Acunetix 更新紀錄

v15.3.1.230126173 – 30 Jan 2023 (Linux Only)

Fixes

  • Fixed the Linux installations for updating issues.

v15.3.230123162 – 24 Jan 2023

New security checks

  • Added SAML anonymous assertion consumer service audit for XML external entity injection, XSLT, Server-side request forgery, and Cross-site scripting.
  • Added a SAML signature audit to test attacks on signature verification.
  • Added various checks for Content Security Policy misconfiguration.
  • New security check for ASP.NET core development mode.
  • Updated the WordPress core vulnerabilities.
  • Updated the WordPress plugin vulnerabilities.

Improvements

  • Updated .NET IAST Sensor to detect a number of server-side configuration problems which may result in a security vulnerability.
  • Improved the JSON payload tests.
  • Updated JWT secrets dictionary.

Fixes

  • Fixed a bug in the PHP IAST sensor when reporting arrays to the scanner.
  • Fixed the scan summary page that failed to show some of the results.
  • Fixed issues in the UI Notifications causing them to be unactionable.
  • Fixed a problem that caused the LSR to show the mobile version for some sites incorrectly.
  • Fixed .NET sensor issue that returns the root applications (website’s root) files although the sensor is enabled for sub-application.
  • Fixed the version information shown on the user interface after the update.
  • Fixed the routing issue for .NET Framework ASP.NET Web API because of compatibility issues.
  • Improved the login sequence recorder notification that informs users when the response max size limit is exceeded.
  • Fixed issue with pagination on the vulnerabilities page.
  • Fixed the crawler issue that the page becomes unresponsive when it contains many elements.

v15.2.221208162 – 13 Dec 2022

New security checks

  • Updated the WordPress plugin vulnerabilities.
  • Added the AjaxPro.NET Professional Deserialization RCE (CVE-2021-23758).
  • Improved the out-of-band detection.

Improvements

  • Added ability to send HTTP requests to pre-request scripts.
  • Various DeepScan improvements, generally improving the processing of JavaScript-rich web applications.
  • Updated the embedded Chromium browser to v108.0.5359.71.
  • Implemented the scan id to limit the caching, such as file list and libraries, to a scan.
  • Improved the performance of alert transmission for AcuSensor.

Fixes

  • Fixed the MongoDB injection and removed JSON parsing from the feature extraction library to avoid scan crashes.
  • Fixed the issue that sent bogus report because of inconsistent last scan id.
  • Improved the Pre-request script to send an HTTP job.
  • Fixed the formatting issue for vulnerabilities exported to GitHub Issues.
  • Fixed the unhandled exception that the IAST Bridge throws.
  • Fixed the business logic recorder issue that failed to replay the logic sequence recorder.
  • Fixed the issue that the custom scripts folder was not created during the installation.
  • Fixed the issue that failed to show the Chinese on some headings when switched to Chinese.
  • Fixed the manual intervention required information box that began to appear in the notification bar instead of being displayed as a dialog box.
  • Added cURL as a backup if NSLookup is not present.
  • Fixed the Jira integration that failed to create the epic issues.
  • Fixed the issue that long scan names overlap with the AcuSensor icon.
  • Fixed the issue that the authorization bearer was not used throughout the scan.

v15.1.221109177 – 10 Nov 2022

New features

  • New navigation menu for a better user experience.
  • Notification updates are shown for the last 30 days

New vulnerability checks

Updates

  • Updated the embedded Chromium browser to v107.0.5304.87/88.
  • Updated how scans reaching max scan time are displayed in UI.
  • Updated Issue Tracker UI to accept internal URLs.
  • Improved Log4J checks to reduce false positives.

Fixes

  • Fixed the issue causing the IAST bridge to fail to send responses to the sensor when large packets are received from the sensor.
  • Added loopback routes that returned ‘undefined’ as an HTTP method.
  • Added the keep connection alive message between AcuSensor and the web application scanner to keep the connection alive.

v15.0.221007170 – 13 Oct 2022

Note: There will be no new updates of the MacOS on premise installations. MacOS users can switch to Acunetix Premium Online, or use Acunetix On Premise in a virtual environment or on Docker.

New Features

New Vulnerability checks

  • Added check for Permissions-Policy header
  • Added check for unrestricted access to Karma monitoring interface
  • Added check for Go web application binary disclosure

Updates

  • SCA: Improved the detection of components used by JAVA web application
  • Updated to Chromium v106.0.5249.61
  • Updated PHP AcuSensor to better support web applications using the Slim Framework
  • Improved support for HTTP calls from Axios
  • Updated CWE Top 25 Most Dangerous Software Weaknesses to 2022 list of weaknesses
  • Scan results and scan reports will include the Acunetix version used to conduct the scan
  • Updated PHP sensor to report MongoDB injection
  • Updated PHP sensor to report Server-side Template Injection (SSTI)
  • Increased the detection of default GraphQL Introspection URLs
  • Implemented heartbeat for connections between scanner and AcuSensor bridge
  • Multiple DeepScan updates
  • Improved the auditing of JavaScript Libraries

Fixes

  • Fixed issue which might cause Blind SSRF in the Issue Tracker and Proxy configuration
  • Fixed 3 authorization problems
  • Fixed memory exhaustion bug in Heuristic Links Verifier
  • Fixed: Malware was being reported when invalid / unknown malware was reported by Windows Defender
  • Fixed some crashes in the scanner
  • Updated Network scans to not abort if initial ICMP ping fails
  • Fixed error when sending vulnerabilities to Jira Issue Tracker
  • Fixed UI error when filtering vulnerabilities by time

v14.9.220913107 – 14 Sep 2022

Updates

  • Updated to Chromium 105.0.5195.102

Fixes

  • Fixed DeepScan issue

v14.9.220830118 – 30 Aug 2022

New Features

  • Added support for the Zend Framework in the PHP IAST AcuSensor

New Vulnerability Checks

Updates

  • Various DeepScan Improvements
  • Updated to Chromium 104.0.5112.101 (Linux) / 104.0.5112.102 (Windows)
  • Improved XSS in URI (folder/file)
  • Improved handling of SourceMaps
  • Updated exposed web installers check
  • Updated exposed development files check
  • Updated exposed monitoring systems check

Fixes

  • Fixed issue in the PHP IAST AcuSensor when reporting SCA components
  • Fixed scanner crash

v14.9.220713150 – 14 Jul 2022

New features

  • JAVA IAST AcuSensor can now be used on WebSphere
  • HTTP requests can be copied as Curl command from the vulnerability data

New vulnerability checks

Updates

  • Multiple DeepScan updates improving crawling of Single Page Applications (SPAs)
  • Upgraded Chromium to v103.0.5060.114
  • Improved handling of installed.json by PHP IAST AcuSensor
  • SCA, AcuMonitor (OOB vulnerability checks) and URL malware checks now require the “Acunetix Online Services” to be enabled in the user profile
  • Updated the MongoDB Injection checks
  • Various UI updates and fixes

Fixes

  • Multiple fixes in the JAVA and .NET IAST AcuSensors
  • Fixed false negative in “Possible virtual host found”
  • Fixed bug causing CSRF tokens to be retrieved using HTTP
  • Fixed false positive in “Apache HTTP Server Source Code Disclosure”

v14.8.220610146 – 13 Jun 2022

Fixes

  • Fixed issue when using Acunetix on Amazon Linux 2

v14.8.220606174 – 08 Jun 2022

New Vulnerability checks

v14.8.220519149 – 23 May 2022

New Features

  • JAVA IAST sensor now supports JBoss, Jetty and Wildfly JAVA Severs
  • Improved support for Servlet3 and Jersey JAVA Frameworks

New Vulnerability Checks

Updates

  • Various UI improvements
  • Improved detection of Directory Traversal vulnerabilities
  • Improved detection of Directory Listing vulnerabilities
  • Improved detection of development files
  • Several improvements to LSR / DeepScan

Fixes

  • Fixed issue causing some vulnerabilities detected by AcuSensor not to show as AcuSensor verified
  • Fixed issue causing routes to not be listed by JAVA IAST sensor
  • Fixed 2 issues in Target CSV import
  • Fixed issue causing SCA not to be done on JAVA Spring boot web applications
  • Fixed issue causing some checks not to be executed on cookies with Secure flag

v14.7.220425114 – 26 Apr 2022

Updates

  • Upgraded Chromium to v100.0.4896.127

v14.7.220401065 – 01 Apr 2022

New Vulnerability checks

v14.7.220329162 – 30 Mar 2022

Updates

  • Upgraded Chromium to v99.0.4844.84

v14.7.220322147 – 28 Mar 2022

New Vulnerability checks

Updates

  • Engines page in UI now shows the number of Targets bound to a scanning engine
  • Vulnerabilities page in UI shows the Target Tracker Issue Id when the vulnerability is sent to an Issue Tracker
  • Upgraded Chromium to v99.0.4844.0
  • JWT audit checks are now done on GET / POST parameters

Fixes

  • Fixed several Scanner crashes
  • Numerous UI updates / fixes
  • Fixed error when configuring GitHub Issue Trackers
  • Numerous fixes related to CSRF token management
  • Better handling of imported URLs that are excluded in LSR
  • fixed issue causing pre-request scripts to be renamed, causing import scripts not to fail to be loaded

v14.7.220228146 – 01 Mar 2022

New Features

  • .NET IAST Sensor (AcuSensor) can now be installed on .NET Core v3 and v5 on Windows (with Kestrel server)
  • Acunetix Scanner updated to support Routes for frameworks supported by the IAST sensors (AcuSensor)
  • Added support for Laravel framework in PHP IAST Sensor (AcuSensor)
  • Added support for CodeIgnitor framework in PHP IAST Sensor (AcuSensor)
  • Added support for Symphony framework in PHP IAST Sensor (AcuSensor)
  • Added support for ASP.NET MVC in .NET Core IAST Sensor (AcuSensor)
  • Added support for Razor Pages in .NET Core in .NET IAST Sensor (AcuSensor)
  • Added support for Web API in .NET Framework and .NET Core IAST Sensors (AcuSensor)
  • Added support for Spring MVC in JAVA IAST Sensor (AcuSensor)
  • Added support for Spring Struts2 in JAVA IAST Sensor (AcuSensor)

New Vulnerability Checks

Updates

  • IAST Sensors (AcuSensor) capabilities have been updated to improve the detection of:
    • Arbitrary File Creation
    • Directory Traversal
    • SQL Injection
    • Remote Code Execution
  • Acunetix will start reporting when an old version of the IAST Sensor (AcuSensor) is installed on the web application
  • Considerable update to the handling of CSRF tokens
  • The Vulnerabilities page now includes a unique Vulnerability ID
  • Multiple UI updates
  • Multiple DeepScan updates

Fixes

  • Fixed issue with Gitlab issue types not showing in UI
  • Fixed issue with Amazon AWS WAF export
  • Fixed several scanner crashes
  • Fixed issue with .NET IAST AcuSensor not working on IIS prior to version 10
  • Fixed issue with Node.js IAST AcuSensor causing web application to stop working
  • Fixed ordering issue caused in PDF Comprehensive reports for multiple scans
  • Fixed timeout issue causing IAST data not to reach the Acunetix scanner