v24.4.0 - 17 Apr 2024
This release includes improvements and bug fixes.
Improvements
- Improved AWS Secret Key ID detection security checks
- Improved Google Cloud API Key detection security checks
- Updated remediation information for Angular JS related vulnerabilities
- Improved Boolean-Based MongoDB Injection detection method
Fixes
- Fixed a validation error when validating Shark settings
- Fixed an issue with duplicate custom user agents that was preventing scanning
- Fixed an issue where authentication would fail when started with an Authentication profile
- Fixed an issue that caused proxy usage for Chromium even when no proxy was selected from the scan policy settings
v24.3.1 - 28 Mar 2024
This release includes new features, new security checks, some improvements, and bug fixes.
New features
- Provided a new encryption method of API Token for Agent/Verifier Agent
- Added a pre-request script to generate AWS Signature token
New security checks
- Added a new security check for TLS/SSL certificate key size too small issue
- Improved WP Config detection over backup files
- Added a new security check for CVE-2023-46805 / CVE-2024-21887
- Added detection for exposed WordPress configuration files
- Added a new Security Check that allows to report two vulnerabilities: TorchServe Management API Publicly Exposed and TorchServe Management API SSRF
- Command Injection in VMware Aria Operations for Networks can now be detected
Improvements
- Implemented enhancements: Highlighting and Verification of Response Status Codes
- Disabled the BREACH Security Engine
- Report template of Possible XSS is updated to cover mime sniffing
- Increased the default Severity level of Version Disclosure (Varnish) from ‘Information’ to ‘Low’
Fixes
- Fixed the issue where the customer couldn’t scan their target with the additional website properly
- Fixed an issue that was causing a memory issue in Javascript Parser
- Fixed the inability of the custom script editor to load the form authentication fields
v24.3.0 - 12 Mar 2024
This release includes new features, new security checks, and bug fixes.
New features
- Added the ability to force authentication verifier agents to use incognito mode by default on Chromium browsers
New security checks
- Added detection for ActiveMQ RCE to the OOB RCE Attack Pattern (CVE-2023-46604)
Fixes
- Added a Cookie Source field to the Knowledge Base Cookies screen
v24.2.0.43677 - 20 Feb 2024
This release includes new features, new security checks, improvements, and bug fixes.
New features
- Added a new BLR log providing details on BLR execution
New security checks
- Implemented a detection and reporting mechanism for the Backup Migration WordPress plugin (CVE-2023-6553)
- Added detection for TinyMCE
Improvements
- Updated the “Insecure Transportation Security Protocol Supported (TLS 1.0)” vulnerability to High Severity
- Updated the WSDL serialization mechanism
- Implemented support for scanning sites with location permission pop-ups
- Added support for FreshService API V2
- Removed obsolete X-Frame-Options Header security checks
Fixes
- Fixed a bug in the Request/Response tab of Version Disclosure vulnerabilities
- Removed the target URL from the scope control list
v24.1.0.43434 - 30 Jan 2024
This release includes new security checks, improvements, and bug fixes.
New security checks
- Added a check for dotCMS
- Added a check for the Ultimate Member WordPress plugin
- Added a new mXSS pattern
- Added new signatures to detect JWKs
Improvements
- Improved the recommendations for the Weak Ciphers Enabled vulnerability
- Improved detection of swagger.json vulnerabilities
- Added support for AWS WAFv2 rules
- Improved more of our error and warning messages so they are more user friendly
- Added Sentry implementation into the Agent repository
Fixes
- Fixed a proxy issue that was impacting the detection of weak ciphers
- Fixed a problem with importing WDSL files
v24.1.0.43434 - 09 Jan 2024
This release includes new features, improvements, and bug fixes.
New features
- In the scan settings section, we’ve added a checkbox (under Authentication > Form) to collect all logs about the authentication progress
- Enhanced reporting of DOM XSS vulnerabilities
Improvements
- Updated the Shark Dotnet Sensor to .NET Core 6
- Improved site-logout detection
Fixes
- Resolved a problem with missing information in the report policy database
- Fixed an issue with the import of scan data from Invicti Enterprise to Invicti Standard
- Fixed a bug in the importing of links
- Fixed some vulnerabilities on our Invicti Docker Image by updating the packages
- Fixed reporting of some false/positive passive out-of-date vulnerabilities
v23.12.0.43017 - 13 Dec 2023
This release includes the addition of CVSS 4.0 categorization of vulnerabilities and support for PCI DSS 4.0. New security checks have been added for HSQLDB and Typo3 vulnerabilities and report templates.
New features
- Added CVSS 4.0 categorization of vulnerabilities
- Added support for PCI DSS 4.0
- Added new messaging for when scans fail due to mistyped http/https protocols
New security checks
- Added new HSQLDB vulnerabilities and report templates
- Added new Typo3 vulnerabilities and report templates
Improvements
- Improved the vulnerability calculator for Boolean MongoDB
- Improved the signature for .dockerignore file detected issues
- Improved the request body rating algorithm
- Improved the signature for Joomla detection
- Improved the signature for other docker-related signatures
- Improved the Postman collection parsing algorithm
- Resolved an issue with adding a client certificate to set up a scan
- Added logs for better traceability of BLR playbacks
Fixes
- Fixed the NRE in the agent log if any authentication is adjusted
- Fixed an issue that was causing verifiers to not use scan policy proxy settings
- Fixed an auth verifier client certificate authentication path error
v23.11.0.42728 - 16 Nov 2023
This release includes a new ignored parameter type for scan policies, new security checks for WordPress, along with several improvements and fixes
New features
- Added an option under New Scan Policy > Ignored Parameters to allow customers to set ‘Cookie’ as a type of ignored parameter
New security checks
- Added new checks for the WordPress Login with Phone Number Plugin: CVE-2023-23492
- Added new checks for the WordPress JupiterX Core Plugin: CVE-2023-38389, CVE-2023-38388
Improvements
- Added support for custom authentication tokens without token type
- Improved LFI attack patterns for better accuracy
- Fixed some vulnerabilities in the Docker image
- Stricter sensitive data rules
- Improved bot detection bypass scenarios
Fixes
- Fixed custom header values in scan profiles so that they are masked
- Docker Cloud Stack check has been updated to reduce noise
- Fixed an issue with adding configuration files to scan profiles
- SSL/TLS classification updated from CWE-311 to CWE-319
v23.10.0.42447 - 18 Oct 2023
This release includes improvements and bug fixes.
Improvements
- Added a MaxAuthenticationTime configuration and set the default value as 480 seconds
Fixes
- Fixed a bug that was preventing the import of WSDL files to Invicti Standard
- Fixed version information reported in Web App Fingerprint Vulnerabilities
v23.9.0.42218 - 28 Sep 2023
This release includes two new features and some new security checks, along with multiple improvements and bug fixes.
New features
- Added encoding for sensitive data
- Added the option to enable CSRF checks for authenticated scans only
- Added a sensitive data (password, session cookie, token etc.) encoder
New security checks
- Added JQuery placeholder detection methods
- Added a new security check for the Missing X-Content-Type-Options vulnerability
Improvements
- Improved the JS Delivery CDN disclosure check to increase stability
- Improved the remediation part for the Weak Ciphers Enabled vulnerability
- Reduced the certainty value to 90 for the Robot Attack Detected vulnerability
- Improved the detection method for CSP
- Improved the detection method for the Dockerignore File Detected vulnerability
- Improved the detection method for the Docker Cloud Stack File Detected vulnerability
Fixes
- Improved our XSS capabilities
- Fixed an NTLM login issue
- Fixed a bug that was overwriting proxy settings in scan policies
- Fixed a unique analyzer bug for the WSDL importer
- Fixed a custom proxy bypass list issue
v23.9.0 - 06 Sep 2023
This release includes a new feature that lets you set proxy configurations to Docker Agent as an environment variable when creating a container. We also made several improvements and fixed some bugs.
New feature
- We’ve added the ability to set proxy configurations to Docker Agent as an environment variable when creating a container
Improvements
- Disabled caching from the boolean-based MongoDB security engine to avoid possible false positives
- Improved the content-type exemption for non-HTML content types in the CSP engine
- Improved the typehead.js check to increase stability
- Removed the X-XSS-Protection header check because it is deprecated by modern browsers
- Fixed a scan coverage issue
- Improved the remediation part for the JetBrains .idea detected vulnerability
- Added functionalities to prevent bot detection and fixed an issue that was causing cookie loss after authentication
Fixes
- Fixed the update agent command that was not working correctly
- Fixed the internal Linux v23.7 AV agent that wasn’t sending header configurations
- Encrypted the proxy password used in the scan policy file
- Fixed an issue with missing links when importing a .nss file from Invicti into Acunetix 360
- Fixed the external SOAP web service import problem
- Fixed a custom script issue so that now passwords written to the logs are encrypted
- Fixed an issue that might cause broken functionality for popup pages
- Fixed an issue where vulnerabilities could not be generated as CloudFlare WAF rules via API
- Fixed a bug with Multiple Declarations in the X-Frame-Options Header
- Fixed a localized time issue in the Files area
- Fixed a problem that was causing default values to be filled incorrectly, resulting in false negatives
v23.8.0.41720 - 17 Aug 2023
This release includes new security checks, improvements, and fixes. We added security checks for XSS and improved detection for File Inclusion, Sensitive Data Exposure, and Dockerfiles. We also fixed some bugs.
New security checks
- Added new patterns to detect XSS
Improvements
- Improved detection and reporting of File Inclusion vulnerabilities
- Improved detection and reporting of Sensitive Data Exposure vulnerabilities
- Improved detection and reporting of Dockerfiles
- Added a custom authentication support header to scan policy
Fixes
- Fixed incorrect reporting of outdated technology versions
- Fixed a bug that was preventing reports from being saved
- Fixed the navigation check error on the dom parsing phase
- Fixed an issue that can cause too much browser user data to be left in the temp folder
- Fixed a custom script that was preventing successful basic authentication in some scenarios