboard
New check for Dragonfly Arbitrary File Read/Write (CVE-2021-33564)
New check for Oracle E-Business Suite Frame Injection (CVE-2017-3528)
New check for Gitlab CI Lint SSRF
New check for Gitlab open user registration
New check for Gitlab user disclosure via GraphQL

Updates

Updated .NET AcuSensor
.NET AcuSensor can be now deployed from CLI
User is notified when imported URLs are out of scope
Scan events are not shown in json any more
New column for Continuous Scanning in the Targets page
New filter in Targets page to easily identify Targets with debug enabled
Vulnerabilities page shows if the vulnerability was detected by a web or network scan
Merged Add Target and Add Targets options in UI
Custom Field, labels and tags can be configured for Issue Trackers
Platform Admin can now unlock locked accounts
New column in CSV export showing details in text only
Updated the way that AcuSensor token can be updated in the Target Settings
PCI DSS compliance report updated to PCI DSS 3.2.1
Compliance Reports updated to make use of the Comprehensive report template
Browser Dev tools can be used when LSR is started from CLI
Updated XFO check
Multiple UI updates
Improved false positive detection of out of band RCE and argument injection vulnerabilities
Multiple updates to the Postman import implementation
Updated JavaScript Library Audit to support merged JavaScript files

Fixes

HSTS has been enabled for the AcuSensor bridge
Latest Alerts section of Scan results was not updated with AcuMonitor (OOB) vulnerabilities)
The Fragments was not clickable in the site structure
HSTS Best Practices was sometimes being reported multiple times
Fixed HSTS false negative
Fixed issue in the detection of Django 3 weak secret
Fixed issue causing GitHub labels not to be updated when changing Github issue Tracker Project
Fixed encoding issue in Node.js AcuSensor
Fixed issue causing corruption of Target knowledgebase
Fixed DeepScan timeout when processing Prototype JavaScript library
Fixed issue causing outdated JavaScript libraries check not to report external libraries
Fixed issue in Oauth password credentials grant

v14.2.210505179 - 06 May 2021

Copy Link Copy Link

Version 14 build 14.2.210505179 for Windows, Linux and macOS – 6th May 2021

Fixes

Fixed validation errors when sorting vulnerabilities by Issue ID
Fixed issue causing Node.js sensor to fail to start on Node v6
Fixed issue causing some operations to be listed multiple times in Scan Statistics

v14.2.210503151 - 04 May 2021

Copy Link Copy Link

Version 14 build 14.2.210503151 for Windows, Linux and macOS – 4th May 2021

New Features

Acunetix is now available on Docker
New Scan Statistics page for each Scan
Vulnerability information can now be sent to AWS WAF

New Vulnerability Checks

New check for Hashicorp Consul API is accessible without authentication [https://www.consul.io/docs/security]
Multiple new checks for Unrestricted access to a monitoring system
Improvements to JavaScript Library Audit checks
New check for Cisco RV Series Authentication Bypass (CVE-2021-1472)
New check for ntopng Authentication Bypass (CVE-2021-28073)
New check for Agentejo Сockpit CMS resetpassword NoSQLi (CVE-2020-35847)
New check for AppWeb Authentication Bypass (CVE-2018-8715)
New check for Apache OFBiz SOAPService Deserialization RCE (CVE-2021-26295)
New check for F5 iControl REST unauthenticated remote command execution vulnerability (CVE-2021-22986)
New check for Python Debugger Unauthorized Access Vulnerability
New check for Virtual Host locations misconfiguration
New check for Request Smuggling

Updates

Full rows and column selection is now possible in the Excluded Hours page
Updated UI with new Acunetix branding
Issue Tracker ID will be shown for vulnerabilities sent to any Issue Tracker
Issue Trackers can now be restricted to a specific Target Group
Target Description will be sent to the Issue Trackers
Updated Jira integration to support Jira version 9
Multiple updates to the JAVA AcuSensor
Scanning engine will now test cookies on pages which do not have any inputs
The scanner will stop testing cookies which have been found to be vulnerable
Where possible, DOM XSS vulnerabilities will show the code snippet of the vulnerable JavaScript call
CSV Export will now show the Target Address
Maximum size for a custom cookie configured in a Target increased to 4096 characters
New date filter in the Vulnerabilities page
Vulnerability severity now shows text in addition to color coded icon
Multiple updates to the LSR
Added support for BaseUrl / Global Variables in Postman import files

Fixes

Fixed extra CR in Target CSV export
Fixed DeepScan crash
Fixed: Discovery options are only shown to users with “Access All Targets” permission
Fixed: Existing user’s details shown when adding a new user
Fixed a scanner crash
Fixed: Blind XSS check is now part of the XSS scanning profile
Fixed: AcuMonitor checks where not done when scan done by an engineonly installation
Fixed issue causing AcuMonitor not to be registered when using authenticated proxy
Fixed issue when loading vulnerabilities for a Target Group
Fixed issue with Postman importer
Fixed sporadic issue when checking for new Acunetix updates on Mac
Fixed issue in WP XMLRPC pingback check

v14.1.210329187 - 30 Mar 2021

Copy Link Copy Link

Version 14 build 14.1.210329187 for Windows, Linux and macOS – 30th March 2021

Fixes

Fixed issue causing proxy authentication failures
Fixed scanner crash
Fixed indentation in Comprehensive report

v14.1.210324124 - 25 Mar 2021

Copy Link Copy Link

Version 14 build 14.1.210324124 for Windows, Linux and macOS – 25th March 2021

Updates

Updated scanner so that “Restrict scans to import files” is taken into consideration for paths coming from Target knoweldgebase

Fixes

Fixed a scanner crash
Fixed issue in Swagger 3 import feature

Acunetix Standard & Premium

Fixes

New Vulnerability checks

Updates

Fixes

New Features

New Vulnerability Checks

Updates

Fixes

Updates

Fixes

New Features

New Vulnerability Checks

Updates

Fixes

Fixes

New Features

New Vulnerability Checks

Updates

Fixes

Fixes

Updates

Fixes