Acunetix Web Vulnerability Scanner Changelog

What's new in Acunetix Web Vulnerability Scanner 24.3.2

Apr 16, 2024

Improvements:
Replaced an expiring Invicti Signing Code Certificate for Windows binaries

New in Acunetix Web Vulnerability Scanner 24.2.240227118 (Feb 29, 2024)

New in Acunetix Web Vulnerability Scanner 24.2.240226074 (Feb 26, 2024)

New features:
Added the ability to use Aria Roles to provide better coverage
Introduced PCI DSS 4.0 report. Note that PCI DSS 3.2 will reach the end of its support or relevance by the end of March
.NET IAST now supports .NET 8 (currently in Open Beta)
New security checks:
XXE in Ivanti Connect Secure, Policy Secure and Neurons (CVE-2024-22024)
Magento 2.0-2.3 End of life
ColdFusion Access Control bypass (CVE-2023-29298 / CVE-2023-38205)
ColdFusion XSS (CVE-2023-44352)
Skype for Business SSRF (CVE-2023-41763)
VMware Aria Operations for Networks RCE (CVE-2023-20887)
IBM Aspera Faspex RCE (CVE-2022-47986)
GeoServer SSRF (CVE-2021-40822)
WSO2 Management Console XSS (CVE-2022-29548)
SSRF in Ivanti Connect Secure, Policy Secure and Neurons (CVE-2024-21893)
LISTSERV XSS (CVE-2022-39195)
Unrestricted access to MLflow
KeyCloak Information Disclosure (CVE-2020-27838)
CloudPanel file-manager Auth bypass (CVE-2023-35885)
TestRail Information Disclosure (CVE-2021-40875)
Grafana Snapshot Authentication Bypass (CVE-2021-39226)
Harbor Unauthorized Access Vulnerability
Ghost CMS Theme Path Traversal (CVE-2023-32235)
cPanel XSS (CVE-2023-29489)
GoAnywhere MFT Authentication Bypass (CVE-2024-0204)
Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core API Auth bypass (CVE-2023-35082)
Unauthenticated OGNL injection in Confluence Server and Data Center (CVE-2023-22527)
Authentication Bypass in Ivanti Connect Secure and Policy Secure (CVE-2023-46805)
RCE in Ivanti Connect Secure and Policy Secure (CVE-2024-21887)
GeoServer WMS SSRF (CVE-2023-43795)
Ivanti Sentry Authentication Bypass (CVE-2023-38035)
SAP SAP BusinessObjects Business Intelligence Platform XXE (CVE-2022-28213)
SysAid On-Premise RCE (CVE-2023-47246)
Multiple ColdFusion WDDX Deserialization RCEs (CVE-2023-44353 / CVE-2023-38203 / CVE-2023-38204)
Improvements:
Updated Chromium to 121.0.6167.139/140
Improved detection of DOM-based Cross Site Scripting (XSS)
Improved the way that “Content Security Policy Misconfiguration” alerts are reported
Improved detection of Client Side Prototype Pollution (CSPP)
IAST scans will start reporting the IAST sensor version used for the scan
New column “Result” is shown in the list of scans to provide more details about scan outcome
Enhanced support for OTP apps by displaying the activation code next to the QR code
Improved crawling of Single Page Applications (SPA) that are using Ionic Framework
Added the ability to scan web applications which require browsing in a single browser tab
Upgraded user experience of in-app notifications – Updated UX of notifications dropdown
When accessing the application from a different location or browser, all other sessions are promptly terminated. Previously, users were notified, causing inconvenience when working from various locations
Fixes:
Fixed a bug caused by the engine not respecting Cache-Control directive
In rare situations, a report being generated could have resulted in an Internal server error. This issue has now been fixed
Fixed several minor user experience issues across the application

New in Acunetix Web Vulnerability Scanner 24.1.240131143 (Feb 2, 2024)

New in Acunetix Web Vulnerability Scanner 24.1.2 (Jan 11, 2024)

New in Acunetix Web Vulnerability Scanner 23.11.2 (Dec 4, 2023)

New in Acunetix Web Vulnerability Scanner 23.11.1 (Nov 30, 2023)

New in Acunetix Web Vulnerability Scanner 23.11.0 (Nov 24, 2023)

New in Acunetix Web Vulnerability Scanner 23.9.231013139 (Oct 16, 2023)

New in Acunetix Web Vulnerability Scanner 23.9.231005181 (Oct 11, 2023)

New in Acunetix Web Vulnerability Scanner 23.8.230918154 (Sep 19, 2023)

New in Acunetix Web Vulnerability Scanner 23.8.230905089 (Sep 5, 2023)

New in Acunetix Web Vulnerability Scanner 23.7.230728157 (Jul 31, 2023)

New in Acunetix Web Vulnerability Scanner 23.6.230628115 (Jun 30, 2023)

New in Acunetix Web Vulnerability Scanner 15 Build 15.7.230616162 (Jun 20, 2023)

New in Acunetix Web Vulnerability Scanner 15 Build 15.7.230613078 (Jun 14, 2023)

New in Acunetix Web Vulnerability Scanner 15 Build 15.7.230603143 (Jun 6, 2023)

New in Acunetix Web Vulnerability Scanner 15 Build 15.6.230505122 (May 9, 2023)

New in Acunetix Web Vulnerability Scanner 15 Build 15.0.230406089 (Apr 15, 2023)

New in Acunetix Web Vulnerability Scanner 15 Build 15.0.221007170 (Oct 15, 2022)

New in Acunetix Web Vulnerability Scanner 14 Build 14.9.220830118 (Aug 30, 2022)

New in Acunetix Web Vulnerability Scanner 14 Build 14.9.220713150 (Jul 14, 2022)

New in Acunetix Web Vulnerability Scanner 14 Build 14.8.220606174 (Jun 8, 2022)

New in Acunetix Web Vulnerability Scanner 14 Build 14.8.220519149 (May 25, 2022)

New in Acunetix Web Vulnerability Scanner 14 Build 14.7.220425114 (Apr 26, 2022)

New in Acunetix Web Vulnerability Scanner 14 Build 14.7.220401065 (Apr 1, 2022)

New in Acunetix Web Vulnerability Scanner 14 Build 14.7.220329162 (Mar 30, 2022)

New in Acunetix Web Vulnerability Scanner 14 Build 14.7.220322147 (Mar 29, 2022)

New in Acunetix Web Vulnerability Scanner 14 Build 14.7.220228146 (Mar 2, 2022)

New Features:
NET IAST Sensor (AcuSensor) can now be installed on .NET Core v3 and v5 on Windows (with Kestrel server)
Acunetix Scanner updated to support Routes for frameworks supported by the IAST sensors (AcuSensor)
Added support for Laravel framework in PHP IAST Sensor (AcuSensor)
Added support for CodeIgnitor framework in PHP IAST Sensor (AcuSensor)
Added support for Symphony framework in PHP IAST Sensor (AcuSensor)
Added support for ASP.NET MVC in .NET Core IAST Sensor (AcuSensor)
Added support for Razor Pages in .NET Core in .NET IAST Sensor (AcuSensor)
Added support for Web API in .NET Framework and .NET Core IAST Sensors (AcuSensor)
Added support for Spring MVC in JAVA IAST Sensor (AcuSensor)
Added support for Spring Struts2 in JAVA IAST Sensor (AcuSensor)
New Vulnerability Checks:
Acunetix has been updated to detect the following vulnerabilities using IAST:
LDAP Injection
Unsafe Reflection of Untrusted Data
XPath Injection
Email Header Injection
Deserialization of Untrusted Data
MongoDB Injection
Server-side template injection (SSTI)
Server-side request forgery (SSRF)
Acunetix IAST (AcuSensor) has been updated to detect over 30 new misconfigurations across all sensors
li>New check for Magento Config File Disclosure
New check for BillQuick Web Suite SQL injection (CVE-2021-42258)
New check for Apache Airflow Experimental API Auth Bypass (CVE-2020-13927)
New check for Apache Airflow default credentials
New check for Apache Airflow Exposed configuration
New check for Apache Airflow Unauthorized Access Vulnerability
New check for GoCD information disclosure (CVE-2021-43287)
New check for Grafana Plugin Dir Traversal (CVE-2021-43798)
New check for NodeBB Arbitrary JSON File Read (CVE-2021-43788)
New check for ManageEngine Desktop Central Deserialization RCE (CVE-2020–10189)
New check for SolarWinds Orion API Auth bypass (CVE-2020-10148)
New check for Citrix ADC NetScaler Local File Inclusion (CVE-2020-8193)
New check for VMware vCenter vcavbootstrap Arbitrary File Read
New check for Pentaho API Auth bypass (CVE-2021-31602)
New check for Sonicwall SMA 100 Unintended proxy (CVE-2021-20042)
New check for VMware vCenter Log4Shell RCE
New check for VMware Horizon Log4Shell RCE
New check for MobileIron Log4Shell RCE
New check for Ubiquiti Unifi Log4Shell RCE
New check for Apache OFBiz Log4Shell RCE
New check for Apache Struts2 Log4Shell RCE
New check for Apache Solr Log4Shell RCE
New check for Apache JSPWiki Log4Shell RCE
New WordPress Core and WordPress plugins checks
Updates:
IAST Sensors (AcuSensor) capabilities have been updated to improve the detection of:
Arbitrary File Creation
Directory Traversal
SQL Injection
Remote Code Execution
Acunetix will start reporting when an old version of the IAST Sensor (AcuSensor) is installed on the web application
Considerable update to the handling of CSRF tokens
The Vulnerabilities page now includes a unique Vulnerability ID
Multiple UI updates
Multiple DeepScan updates
Fixes:
Fixed issue with Gitlab issue types not showing in UI
Fixed issue with Amazon AWS WAF export
Fixed several scanner crashes
Fixed issue with .NET IAST AcuSensor not working on IIS prior to version 10
Fixed issue with Node.js IAST AcuSensor causing web application to stop working
Fixed ordering issue caused in PDF Comprehensive reports for multiple scans
Fixed timeout issue causing IAST data not to reach the Acunetix scanner

New in Acunetix Web Vulnerability Scanner 14 Build 14.6.220117111 (Jan 18, 2022)

New in Acunetix Web Vulnerability Scanner 14 Build 14.6.211220100 (Dec 20, 2021)

New in Acunetix Web Vulnerability Scanner 14 Build 14.6.211213163 (Dec 13, 2021)

New in Acunetix Web Vulnerability Scanner 14 Build 14.6.211207099 (Dec 8, 2021)

New in Acunetix Web Vulnerability Scanner 14 Build 14.5.211207099 (Dec 7, 2021)

New in Acunetix Web Vulnerability Scanner 14 Build 14.5.211115146 (Nov 18, 2021)

New in Acunetix Web Vulnerability Scanner 14 Build 14.5.211109105 (Nov 15, 2021)

New in Acunetix Web Vulnerability Scanner 14 Build 14.5.211026108 (Oct 27, 2021)

New in Acunetix Web Vulnerability Scanner 14 Build 14.5.211008143 (Oct 13, 2021)

New in Acunetix Web Vulnerability Scanner 14 Build 14.4.210913167 (Sep 17, 2021)

New in Acunetix Web Vulnerability Scanner 14 Build 14.4.210831180 (Sep 1, 2021)

New in Acunetix Web Vulnerability Scanner 14 Build 14.4.210826124 (Aug 27, 2021)

New in Acunetix Web Vulnerability Scanner 14 Build 14.4.210816098 (Aug 18, 2021)

New Features:
Pre-request script support
New Log Data Retention options
New Vulnerability Checks:
New check for Oracle E-Business Suite Information Disclosure
New check for Alibaba Nacos Authentication Bypass (CVE-2021-29441)
New check for Gitlab CI Lint SSRF
New check for Gitlab open user registration
New check for Gitlab user disclosure via graphql endpoint
New check for Bitrix galleries_recalc.php XSS
New check for Bitrix open redirect
New check for Jetty ConcatServlet Information Disclosure (CVE-2021-28164)
New check for Jenkins open user registration
New check for Open Mikrotik stats
New check for Open Nuster stats
New check for RethinkDB administrative interface publicly exposed
New check for spring-boot-actuator-logview Path Traversal
New check for Hasura GraphQL API without authentication
New check for ForgeRock OpenAM Deserialization RCE (CVE-2021-29156)
New check for BuddyPress REST API Privilege Escalation
New check for Grandnode Path Traversal (CVE-2019-12276)
New check for SearchBlox Local File Inclusion (CVE-2020-35580)
New check for Zimbra Collaboration Suite SSRF (CVE-2020-7796)
New check for Ghost CMS Theme Preview XSS (CVE-2021-29484)
New check for qdPM Information Disclosure
New checks for vulnerabilities in WordPress Plugins
Updates:
Max items shown per page can now be configured
Updated Deepscan to process hashes in URLs
Updated Chromium to v92.0.4512.0
Updated CSV export to include text only details
Java Script Library Audit now supports merged JavaScript files
Added support for dev tools in standalone LSR
Multiple UI updates
Multiple LSR updates
Target knowledgebase will now be reset when Target settings are changed
Updated Selenium import to support selectFrame
Updated OWASP Top 10 report to include CVSS score
Updated Compliance report to include CWE
Added option to enable debuglogs for all Targets
Optimisations to the Java and Node.js AcuSensors
Improved support for Hapi framework in Node.js AcuSensor
Add support for find-my-way HTTP router in Node.js AcuSensor
Improved ionCube Loader-wizard information disclosure check
Improved cache poisoning DOS checks
Improved detection of Apache Struts2 Remote Command Execution (S2-052)
Improved detection of Directory Traversal vulnerabilities
Added option to skip testing of login form configured for the Target
Improved handling of Custom 404 pages
Fixes:
Fixed multiple crashes in the scanner
Fixed issue causing some requests to be done to restricted links
Addressed multiple Deepscan issues
Paused scans can now be Aborted
Fixed XPath Injection false positive
Fixed Bitrix Open Redirect false positive
Fixed Spring Boot Actuator false negative
Fixed issue in .NET Sensor Manager not showing buttons on lower resolutions
Fixed issue with Postman imports

New in Acunetix Web Vulnerability Scanner 14 Build 14.3.210816098 (Aug 18, 2021)

New Features:
Pre-request script support
New Log Data Retention options
New Vulnerability Checks:
New check for Oracle E-Business Suite Information Disclosure
New check for Alibaba Nacos Authentication Bypass (CVE-2021-29441)
New check for Gitlab CI Lint SSRF
New check for Gitlab open user registration
New check for Gitlab user disclosure via graphql endpoint
New check for Bitrix galleries_recalc.php XSS
New check for Bitrix open redirect
New check for Jetty ConcatServlet Information Disclosure (CVE-2021-28164)
New check for Jenkins open user registration
New check for Open Mikrotik stats
New check for Open Nuster stats
New check for RethinkDB administrative interface publicly exposed
New check for spring-boot-actuator-logview Path Traversal
New check for Hasura GraphQL API without authentication
New check for ForgeRock OpenAM Deserialization RCE (CVE-2021-29156)
New check for BuddyPress REST API Privilege Escalation
New check for Grandnode Path Traversal (CVE-2019-12276)
New check for SearchBlox Local File Inclusion (CVE-2020-35580)
New check for Zimbra Collaboration Suite SSRF (CVE-2020-7796)
New check for Ghost CMS Theme Preview XSS (CVE-2021-29484)
New check for qdPM Information Disclosure
New checks for vulnerabilities in WordPress Plugins
Updates:
Max items shown per page can now be configured
Updated Deepscan to process hashes in URLs
Updated Chromium to v92.0.4512.0
Updated CSV export to include text only details
Java Script Library Audit now supports merged JavaScript files
Added support for dev tools in standalone LSR
Multiple UI updates
Multiple LSR updates
Target knowledgebase will now be reset when Target settings are changed
Updated Selenium import to support selectFrame
Updated OWASP Top 10 report to include CVSS score
Updated Compliance report to include CWE
Added option to enable debuglogs for all Targets
Optimisations to the Java and Node.js AcuSensors
Improved support for Hapi framework in Node.js AcuSensor
Add support for find-my-way HTTP router in Node.js AcuSensor
Improved ionCube Loader-wizard information disclosure check
Improved cache poisoning DOS checks
Improved detection of Apache Struts2 Remote Command Execution (S2-052)
Improved detection of Directory Traversal vulnerabilities
Added option to skip testing of login form configured for the Target
Improved handling of Custom 404 pages
Fixes:
Fixed multiple crashes in the scanner
Fixed issue causing some requests to be done to restricted links
Addressed multiple Deepscan issues
Paused scans can now be Aborted
Fixed XPath Injection false positive
Fixed Bitrix Open Redirect false positive
Fixed Spring Boot Actuator false negative
Fixed issue in .NET Sensor Manager not showing buttons on lower resolutions
Fixed issue with Postman imports

New in Acunetix Web Vulnerability Scanner 14 Build 14.3.210628104 (Jun 30, 2021)

New in Acunetix Web Vulnerability Scanner 14 Build 14.3.210615184 (Jun 17, 2021)

New Features:
New SCA (Software Composition Analysis) for PHP, JAVA, Node.js and .NET web applications. Acunetix will report vulnerable libraries used by the web application when AcuSensor is used
New Vulnerability Checks:
New check for SSRF via logo_uri in MITREid Connect (CVE-2021-26715)
New check for Oracle E-Business Suite Information Disclosure
New check for Unauthorized Access to a web app installer
New check for SAML Consumer Service XML entity injection (XXE)
New check for Grav CMS Unauthenticated RCE (CVE-2021-21425)
New check for Outsystems Upload Widget Arbitrary File Uploading (RPD-4310)
New check for Django Debug Toolbar
New check for Joomla Debug Console enabled
New check for Joomla J!Dump extension enabled
New check for Request Smuggling
New check for Unrestricted access to Caddy API interface
New check for Pyramid framework weak secret key
New check for Apache Tapestry Unauthenticated RCE (CVE-2019-0195 and CVE-2021-27850)
New check for Unrestricted access to Spring Eureka dashboard
New check for Unrestricted access to Yahei PHP Probe
New check for Unrestricted access to Envoy Dashboard
New check for Unrestricted access to Traefik2 Dashboard
New check for Dragonfly Arbitrary File Read/Write (CVE-2021-33564)
New check for Oracle E-Business Suite Frame Injection (CVE-2017-3528)
New check for Gitlab CI Lint SSRF
New check for Gitlab open user registration
New check for Gitlab user disclosure via GraphQL
Updates:
Updated .NET AcuSensor
.NET AcuSensor can be now deployed from CLI
User is notified when imported URLs are out of scope
Scan events are not shown in json any more
New column for Continuous Scanning in the Targets page
New filter in Targets page to easily identify Targets with debug enabled
Vulnerabilities page shows if the vulnerability was detected by a web or network scan
Merged Add Target and Add Targets options in UI
Custom Field, labels and tags can be configured for Issue Trackers
Platform Admin can now unlock locked accounts
New column in CSV export showing details in text only
Updated the way that AcuSensor token can be updated in the Target Settings
PCI DSS compliance report updated to PCI DSS 3.2.1
Compliance Reports updated to make use of the Comprehensive report template
Browser Dev tools can be used when LSR is started from CLI
Updated XFO check
Multiple UI updates
Improved false positive detection of out of band RCE and argument injection vulnerabilities
Multiple updates to the Postman import implementation
Updated JavaScript Library Audit to support merged JavaScript files
Fixes:
HSTS has been enabled for the AcuSensor bridge
Latest Alerts section of Scan results was not updated with AcuMonitor (OOB) vulnerabilities)
The Fragments was not clickable in the site structure
HSTS Best Practices was sometimes being reported multiple times
Fixed HSTS false negative
Fixed issue in the detection of Django 3 weak secret
Fixed issue causing GitHub labels not to be updated when changing Github issue Tracker Project
Fixed encoding issue in Node.js AcuSensor
Fixed issue causing corruption of Target knowledgebase
Fixed DeepScan timeout when processing Prototype JavaScript library
Fixed issue causing outdated JavaScript libraries check not to report external libraries
Fixed issue in Oauth password credentials grant

New in Acunetix Web Vulnerability Scanner 14 Build 14.2.210503151 (May 4, 2021)

New Features:
Acunetix is now available on Docker
New Scan Statistics page for each Scan
Vulnerability information can now be sent to AWS WAF
New Vulnerability Checks:
New check for Hashicorp Consul API is accessible without authentication [https://www.consul.io/docs/security]
Multiple new checks for Unrestricted access to a monitoring system
Improvements to JavaScript Library Audit checks
New check for Cisco RV Series Authentication Bypass (CVE-2021-1472)
New check for ntopng Authentication Bypass (CVE-2021-28073)
New check for Agentejo Сockpit CMS resetpassword NoSQLi (CVE-2020-35847)
New check for AppWeb Authentication Bypass (CVE-2018-8715)
New check for Apache OFBiz SOAPService Deserialization RCE (CVE-2021-26295)
New check for F5 iControl REST unauthenticated remote command execution vulnerability (CVE-2021-22986)
New check for Python Debugger Unauthorized Access Vulnerability
New check for Virtual Host locations misconfiguration
New check for Request Smuggling
Updates:
Full rows and column selection is now possible in the Excluded Hours page
Updated UI with new Acunetix branding
Issue Tracker ID will be shown for vulnerabilities sent to any Issue Tracker
Issue Trackers can now be restricted to a specific Target Group
Target Description will be sent to the Issue Trackers
Updated Jira integration to support Jira version 9
Multiple updates to the JAVA AcuSensor
Scanning engine will now test cookies on pages which do not have any inputs
The scanner will stop testing cookies which have been found to be vulnerable
Where possible, DOM XSS vulnerabilities will show the code snippet of the vulnerable JavaScript call
CSV Export will now show the Target Address
Maximum size for a custom cookie configured in a Target increased to 4096 characters
New date filter in the Vulnerabilities page
Vulnerability severity now shows text in addition to color coded icon
Multiple updates to the LSR
Added support for BaseUrl / Global Variables in Postman import files
Fixes:
Import files
Fixed extra CR in Target CSV export
Fixed DeepScan crash
Fixed: Discovery options are only shown to users with “Access All Targets” permission
Fixed: Existing user’s details shown when adding a new user
Fixed a scanner crash
Fixed: Blind XSS check is now part of the XSS scanning profile
Fixed: AcuMonitor checks where not done when scan done by an engineonly installation
Fixed issue causing AcuMonitor not to be registered when using authenticated proxy
Fixed issue when loading vulnerabilities for a Target Group
Fixed issue with Postman importer
Fixed sporadic issue when checking for new Acunetix updates on Mac
Fixed issue in WP XMLRPC pingback check

New in Acunetix Web Vulnerability Scanner 14 Build 14.1.210329187 (Mar 31, 2021)

New in Acunetix Web Vulnerability Scanner 14 Build 14.1.210324124 (Mar 26, 2021)

New in Acunetix Web Vulnerability Scanner 14 Build 14.1.210316110 (Mar 17, 2021)

New Features:
Web Asset Discovery, allowing users to discover domains related to their organisation or web assets already configured in Acunetix
New page showing all the Target FQDNs consuming a target license
New Vulnerability Checks:
New test for SonicWall SSL-VPN 8.0.0.0 RCE via ShellShock exploit
New test for Node.js Debugger Unauthorized Access Vulnerability
New test for Node.js Inspector Unauthorized Access Vulnerability
New test for Apache Shiro authentication bypass (CVE-2020-17523)
New test for Reflected Cross-Site Scripting (XSS) vulnerability in PAN-OS management web interface (CVE-2020-2036)
New test for Missing Authentication Check in SAP Solution Manager (CVE-2020-6207)
New test for VMware vCenter Server Unauthorized Remote Code Execution (CVE-2021-21972)
New test for Delve Debugger Unauthorized Access Vulnerability
New check for HTTP response splitting with cloud storage
New tests for WordPress plugins
Updates:
Acunetix updated to fully support NTLM Authentication for proxy authentication
Multiple LSR/BLR and DeepScan updates and fixes
Updated Chromium to v88.0.4298.0
Updated Postgres database to v13.2
Engines page has been updated to show the following:
Status (online or otherwise) for each Engine
The build number for each Engine
Any license issues are reported as part of the status for each Engine
Multi-Engine setups will start to automatically update the Engine only installations when the Main installation is updated
The UI will reload after Acunetix is upgraded
‘WAF Export’ button renamed to ‘Export to’, and feature added to the Scans Page
Multiple updates to the Comprehensive report
Proxy Settings can now be specified for each Issue Tracker
Updated JavaScript Library Audit check to cover libraries not hosted on the scanned target
Users can now be created from the API
Updated CORS check
Fixes:
Fixed bug in “Vulnerabilities in SharePoint could allow elevation of privilege” check
Fixed issue causing check for updates to occasionally fail on MacOS
Fixed issue causing DOM XSS sink to not always be show the in the code extract displayed in the alert
Fixed issue caused when a custom collection is used in a TFS issue tracker configuration
Fixed issue in WordPress XML-RPC pingback abuse check
Fixed Deepscan crash
Fixed False Positive in Broken Link Hijacking check
Vulnerability CSV export now includes URL where vulnerability was detected

New in Acunetix Web Vulnerability Scanner 13 Build 13.0.210308088 (Mar 8, 2021)

New in Acunetix Web Vulnerability Scanner 13 Build 13.0.210226118 (Mar 1, 2021)

New in Acunetix Web Vulnerability Scanner 13 Build 13.0.210129162 (Feb 2, 2021)

New in Acunetix Web Vulnerability Scanner 13 Build 13.0.201217092 (Dec 18, 2020)

New in Acunetix Web Vulnerability Scanner 13 Build 13.0.201126145 (Nov 27, 2020)

New in Acunetix Web Vulnerability Scanner 13 Build 13.0.201112128 (Nov 16, 2020)

New in Acunetix Web Vulnerability Scanner 13 Build 13.0.201028153 (Oct 30, 2020)

New in Acunetix Web Vulnerability Scanner 13 Build 13.0.200911154 (Sep 15, 2020)

New Features:
New Data Retention settings, providing the ability to:
Keep the last 3 scans for each target and archive previous scans
Delete archived scans which are older than 2 years
The above data retention settings are configurable
The above settings affect vulnerabilities detected, which are archived / deleted accordingly
A default scan profile can be configured for each target
Forgot Password option for Acunetix On premise, allowing users to reset their password – Email settings need to be configured
Detect paths in JavaScript code via static method analysis
Ability to retrieve links from several not so popular HTTP headers
New Vulnerability Checks:
New check for SAP NetWeaver RECON (CVE-2020-6287)
New check for DNN (DotNetNuke) CMS Cookie Deserialization RCE (CVE-2017-9822)
New check for Insecure Referrer Policy
New check for Remote code execution of user-provided local names in Rails
New check for Cisco Adaptive Security Appliance (ASA) Path Traversal (CVE-2020-3452)
New check for Total.js Directory Traversal (CVE-2019-8903)
New check for Envoy Metadata disclosure
New checks for WordPress Core / Plugins / Themes, Drupal and Joomla vulnerabilities
Updates:
Vulnerabilities are now shown as grouped by Vulnerability Type and FQDNs
Numerous improvements affecting vulnerability deduplication
Deleted Targets will not be showing in the UI by default
Malicious links detected will be highlighted in the vulnerability report
Ability to scan all Targets in a Target Group
Improved Swagger support implementation
Updated backup files/folders and possible sensitive files checks to report alerts on parent of file detected
Time zone can now be configured by each user account
User accounts can now change UI to Chinese
.NET Sensor updated to support .NET Core
Updated Session Fixation vulnerability check to avoid possible False Positives:
Updated to Chromium v83
Fixes:
Fixed issue with offline activation
Fixed a few crashes occurring on specific sites
Fixed issue affecting AcuMonitor when scanning certain sites
Various small UI fixes
Fixed Target Deletion issue for Consult licenses
Fixed: PDF report generation was failing in specific situations
Fixed issue causing HTTP requests passing through a proxy to fail
Fixed issue affecting relative HTTP redirects
Fixed issue causing Manual Intervention not to work on Linux
Fixed issue causing DeepScan to miss some DOMXSS vulnerabilities
Fixed text overlapping issue in reports
Fixed issue causing Telerik Web UI RadAsyncUpload Deserialization (CVE-2019-18935) to not always be detected
Fixed: ‘HTTP Strict Transport Security (HSTS) not implemented’ and ‘HTTP Strict Transport Security (HSTS) Best Practices’ where using the same name
Fixed: Sensitive files / directories checks were missing Attack details
Fixed issue caused when sorting scans by target description
fixed a few issues in the Login Sequence Recorder and Business Logic Recorder

New in Acunetix Web Vulnerability Scanner 13 Build 13.0.200807155 (Aug 8, 2020)

New in Acunetix Web Vulnerability Scanner 13 Build 13.0.200715111 (Aug 6, 2020)

New in Acunetix Web Vulnerability Scanner 13 Build 13.0.200519155 (May 20, 2020)

New in Acunetix Web Vulnerability Scanner 13 Build 13.0.200409107 (Apr 13, 2020)

New in Acunetix Web Vulnerability Scanner 13.0.13.0.200401171 (Apr 10, 2020)

New in Acunetix Web Vulnerability Scanner 13.0.13.0.200326097 (Mar 26, 2020)

New in Acunetix Web Vulnerability Scanner 13.0.13.0.200205121 (Feb 5, 2020)

New Features:
New Acunetix web UI
Improved Network Scanner integration
Malware Detection using Windows Defender on Windows and ClamAv on Linux
Smart Scan
New scanning algorithm prioritises scanning tasks and reduces scanning time
Proof of exploit is reported in the vulnerability alerts
Incremental Scans
Vulnerability Confidence Rating for web vulnerabilities
New GitLab Issue Tracker Integration
New Bugzilla Issue Tracker Integration
New Mantis Issue Tracker Integration
Ability to create Login Sequence from Selenium script
New WADL import file
New ASP.NET Webforms import file
New Postman import file
New Paros import file
Ability to create custom checks
Highlighting of vulnerability in HTTP response
DeepScan provides better support for Angular 2, Vue and React JavaScript Frameworks
Unlimited network scanning for Acunetix Premium customers
Account Session Timeout settings
Account Maximum Consecutive Login Failure settings
New Vulnerability Checks:
New check for publicly accessible Bitrix server test script
New check for publicly accessible NGINX+ dashboard
New check for unrestricted access to NGINX+ API endpoints
New check for outdated TLS version
New check for Citrix Netscaler Unauthenticated Remote Code Execution (CVE-2019-19781)
New check for Kentico CMS Deserialization RCE
New check for Cross site scripting via Bootstrap
New check for Django weak secret key
New check for Oracle Weblogic T3 XXE (CVE-2019-2888)
New check for leakage of API keys
New check for JWT weak secret key
New check for JWT none algorithm
New check for publicly exposed .NET HTTP Remoting
New check for .NET BinaryFormatter Object Deseralization vulnerabilities
New check for Apache Solr Parameter Injection
New check for Ruby framework weak secret key
New check for Tornado weak secret key
New check for BottlePy weak secret key
New WordPress Core and plugin vulnerability checks
New Joomla Core vulnerability checks
New Drupal Core vulnerability checks
Updates:
Improved memory consumption for the scanner
PDF reports now have page numbers
Generic User-agent will be used for communication with issue trackers
All lists in Acunetix UI can be sorted
Easier filtering options in the Acunetix UI
Settings can now be accessed from the side-bar
Links discovered by AcuSensor are given more prominence
Improved processing of XML and JSON POST input schemes
Scanner will try to replay the LSR playback actions a number of times before failing
Improved Auto-Login
Multiple updates in the Login Sequence Recorder
Developer report updated to include Source file, line number and other details provided by AcuSensor
Acunetix now supports scanning domains with international characters
Increase page size limit to 20Mb in scanner and LSR
Improved detection of Possible Sensitive Files
Improved detection of email addresses
Improved detection of Command Injection
Improved detection of database backup files
Improved detection of XXE
Fixes:
Fixed issue in Developer report showing incorrect parameter name for detected vulnerabilities
Fixed: “Tester” user role will not be able to create reports
upgrades on Linux were not removing all files from previous installation
Fixed issue with Manual Intervention
Fixed: Session cookies where not always collected by LSR
Fixed: Incorrect processing of URLs with “{” character
Fixed a number of crashes in scanner
Fixed issue causing scanner proxy to unintentionally transform parts of the HTTP request
Fixed false positive in the detection of Apache Tomcat Remote Code Execution
Fixed issues causing some links not to be properly imported by the importer
Fixed issue with license activation when proxy and authentication is used
Fixed issue causing session to get lost when Deepscan is used

New in Acunetix Web Vulnerability Scanner 12.0.191121158 (Nov 25, 2019)

New Features:
New scanning algorithm resulting in faster scans
Scanner will give higher priority to locations which are dissimilar to ones that have already been scanned
New Vulnerability Checks:
New check for Ruby on Rails Code Injection
New check for Perl Code Injection
AcuMonitor can now detect OOB PHP evaluation of user input
New check for Prototype Pollution
New check for Blind XSS via CSP report-uri
New check for Jira Unauthorized SSRF via REST API
New check for Apache Tapestry weak secret key
New check for Oracle PeopleSoft SSO weak secret key
New check for Yii2 weak secret key
New check for Web2py weak secret key
New check for Golang runtime profiling data
New check for Adminer 4.6.2 file disclosure vulnerability
New check for Apache mod_rewrite open redirect (CVE-2019-10098)
New check for Flask weak secret key
New check for Express express-session weak secret key
New check for vBulletin 5.x 0day pre-auth RCE
New check for Argument Injection
Updates:
Deepscan is now caching static assets. This will result in faster scans
Improved memory consumption by the scanner
Improved processing of forms and form handling
Improved detection of paths
Scanner will now process commented out html
Updated command injection payloads
Fixes:
Fixed scanner crash
Fixed WAF detection false positive
Fixed: Check for Sensitive files was accessing restricted links
Fixed issue causing scanner to multi-line session validation pattern
Fixed: Some locations where incorrectly detected by DeepScan
Fixed issue causing integrated LSR to close due to Ad blocking
Fixed issue with HAR import files
Fixed issue in the detection of Weak authentication credentials
Fixed issue affecting the detection of DOM XSS vulnerabilities
Fixed issue in the detection of possible username and password disclosure
Fixed issue with recording restricted links in Internet Explorer
Fixed: Tech Admin can now configure the engine to be used for a Target
Fixed issue affecting scanning of domains with international characters

New in Acunetix Web Vulnerability Scanner 12.0.190927120 (Sep 30, 2019)

New Features:
Introduced new Scan Type: New Web Vulnerabilities to scan for new vulnerabilities introduced in the latest Acunetix update
Introduced ad-blocking in the scanner, resulting in faster scans
Implemented support for Session HTTP headers when logging in to the site
Introduced custom_settings.xml to configure settings from settings.xml, which are not overwritten on upgrade
New Vulnerability Checks:
New test for insecure Java deserialization causing RCE in SAP Commerce Cloud (CVE-2019-0344)
New test for a weak key used to sign a cookie in Yii2
New test for a weak key used to sign a cookie in Mojolicious
New test for Webmin 0day remote code execution (CVE-2019-15107)
Updated WordPress Core and WordPress Plugin vulnerability checks
Updates:
The scan will now report when an invalid Selenium script is used as an import file
Improved detection of the type of Burp import file being used
Increased limit on Custom Headers
Multiple improvements in DeepScan
The LSR Record button is disabled during Login Action playback
Acunetix will start reporting login forms when no login credentials are configured
The tester user will not be able to create or view reports
Fixes:
Fixed: Directory Traversal vulnerabilities were sometimes incorrectly reported as found with AcuSensor
Fixed: Several broken references in the vulnerability alerts
Fixed: HTTP Response was not shown in some vulnerability alerts
Fixed an issue causing DeepScan to take too long to process some locations
Fix in PHP Hash Collision DOS vulnerability check
Fixed: Integrated LSR was not working on IE11
Fixed: Selenium script playback fails for some scripts
Fixed: Session Detection fails if session pattern spans multiple lines
Fixed: LSR keeps showing the spinner on some pages
Fixed: LSR Session pattern was not always saved when detected using the navigation
Fixed: LSR Session pattern check might fail for in body / not in body patterns
Fixed: On some systems, Chromium processes cannot be terminated when generating PDF reports
Fixed: Passwords were recoverable from the UI
Better handling of HTTP timeouts by vulnerability checks

New in Acunetix Web Vulnerability Scanner 12.0.190827161 (Aug 28, 2019)

New Features:
Implemented support for OpenSearch
Acunetix will try to discover hidden parameters and test them
Acunetix can now check base64 encoded JSON inputs for vulnerabilities
New Vulnerability Checks:
New test for Oracle Business Intelligence Convert XXE (CVE-2019-2767)
New test for Oracle Business Intelligence Adfresource Path traversal (CVE-2019-2588)
New test for Oracle Business Intelligence AuthBypass (CVE-2019-2768)
New test for Oracle Business Intelligence ReportTemplateService XXE (CVE-2019-2616)
New test for Jira RCE (CVE-2019-11581)
New test for Test for Atlassian Crowd RCE (CVE-2019-11580)
New tests for Python Code Injection
New test for Apache Spark RCE [https://spark.apache.org/security.html] (CVE-2018-11770)
New test for ColdFusion Deserialization RCE (CVE-2019-7091)
Implemented support for OpenID Connect Discovery
Detect and report Apple application association files
Added new checks for WordPress plugins, Drupal core and Joomla core
Updates:
Updated UI to accept IPv6 addresses
Multiple improvements to DeepScan
Improved the Directory Traversal check
Updated the scan limits, reducing repeated requests to larger sites
Acunetix will now extract and process gzipped files
Multiple updates to parsing and heuristic crawler features
Improved the vulnerability deduplification – similar vulnerabilities will be reported once
Improved reporting of the cause of scan failures (e.g. website is unresponsive, invalid import file etc)
Credentials provided to Auto-Login or LSR will not be used for vulnerability tests
Improved processing of Selenium scripts
Improved login form detection by Auto-Login feature
Improved WebLogic detection, and testing for default WebLogic credentials
Improved detection of Vulnerable JavaScript libraries check
Fixes:
Fixed a number of issues causing the scanner to stop unexpectedly
Fixed issue causing AcuMonitor checks to be done when AcuMonitor is not enabled
Fixed issue with WSDL parsing
Fixed: Reflected tests (e.g. reflected XSS) was not done on JSON inputs
Fixed issue causing 100% CPU usage when processing certain pages
Fixed hang in the Acunetix Administrative Password utility on Windows
Fixed: DeepScan was not processing XHTML pages
Fixed issue causing Chromiumn process to remain active after PDF report generation
Fixed issue caused by background requests when recording a login sequence
Fixed issue when recording a login sequence on a site that uses cross-domain iframes
Fixed issue when parsing WADL
Fixed issue causing Host Header Attack false negatives

New in Acunetix Web Vulnerability Scanner 12.0.190703137 (Jul 4, 2019)

New in Acunetix Web Vulnerability Scanner 12.0.190515149 (May 16, 2019)

New Features:
Network Scanning via OpenVAS integration
Introduced support for IPv6 domains (IPv6 addresses not supported yet)
Dynamic resource allocation for when multiple scanners are started on the same machine
Improved resource usage for string comparison functions
Selenium scripts can now be used as import files
Added support for Burp v2 saved files as import files
New Vulnerability Checks:
NEW check for Memcached Unauthorized Access Vulnerability
NEW check for Redis Unauthorized Access Vulnerability
NEW check for SAP ICF /sap/public/info sensitive information disclosure
NEW check for SAP NetWeaver server info information disclosure
NEW check for SAP NetWeaver ConfigServlet remote command execution
NEW check for SAP Portal directory traversal vulnerability
NEW check for SAP NetWeaver ipcpricing server side request forgery
NEW check for SAP Management Console list logfiles
NEW check for SAP Management Console get user list
NEW check for SAP NetWeaver server info information disclosure
NEW check for SAP Knowledge Management and Collaboration (KMC) incorrect permissions
NEW check for SAP NetWeaver Java AS WD_CHAT information disclosure vulnerability
NEW check for SAP weak/predictable user credentials
NEW check for OpenCms Solr XML External Entity (XXE) vulnerability
NEW check for Confluence Widget Connector SSTI
New check for Ruby source code disclosure
NEW check for Python source code disclosure
Added new WordPress Core and WordPress Plugins vulnerability checks
Added new Drupal Core vulnerability checks
Added new Joomla Core vulnerability checks
Updates:
Improved text comparison functions
Multiple improvements to the detection of Blind SQL Injection
Improved the Error Messages vulnerability check
Improved the Adobe Experience Manager tests
Improved detection of Java Deserialization and Mongo alert deduplication
Improved detection of Rails accept file content disclosure
Updated alert details for Oracle WebLogic Remote Code Execution via T3 (CVE-2018-3245)
Improved detection of Confluence
Improved PHP AcuSensor when used on nginx
Improved detection of PHP code injection
Updated Directory Traversal Check to make less requests
Multiple improvements to DeepScan and the LSR
Fixes:
Fixed a few crashes
Fixed issue causing Postcrawl scripts to not be executed on folders
Fixed: Custom cookies could be used twice when the application sets the same cookies
Cookie processing now ignores leading . in domain
Fixed issue with LSR when used on Internet Explorer
Fixed issue with HTTP Authentication
Fixed false positive in Struts_RCE_S2-052_CVE-2017-9805
Fixed severity level for CSRF vulnerability check
Fixed False Negative in Mercurial repository found check
Fixed issue causing site structure not to be updated with locations identified by vulnerability scripts

New in Acunetix Web Vulnerability Scanner 12.0.190325161 (Mar 26, 2019)

New in Acunetix Web Vulnerability Scanner 12.0.190227132 (Feb 28, 2019)

New in Acunetix Web Vulnerability Scanner 12.0.190214162 (Feb 15, 2019)

New in Acunetix Web Vulnerability Scanner 12.0.190206130 (Feb 8, 2019)

New Features:
New Integrated Login Sequence Recorder – Login Sequences can be recorded directly from the Acunetix UI
Swagger (JSON and YAML) and WSDL can be used as import files
Updates:
Improved the scanning of sites using SOAP
Improved parsing of paths
TXT import now takes precedence over excluded paths
Improved the adherence of the scan scope
Improved the detection of the version of WordPress plugins
Improved the automatic session pattern detection in the LSR
LocalStorage / SessionStorage is retained between LSR and Deepscan Sessions
Fixes:
Fixed: Scan scope was not always respected
Technology detected during the scan was not being reported
Fixed several scanner unexpected termination issues
Fixed issue causing large PDF reports not to be generated
Fixed: AcuSensor file data is better filtered by scanner
New Vulnerability checks:
New checks for a number of WebBackdoors
New checks for elmah.axd information disclosure
New test for Stack Trace Disclosure in Django
New test for Stack Trace Disclosure in ASP.NET
New test for Stack Trace Disclosure in ColdFusion
New test for Stack Trace Disclosure in Python
New test for Stack Trace Disclosure in Ruby
New test for Stack Trace Disclosure in Tomcat
New test for Stack Trace Disclosure in Grails
New test for Stack Trace Disclosure in Apache MyFaces
New test for Stack Trace Disclosure in Java
New test for Stack Trace Disclosure in GWT
New test for Stack Trace Disclosure in Laravel
New test for Stack Trace Disclosure in Rails
New test for Stack Trace Disclosure in CakePHP
New test for Stack Trace Disclosure in CherryPy
New Directory Listing vulnerability checks
New Error Message vulnerability checks
New test for Oracle Reports RWServlet showenv
New test for Docker Engine API publicly accessible
New test for Docker Registry API publicly accessible
New test for Jenkins server user enumeration
New test for Jenkins server weak credentials
Added the following new tests for Adobe Experience Manager:
Day CQ WCM Debug Filter enabled
LoginStatusServlet exposed (allows to bruteforce credentials)
Bruteforce a set of default AEM credentials if LoginStatusServlet is exposed
QueryBuilderFeedServlet public accessible, sensitive information might be exposed
Implemented tests for a bunch of SWF files that are exposed by AEM code that are vulnerable to Reflected XSS
Test if the AEM Groovy Console is publicly accessible. Permits RCE
Added a test for exposed AEM ACS Tools (a set of tools for AEM developers) – RCE is possible
Test if GQLServlet is publicly accessible. Sensitive information could be exposed
Test if Adobe Experience Manager AuditLogServlet is publicly accessible. Audit log records could be exposed
Test for Server Side Request Forgery (SSRF) via SalesforceSecretServlet (CVE-2018-5006)
Test for Server Side Request Forgery (SSRF) via ReportingServicesServlet
Test for Server Side Request Forgery (SSRF) via SiteCatalystServlet was detected

New in Acunetix Web Vulnerability Scanner 12.0.190121124 (Jan 23, 2019)

New in Acunetix Web Vulnerability Scanner 12.0.181218140 (Dec 19, 2018)

New in Acunetix Web Vulnerability Scanner 12.0.181012141 (Oct 13, 2018)

New in Acunetix Web Vulnerability Scanner 12.0.180911134 (Sep 12, 2018)

New in Acunetix Web Vulnerability Scanner 12.0.180801120 (Aug 2, 2018)

New in Acunetix Web Vulnerability Scanner 12.0.180725169 (Jul 30, 2018)

New Features:
HTTP responses is not shown for vulnerabilities detected (only affects new scans)
Manual Intervention has been implemented in v12
New Vulnerability checks
Updated WordPress Plugin vulnerability detection
Added detection of Java Object Deserialization vulnerabilities
Added detection for Cisco ASA Path Traversal (CVE-2018-0296)
Added tests for misconfigured Nginx aliases that can lead to a path traversal
Added detection of Spring Security Authentication Bypass Vulnerability (CVE-2016-5007)
Added detection of weak/insecure permissions for Atlassian Jira REST interface
Added detection of Apache Tomcat Information Disclosure (CVE-2017-12616)
Added detection of Spring Data REST Remote Code Execution (CVE-2017-8046)
Added detection of Insecure Odoo Web Database Manager
Added detection of JBoss Remote Code Execution (CVE-2015-7501 and CVE-2017-7504)
Added detection of WebSphere Remote Code Execution (CVE-2015-7450)
Updates:
Password is no longer required when configuring client certificate for a Target
Additional memory optimisations
Scanner will not report when the LSR cannot login
Application Error Message vulnerability check updated to provide more details on the error
Reports, XML exports and WAF exports now use a more meaningful filename
Reports now show the status of a scan
Scan debug logs now include imported files
Increase maximum number of issues trackers that can be configured
Fixes:
multiple crashes while scanning
Scanner will now re-authenticate when website invalidates authentication during scan (applies to HTTP authentication only)
Scanner sometimes fails to decode LSR output, leading to an unauthenticated scan
Fixed manty issues causing vulnerabilities not to be detected or to be detected incorrectly
Two fixes affecting the setting of Cookies
Fixed issue in RSS parsing
Fields with certain characters in the name (such as $) or were not being tested
Some out of scope paths were still being crawled
Fix in the Autologin
Upon upgrade, user is asked to “Logout from Other Session”
Target and Vulnerabilities reports were failing
Recurrent scans for Standard licenses were being disabled
some reports were generated without file extension

New in Acunetix Web Vulnerability Scanner 12.0.180709159 (Jul 9, 2018)

New in Acunetix Web Vulnerability Scanner 12.0.180628131 (Jul 2, 2018)

New in Acunetix Web Vulnerability Scanner 12.0.180619111 (Jun 22, 2018)

New in Acunetix Web Vulnerability Scanner 12.0.180615107 (Jun 18, 2018)

New in Acunetix Web Vulnerability Scanner 12.0.180611183 (Jun 13, 2018)

New in Acunetix Web Vulnerability Scanner 12.0.180521161 (May 30, 2018)

New in Acunetix Web Vulnerability Scanner 12.0.180517125 (May 30, 2018)

New in Acunetix Web Vulnerability Scanner 12.0.180509176 (May 30, 2018)

New in Acunetix Web Vulnerability Scanner 11.0.173271618 (Nov 24, 2017)

New in Acunetix Web Vulnerability Scanner 11.0.173131028 (Nov 9, 2017)

New in Acunetix Web Vulnerability Scanner 11.0.172901635 (Oct 18, 2017)

New in Acunetix Web Vulnerability Scanner 11.0.172641450 (Sep 22, 2017)

New in Acunetix Web Vulnerability Scanner 11.0.172371608 (Sep 1, 2017)

New in Acunetix Web Vulnerability Scanner 11.0.172351036 (Aug 23, 2017)

New in Acunetix Web Vulnerability Scanner 11.0.171381251 (May 18, 2017)

New in Acunetix Web Vulnerability Scanner 11.0.171251523 (May 9, 2017)

New in Acunetix Web Vulnerability Scanner 11.0.171181742 (May 3, 2017)

New in Acunetix Web Vulnerability Scanner 11.0.170941159 (Apr 4, 2017)

New in Acunetix Web Vulnerability Scanner 11.0.170751531 (Mar 22, 2017)

New in Acunetix Web Vulnerability Scanner 11.0.170611402 (Mar 3, 2017)

New in Acunetix Web Vulnerability Scanner 11.0.170471153 (Feb 23, 2017)

New in Acunetix Web Vulnerability Scanner 11.0.170461052 (Feb 15, 2017)

New in Acunetix Web Vulnerability Scanner 11.0.170341008 (Feb 13, 2017)

New in Acunetix Web Vulnerability Scanner 11.0.163541031 (Dec 21, 2016)

New Features:
Acunetix Enterprise users can now generate their API key to be used for the Acunetix API (contact [email protected] for more information on the API)
Selenium IDE files are now supported as Import files in Acunetix v11
The Acunetix Login Sequence Recorder can now edit login sequence files.
New Vulnerability Tests:
Privilege escalation vulnerability in Joomla! Core
Multiple vulnerabilities in Joomla! Core, including arbitrary file upload and information disclosure vulnerabilities
WordPress Plugin Nelio AB Testing Server-Side Request Forgery (SSRF)
WordPress Plugin WooCommerce Email Test Information Disclosure
WordPress Plugin All In One WP Security & Firewall Cross-Site Scripting
WordPress Plugin Podlove Podcast Publisher Cross Site Scripting and SQL Injection Vulnerabilities
WordPress Plugin WP Support Plus Responsive Ticket System SQL Injection
WordPress Plugin wpDataTables Lite Cross-Site Scripting
WordPress Plugin Twitter Cards Meta Cross Site Scripting and Server Side Request Forgery Vulnerabilities
WordPress Plugin Multisite Post Duplicator Cross-Site Request Forgery
WordPress Plugin Social Share Buttons-Social Pug Cross-Site Scripting
WordPress Plugin Delete All Comments Arbitrary File Upload
WordPress Plugin BP Profile Search PHP Object Injection
WordPress Plugin Quiz And Survey Master (Formerly Quiz Master Next) Multiple Vulnerabilities
WordPress Plugin Analytics Stats Counter Statistics PHP Object Injection
WordPress Plugin Backup & Restore Dropbox PHP Object Injection and Information Disclosure Vulnerabilities
WordPress Plugin Ultimate Member Security Bypass
WordPress Plugin Simple Personal Message SQL Injection
WordPress Plugin WA Form Builder SQL Injection
WordPress Plugin WP Vault Local File Inclusion
Improvements:
The Acunetix UI will show a message when the license is not activated.
The Login Sequence Recorder will make use of the proxy settings configured for the Target.
Better handling of cookies.
Bug Fixes:
Fixed reports generated for targets that have not been scanned
Fixed allowance of empty Import Files to be uploaded for a Target
Some information returned by AcuSensor was not reflected in the vulnerability details
Fixed false positive in the ASP.NET debug mode check
Various minor updates and fixes

New in Acunetix Web Vulnerability Scanner 11.0.163221044 (Nov 24, 2016)

New in Acunetix Web Vulnerability Scanner 10.5 Build 20160215 (Feb 22, 2016)

New in Acunetix Web Vulnerability Scanner 10.0 Build 20151125 (Jan 18, 2016)

New in Acunetix Web Vulnerability Scanner 10.0 Build 20151028 (Oct 29, 2015)

New in Acunetix Web Vulnerability Scanner 10.0 Build 20151026 (Oct 26, 2015)

New in Acunetix Web Vulnerability Scanner 10.0 Build 20150921 (Sep 25, 2015)

New in Acunetix Web Vulnerability Scanner 10.0 Build 20150820 (Aug 26, 2015)

New in Acunetix Web Vulnerability Scanner 10.0 Build 20150706 (Jul 11, 2015)

New in Acunetix Web Vulnerability Scanner 9.5 Build 20141120 (Nov 24, 2014)

New in Acunetix Web Vulnerability Scanner 9.5 Build 20140902 (Oct 8, 2014)

New Features:
Implemented a test for format strings vulnerabilities in web applications
Implemented support for Hibernate Query Injection
Implemented a check for MySQL username disclosure in error messages
Implemented a test looking for vBulletin 5 SQL injection
Implemented detection of Multiple Vulnerabilities in Parallels Plesk Sitebuilder
Implemented a test looking for WordPress XMLRPC bruteforce
Implemented a test for Remote File Upload vulnerability in Mailpoet/Wysija newsletters popular WordPress plugin
Implemented a test for Insecure Nonce Generation in popular WordPress plugin WPTouch
Implemented a test looking for various JSP access restriction bypasses in Java web applications
Implemented detection of multiple vulnerabilities in Kunena Forum for Joomla
Implemented a test checking if applets are permitted when file uploads are possible (this will lead to XSS vulnerabilities)
Added a test for Java Debug Wire Protocol vulnerabilities
Added a test for Zabbix XXE
Added a test looking for Weblogic console default credentials
Added a test for Symphony debugging console enabled
Added a test for some MongoDB vulnerabilities
Added a test looking for Chrome Logger information disclosure
Added a generic script looking for unsecured mail forms that could lead to spam
Added a test to check if ASP.NET Viewstate MAC is enabled
Implemented a test for WordPress/Drupal/… XML quadratic blowup denial of service attack
Added a test looking for HTML injection with unterminated tag
Added a test for WordPress plugin Custom Contact Forms.
Improvements:
Various optimisations to Amazon S3 related scripts such as XXE and SSRF
Improved the script looking for possible sensitive files
XSS script can now find less common XSS variants such as double encode payloads
SQL injection script checks for other variants such as SQL injection in order by, group by
XSS script now checks for many user controllable tag attributes
Various optimizations in the generation of reports
Improved Server Directory Traversal script
Improved Host Header Attack script
Bug Fixes:
Fixed JS errors that appear in HTTP editor.
Restricted links matching was not working in some situations.
Fixed the slow response time alert – moved alert details from description.
Fixed a false positive with Struts2_Development_Mode script.
Auto login crash if requests were failing after a long time.
Existing cookies from manual browsing were ignored by crawler.
Reduced some false positives in Backup file reporting.
Login Sequence Recorder will delete the cookies it collected in the wizard.
Crawler will use cookies from LSR in manual mode.

New in Acunetix Web Vulnerability Scanner 9.5 Build 20140602 (Jun 4, 2014)

New Features:
Added a check for Open Flash Chart 'ofc_upload_image.php' Remote PHP Code Execution Vulnerability which affects various web applications including WordPress plugins, Joomla! components, piwik, and others
Added a test for Joomla! v3.2.2 SQL Injection vulnerability
Added a script which checks for various known Drupal vulnerabilities (in Drupal modules and Drupal core)
Added a test for SFTP/FTP credentials exposure. Various SFTP/FTP clients are storing connection credentials in plain text files (such as sftp-config.json, recentservers.xml, etc.) that are later uploaded on the web server
Added a test for "Same Site" Scripting
Added a test for Parallels Plesk SSO (Single sign-on) XXE (XML External Entity) and XSS (Cross-Site Scripting) vulnerabilities
Added a test for systems running PHP versions < 5.5.12, 5.4.28 (multiple vulnerabilities fixed in these versions including the Heartbleed bug affecting PHP)
Added a test looking if the Elasticsearch service is accessible
Added a test for Elasticsearch remote code execution
Added a test for nginx SPDY heap buffer overflow (CVE-2014-0133)
Added a test for Adobe ColdFusion 9 Administrative Login Bypass
Added a test for multiple vulnerabilities affecting Ioncube loader-wizard.php file
Added a test looking for Apache Roller OGNL Injectio
Added a test for Apache Tomcat JK Web Server Connector security bypass.
Added a test looking for XSS vulnerabilities in GWT Google Web Toolkit - CVE-2012-4563, CVE-2012-5920, CVE-2013-4204
Added detection of PHP framework CodeIgniter
Added a test that checks for server-side redirects from http:// to file://
Added a test looking for weak encryption keys in CodeIgniter-based web applications
Added a test looking for insecure Django strip_tags implementation
Added a test for JBoss Seam 2.3.1 Remoting Vulnerabilities
Added detection and a check for the latest version of Typo3 web application
Added a test looking for Adobe Cold Fusion directory traversal and information disclosure (CVE-2013-3336)
Added the following Cross Domain Data Hijacking vulnerability checks: ?Through file uploads,
Through unsafe JSONP callback
Through control over the top of the response page
Added a test looking for Database connection strings information disclosure
Added a test for CodeIgniter

New in Acunetix Web Vulnerability Scanner 9.5 Build 20140505 (May 5, 2014)

New in Acunetix Web Vulnerability Scanner 9.0 Build 20140313 (Apr 18, 2014)

New in Acunetix Web Vulnerability Scanner 9.0 Build 20140206 (Apr 18, 2014)

New in Acunetix Web Vulnerability Scanner 9.0 Build 20140115 (Apr 18, 2014)

New in Acunetix Web Vulnerability Scanner 9.0 Build 20131216 (Apr 18, 2014)

New Features:
Added a new Compliance Report Template for PCI 3.0
Added support for HTML5 button of type submit (which acts as an HTML input of type submit).
Added a test for Ruby on Rails CookieStore Session Cookie Persistence vulnerability
Added a test for Umbraco CMS TemplateService Remote Code Execution vulnearbilities
Added a test for WordPress OptimizePress unrestricted file upload
Added application detection profile for Nagios.
Added a test for Nagios Core Config Manager SQLi vulnerability
Added a test for Zend Framework application.ini Information Disclosure
Added a test for a XSS vulnerability in clipboard.swf used in WordPress SyntaxHighlighter Evolved Plugin.
Added tests for multiple vulnerabilities in Oracle JavaServer Faces
Added a test for Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution.
Added a test for Insecure Flash embed parameter (AllowScriptAccess).
Added a test for Nginx memory disclosure vulnerability
Added filename (from file uploads) as an input scheme for a number of tests (XSS, Directory Traversal, SQL Injection, XXE Injection and others)
Implemented a test looking for Java Authentication and Authorization Service (JAAS) authentication bypass (when using a security-constrain section with http-method definitions).
Implemented a test looking for Ruby on Rails weak/known secret tokens.
Now it's possible to read cookie information from scripting (getCookies function).
Implemented a test which checks for JavaScript libraries with known vulnerabilities.
Added a new console parameter /Timestamps to print the current timestamp with each console output line.
Improvements:
Improved test for WordPress OptimizePress Theme file upload vulnerability.
The scanner will now indicate that a scan can take long time to complete, allowing the user to tweak the scan settings if needed.
Various improvements to the Login Sequence Recorder
Improved the test looking for possible form caching (look for missing "pragma: no-cache" header).
It is now possible to use multiple input values for HTML inputs using the format: $(choice1,choice2). These can be configured from Configuration > Scan Settings > Input Fields.
Speed improvements gained by streamlining the number of requests performed by some checks.
Better handling of some uncommon HTTP status codes.
The user-agent of the Login Sequence Recorder can now be configured to use the one configured in WVS (by default, it uses Internet Explorer)
Directory Traversal script now provides better handling of Java Web Applications.
Improved the calculation of the average response time during a scan
Bug Fixes:
Sites with a high response time were showing incorrect scan statistics.
Fixed rewrite detection on nginx servers with phpfastcgi.
Fixed some false positives in SQL Statement in comment.
Better handling of very long VIEWSTATE strings.
Improved handling of Windows based websites by providing better support for case insensitive filesystems
Scan from HTTP Proxy log entry was not working correctly
Fixed a crash caused by specific characters in the URL Encoded Post Data
Fixed a false positive in Script_Source_Code_Disclosure.script
Fixed some false positives in error messages.
Web Services: fixed Out of Bounds error when importing invalid WSDLs.