Invicti Enterprise On-Demand Changelogs | Invicti
https://www.invicti.com/changelogs/invicti-enterprise-on-demand/

v24.5.1 – 28 May 2024
https://www.invicti.com/changelogs/invicti-enterprise-on-demand/iec-v24-5-1-28-may-2024/ (Tue, 28 May 2024 14:52:25 +0000)

This release includes new security checks, improvements, and bug fixes.

The post v24.5.1 – 28 May 2024 appeared first on Invicti.

This update includes changes to the internal agents. The internal scan agent’s current version is 24.5.1. The internal authentication verifier agent’s current version is 24.5.1.

New security checks

Improvements

Fixes

  • Fixed a bug in the user session timeout setting
  • Resolved an issue with the frequency of out-of-date technology email notifications
  • Removed email notifications for out-of-date technologies in failed scans
  • Fixed an issue that was causing scans to be stuck in an async archiving state
  • Fixed a bug in the automatic sign out functionality when the session timeout period has expired
  • Fixed an issue in the detection of the ‘Improper XML parsing leads to Billion Laughs Attack’ vulnerability

v24.5.0 – 7 May 2024
https://www.invicti.com/changelogs/invicti-enterprise-on-demand/iec-v24-5-0-7-may-2024/ (Tue, 07 May 2024 13:02:30 +0000)

This release includes new security checks, improvements, and bug fixes.
This update includes changes to the internal agents. The internal scan agent’s current version is 24.5.0. The internal authentication verifier agent’s current version is 24.5.0.

New security checks

  • Added detection method for Angular
  • Added a new security check for Oracle EBS RCE

Improvements

  • Updated all IAST sensors to support Java 17 and 21

Fixes

  • Fixed an issue with the detection method for wp-admin vulnerabilities
  • Fixed the issue where scan profiles could not be created through automation tools, Postman, or through the Invicti API Documentation page
  • Fixed the issue with scans that were stuck in ‘Delayed’ or ‘Archiving’ status
  • Fixed an issue that was occurring with the Jira Integration when the Jira URL was set as Localhost
  • Fixed a scan authentication issue and a crawling issue with Cloud Agents
  • Fixed an issue that was occurring when websites were added with both http and https protocols
  • The scan report PDF file name now includes the date and time when it is delivered via the scan-completed notification
  • Fixed the 504 error that was appearing when running the Scans_NewWithProfile endpoint
  • Fixed a bug that was preventing retest scans from launching
  • Fixed an issue with the scan data import from Invicti Enterprise to Invicti Standard
  • Fixed the HTTP 401 forbidden response form authentication error
  • Fixed a scan issue that was producing 413 error responses

v24.4.0 – 17 April 2024
https://www.invicti.com/changelogs/invicti-enterprise-on-demand/iec-v24-4-0-17-april-2024/ (Wed, 17 Apr 2024 12:21:38 +0000)

This release includes improvements and bug fixes.
This update includes changes to the internal agents. The internal scan agent’s current version is 24.4.0. The internal authentication verifier agent’s current version is 24.4.0.

Improvements

  • Improved AWS Secret Key ID detection security checks
  • Improved Google Cloud API Key detection security checks
  • Updated remediation information for Angular JS related vulnerabilities
  • Improved Boolean-Based MongoDB Injection detection method

Fixes

  • Fixed a validation error in the Shark settings
  • Fixed a bug in the API Access settings
  • Resolved an issue with custom severity levels that were reverting to their previous level
  • Fixed a bug in the API update command for scan profiles
  • Removed limits on AWS Discovery port filters
  • Technologies identified during failed scans are no longer displayed
  • Fixed a bug in the scan retention period settings that was causing inaccurate information in the Recent Scans list
  • The Last Login Date is now aligned between the UI and the API
  • Fixed an issue that caused proxy usage for Chromium even when no proxy was selected from the scan policy settings

v24.3.1 – 28 March 2024
https://www.invicti.com/changelogs/invicti-enterprise-on-demand/iec-v24-3-1-28-march-2024/ (Thu, 28 Mar 2024 12:39:16 +0000)

This release includes new features, new security checks, some improvements, and bug fixes.
This update includes changes to the internal agents. The internal scan agent’s current version is 24.3.1. The internal authentication verifier agent’s current version is 24.3.1.

New features

  • Provided a new encryption method of API Token for Agent/Verifier Agent
  • The CVSS 4.0 scores are now available via API
  • A new feature to make the Discovery settings more precise (the ability to include or exclude main-level domains) has reached Early Access for selected customers
  • The pre-request script can now generate AWS signature tokens to perform authentication

New security checks

  • Added a new security check for TLS/SSL certificate key size too small issue
  • Added a new security check for CVE-2023-46805 / CVE-2024-21887
  • Added a new signature for Stack Trace Disclosures (ASP.Net)
  • Added a new security check for Client-Side Prototype Pollution
  • Added a new security check that reports two vulnerabilities: TorchServe Management API Publicly Exposed and TorchServe Management API SSRF (CVE-2023-43654)
  • Command Injection in VMware Aria Operations for Networks can now be detected

Improvements

  • Improved WP Config detection over backup files
  • Report template of Possible XSS is updated to cover mime sniffing
  • The Agent type (Arm or Intel) information is displayed on the Scan Summary page
  • The Permissions on the General Settings screen are now grouped by category rather than listed uncategorised
  • Added an option to enable or disable the JavaScript Parser, which discovers JavaScript parameters within JavaScript code
  • Fixed the issue where the Jenkins plug-in sent requests directly to the default gateway instead of routing them through the proxy
  • The Team Administrator role checkbox is now in a separate ‘Limiting Permissions Role’ section

Fixes

  • Disabled the BREACH Security Engine
  • Increased the default Severity level of Version Disclosure (Varnish) from ‘Information’ to ‘Low’
  • Fixed the issue where users were unable to load the Scan Report
  • Fixed the issue where Internal Scans were not failing if their Agents were terminated
  • Fixed the Azure Boards integration, which was reported to suspend itself
  • Fixed the issue where a target with an additional website could not be scanned properly
  • Optimized the queries on the main Scans page, resulting in improved response time and query quality
  • The page number in the Custom Script Editor is now correctly displayed
  • When the Token is expired, the Azure Boards Integration is disabled
  • Fixed concurrency exceptions occurring for the scan and website tables due to excessive update requests sent within a short timeframe
  • Fixed the inability to export a scan from Invicti Standard to Invicti Enterprise
  • The Issues counter on the Dashboard now displays the correct number of issues
  • Fixed the inability of the custom script editor to load the form authentication fields
  • Fixed an issue that occurred when the Team Administrator and Account Owner roles were assigned to the same user

v24.3.0 – 12 March 2024
https://www.invicti.com/changelogs/invicti-enterprise-on-demand/iec-v24-3-0-12-march-2024/ (Wed, 13 Mar 2024 05:49:38 +0000)

This release includes new features, new security checks, improvements, and bug fixes.
This update includes changes to the internal agents. The internal scan agent’s current version is 24.3.0. The internal authentication verifier agent’s current version is 24.3.0.

New features

  • ServiceNow Application Vulnerability Response integration is now available in the ServiceNow store
  • Added the ability to force the authentication verifier agent to use incognito mode by default in the Chromium browser

New security checks

  • Added detection for ActiveMQ RCE to the OOB RCE Attack Pattern (CVE-2023-46604)

Improvements

  • Improved ServiceNow Vulnerability Response integration

Fixes

  • Fixed the error in the API’s websites/update function
  • Removed logos and brand names from the Detailed Scan Report display
  • The API now correctly assigns the appropriate scan profile when updating the periods of scheduled scans
  • Fixed the hyperlink to the Release Notes within the application
  • Upgraded the Microsoft.Owin package to version 4.2.2
  • Fixed null character error in JIRA integration when sending issues
  • Subsequent tests are now halted if a scan is aborted from Jenkins
  • Scan policies can now be updated with proxy passwords directly through the API
  • GUI and API login dates are now synchronized
  • Added Cookie Source field to the Knowledge Base Cookies screen
  • The CSV export for user lists now includes all attributes that have been selected

v24.2.0 – 20 February 2024
https://www.invicti.com/changelogs/invicti-enterprise-on-demand/iec-v24-2-0-20-february-2024/ (Tue, 20 Feb 2024 11:59:44 +0000)

This release includes new features, new security checks, improvements, and bug fixes.
This update includes changes to the internal agents. The internal scan agent’s current version is 24.2.0. The internal authentication verifier agent’s current version is 24.2.0.

New security checks

  • Implemented a detection and reporting mechanism for the Backup Migration WordPress plugin (CVE-2023-6553)
  • Added detection for TinyMCE

Improvements

  • Updated the “Insecure Transportation Security Protocol Supported (TLS 1.0)” vulnerability to High Severity
  • Implemented support for scanning sites with location permission pop-ups
  • Implemented support for FreshService API V2
  • Revised the labeling of the active vulnerabilities information on the Scan Summary page to provide greater clarity
  • Removed obsolete X-Frame-Options Header security checks

Fixes

  • Fixed a bug in the Request/Response tab of Version Disclosure vulnerabilities
  • Fixed an issue in the technical reports; vulnerabilities identified in Korean are now reported in English
  • Changed the ID parameter from ‘optional’ to ‘required’ within the Scan Policy Update API
  • Removed the target URL from the scope control list
  • Resolved a bug in the filtering of vulnerabilities on the Issues page
  • Fixed a bug in the marking of issues as a false positive
  • Resolved an issue where the agent would become unavailable after receiving a 401 error
  • Fixed the issue with uploading a Swagger file into a scan profile

v24.1.1 – 30 January 2024
https://www.invicti.com/changelogs/invicti-enterprise-on-demand/v24-1-1-iec-30-january-2024/ (Tue, 30 Jan 2024 13:29:09 +0000)

This release includes new features, new security checks, improvements, and bug fixes.
This update includes changes to the internal agents. The internal scan agent’s current version is 24.1.1. The internal authentication verifier agent’s current version is 24.1.1.

New features

  • Added the option to remove Request/Response details from the detailed template to avoid the character limit error when sending vulnerabilities
  • Added the option for customers to display their company name on the PCI report (new scan settings field under General settings)
  • Enabled the ability to re-scan a previously scanned target which allows the application of previous exclusions on the scan and helps avoid false positives on the PCI ASV scan
  • Added the option to enable enhanced logging of failed logins
  • Added functionality to the UI for users to obtain logs from failed scans (previously only system administrators were able to do that)

New security checks

  • Added a check for dotCMS
  • Added a check for the Ultimate Member WordPress plugin
  • Added a new mXSS pattern
  • Added new signatures to detect JWKs

Improvements

  • Improved the recommendations for the Weak Ciphers Enabled vulnerability
  • Improved detection of swagger.json vulnerabilities

Fixes

  • Fixed a bug in the cloning report policies functionality
  • Fixed an error that was occurring with the API endpoint: list-scheduled
  • Fixed a bug with the Jira integration
  • Fixed a bug with custom scheduled scans that were not updating the Next Execution Time field correctly
  • Fixed an issue with the HashiCorp Vault integration token validation path
  • Fixed the missing ‘Known Issues’ tab from scan summary issue details
  • Fixed an issue with the severity trend chart on the Dashboard
  • Fixed a problem with importing WSDL files

v24.1.0 – 9 January 2024
https://www.invicti.com/changelogs/invicti-enterprise-on-demand/iec-v24-1-0/ (Tue, 09 Jan 2024 15:19:36 +0000)

This release includes new features, improvements, and bug fixes.
This update includes changes to the internal agents. The internal scan agent’s current version is 24.1.0. The internal authentication verifier agent’s current version is 24.1.0.

New features

  • Added notifications about agent disk full issues for easier navigation and to prevent scan errors
  • Added an option to the Jenkins plugin to cancel the scan started by the plugin if the Jenkins build is aborted

Improvements

  • Improved reporting of DOM XSS vulnerabilities

Fixes

  • Fixed an issue with removing the client certificate via API
  • Fixed an inconsistency for PCI results between the Invicti UI and the PCI DSS detailed report
  • Fixed a bug that was causing scan session files to fail when loading
  • Fixed inconsistencies with the ‘average time to fix’ table on the dashboard
  • Fixed an issue with the import of scan data from Invicti Enterprise to Invicti Standard
  • Fixed an issue with the form verifier not using the new scan policy until the scan profile is saved
  • Added a custom detailed scan report
  • Fixed a bug in the importing of links
  • Fixed an error that was occurring when setting an issue as Accepted Risk
  • Resolved issues with importing API documentation from a link
  • Resolved issues with the Authentication Verifier and Agent.db file corrupting after update
  • Fixed a bug in the Jenkins plugin that was causing the ‘Stop The Scan When Build Fails’ option to not work correctly

v23.12.0 – 13 December 2023
https://www.invicti.com/changelogs/invicti-enterprise-on-demand/v23-12-0-13-december-2023/ (Wed, 13 Dec 2023 11:50:40 +0000)

This release includes the addition of CVSS 4.0 categorization of vulnerabilities and support for PCI DSS 4.0. There are also several improvements and bug fixes.
This update includes changes to the internal agents. The internal scan agent’s current version is 23.12.0. The internal authentication verifier agent’s current version is 23.12.0.

New features

  • Added CVSS 4.0 categorization of vulnerabilities
  • Added support for PCI DSS 4.0

Improvements

  • Added descriptions to the agent warning messages on the Scan Summary page
  • Updated messaging around the functionality of the Team Administrator role
  • Improved the request body rating algorithm
  • Improved the Postman collection parsing algorithm
  • Resolved an issue with adding a client certificate to set up a scan
  • Improved the vulnerability calculator for Boolean MongoDB

Fixes

  • Fixed an issue with the agent auto-updater
  • Added a missing control for SSO users while editing members
  • Fixed a bug in the communication between Invicti and ServiceNow
  • Fixed a bug that was preventing administrators from creating new notifications or editing built-in notifications
  • Fixed an issue that was causing verifiers to not use scan policy proxy settings
  • Fixed an auth verifier client certificate authentication path error
  • Fixed the Invicti crawler that wasn’t getting JS endpoints correctly

v23.11.1 – 29 November 2023
https://www.invicti.com/changelogs/invicti-enterprise-on-demand/v23-11-1-29-november-2023/ (Wed, 29 Nov 2023 11:24:22 +0000)

This release includes a new security check for Google ProtocolBuffers as well as several fixes.
New security checks

Fixes

  • Fixed a bug that was preventing customers from adding back previously deleted targets
  • Increased the character length for the Jira and ServiceNow integration URL validation regex to ensure it accommodates Top-Level Domains (TLDs)
  • Paused scheduled scans that were resuming automatically will now remain paused until manually resumed
  • Removed the previous limit on the number of supported second-level domains in the Discovery feature
  • Fixed an error that was occurring when updating an issue from Fixed (confirmed) to Accepted Risk status
  • Fixed discrepancies in the numbers displayed on the Dashboard
