Invicti Standard Changelogs | Invicti https://www.invicti.com/changelogs/invicti-standard/

v24.5.1 – 28 May 2024 https://www.invicti.com/changelogs/invicti-standard/is-v24-5-1-28-may-2024/ Tue, 28 May 2024 11:11:34 +0000 This release includes new security checks, improvements, and bug fixes.

The post v24.5.1 – 28 May 2024 appeared first on Invicti.

New Security Checks

Improvements

  • Updated CWE IDs for several vulnerabilities

Fixes

  • Fixed an issue in the detection of the ‘Improper XML parsing leads to Billion Laughs Attack’ vulnerability
  • Resolved an issue with the Business Logic Recorder

v24.5.0 – 7 May 2024 https://www.invicti.com/changelogs/invicti-standard/is-v24-5-0-7-may-2024/ Tue, 07 May 2024 13:42:34 +0000 This release includes Korean language support, new security checks, and bug fixes.

New features
  • Enabled Korean language support

New Security Checks

  • Added detection method for Angular
  • Added a new security check for Oracle EBS RCE

Fixes

  • Fixed a scan authentication issue and a crawling issue with Cloud Agents
  • Fixed a form authentication error triggered by HTTP 401 responses
  • Fixed an issue with the detection method for wp-admin vulnerabilities
  • Fixed an error that was occurring when generating knowledge base reports
  • Updated the extraction algorithm for downloaded scan files from Invicti Enterprise
  • Fixed a scan issue that was producing 413 error responses

v24.4.0 – 17 April 2024 https://www.invicti.com/changelogs/invicti-standard/is-v24-4-0-17-april-2024/ Wed, 17 Apr 2024 13:21:49 +0000 This release includes improvements and bug fixes.

Improvements
  • Improved AWS Secret Key ID detection security checks
  • Improved Google Cloud API Key detection security checks
  • Updated remediation information for AngularJS-related vulnerabilities
  • Improved Boolean-Based MongoDB Injection detection method

Fixes

  • Fixed an error when validating Shark settings
  • Fixed an issue with duplicate custom user agents that was preventing scanning
  • Fixed an issue where authentication would fail when started with an Authentication profile
  • Fixed an issue that caused proxy usage for Chromium even when no proxy was selected from the scan policy settings

v24.3.1 – 28 March 2024 https://www.invicti.com/changelogs/invicti-standard/is-v24-3-1-28-march-2024/ Thu, 28 Mar 2024 12:40:56 +0000 This release includes new features, new security checks, some improvements, and bug fixes.

New features
  • Added a new encryption method for the API token used by the Agent and Verifier Agent
  • Added a pre-request script that generates an AWS Signature token

New security checks

  • Added a new security check for TLS/SSL certificates whose key size is too small
  • Improved WP Config detection over backup files
  • Added a new security check for CVE-2023-46805 / CVE-2024-21887 (Ivanti Connect Secure and Policy Secure authentication bypass and command injection)
  • Added detection for exposed WordPress configuration files
  • Added a new security check that reports two vulnerabilities: TorchServe Management API Publicly Exposed and TorchServe Management API SSRF
  • Command Injection in VMware Aria Operations for Networks can now be detected

Improvements

  • Added highlighting and verification of response status codes
  • Disabled the BREACH Security Engine
  • Updated the Possible XSS report template to cover MIME sniffing
  • Increased the default Severity level of Version Disclosure (Varnish) from ‘Information’ to ‘Low’

Fixes

  • Fixed an issue where a target could not be scanned properly together with its additional websites
  • Fixed a memory issue in the JavaScript parser
  • Fixed the custom script editor failing to load the form authentication fields

v24.3.0 – 12 March 2024 https://www.invicti.com/changelogs/invicti-standard/v24-3-0-12-march-2024-2/ Tue, 12 Mar 2024 14:33:10 +0000 This release includes new features, new security checks, and bug fixes.

New features
  • Added the ability to force authentication verifier agents to use incognito mode by default on Chromium browsers

New security checks

  • Added detection for Apache ActiveMQ RCE (CVE-2023-46604) to the OOB RCE attack pattern

Fixes

  • Added a Cookie Source field to the Knowledge Base Cookies screen

v24.2.0 – 20 February 2024 https://www.invicti.com/changelogs/invicti-standard/is-v24-2-0-20-february-2024/ Tue, 20 Feb 2024 11:51:41 +0000 This release includes new features, new security checks, improvements, and bug fixes.

New features
  • Added a new Business Logic Recorder (BLR) log providing details on BLR execution

New security checks

  • Implemented a detection and reporting mechanism for the Backup Migration WordPress plugin (CVE-2023-6553)
  • Added detection for TinyMCE

Improvements

  • Updated the “Insecure Transportation Security Protocol Supported (TLS 1.0)” vulnerability to High Severity
  • Updated the WSDL serialization mechanism
  • Implemented support for scanning sites with location permission pop-ups
  • Added support for FreshService API V2
  • Removed obsolete X-Frame-Options Header security checks

Fixes

  • Fixed a bug in the Request/Response tab of Version Disclosure vulnerabilities
  • Removed the target URL from the scope control list

v24.1.1 – 30 January 2024 https://www.invicti.com/changelogs/invicti-standard/v24-1-1-30-january-2024/ Tue, 30 Jan 2024 13:21:12 +0000 This release includes new security checks, improvements, and bug fixes.

New security checks
  • Added a check for dotCMS
  • Added a check for the Ultimate Member WordPress plugin
  • Added a new mXSS pattern
  • Added new signatures to detect JWKs

Improvements

  • Improved the recommendations for the Weak Ciphers Enabled vulnerability
  • Improved detection of swagger.json vulnerabilities
  • Added support for AWS WAFv2 rules
  • Made more error and warning messages user-friendly
  • Added Sentry implementation into the Agent repository

Fixes

  • Fixed a proxy issue that was impacting the detection of weak ciphers
  • Fixed a problem with importing WSDL files

v24.1.0 – 9 January 2024 https://www.invicti.com/changelogs/invicti-standard/is-v24-1-0/ Tue, 09 Jan 2024 08:27:42 +0000 This release includes new features, improvements, and bug fixes.

New features
  • In the scan settings section, we’ve added a checkbox (under Authentication > Form) to collect all logs about the authentication progress
  • Enhanced reporting of DOM XSS vulnerabilities

Improvements

  • Updated the Shark .NET sensor to .NET 6
  • Improved site-logout detection

Fixes

  • Resolved a problem with missing information in the report policy database
  • Fixed an issue with the import of scan data from Invicti Enterprise to Invicti Standard
  • Fixed a bug in the importing of links
  • Fixed some vulnerabilities on our Invicti Docker Image by updating the packages
  • Fixed reporting of some false-positive passive out-of-date vulnerabilities

v23.12.0 https://www.invicti.com/changelogs/invicti-standard/v23-12-0/ Wed, 13 Dec 2023 10:42:27 +0000 This release includes the addition of CVSS 4.0 categorization of vulnerabilities and support for PCI DSS 4.0. New security checks have been added for HSQLDB and Typo3 vulnerabilities and report templates.

New features
  • Added CVSS 4.0 categorization of vulnerabilities
  • Added support for PCI DSS 4.0
  • Added new messaging for when scans fail due to a mistyped http:// or https:// scheme

New security checks

  • Added new HSQLDB vulnerabilities and report templates
  • Added new Typo3 vulnerabilities and report templates

Improvements

  • Improved the vulnerability calculator for Boolean-based MongoDB injection
  • Improved the signature for ‘.dockerignore File Detected’ issues
  • Improved the request body rating algorithm
  • Improved the signature for Joomla detection
  • Improved other Docker-related signatures
  • Improved the Postman collection parsing algorithm
  • Resolved an issue with adding a client certificate to set up a scan
  • Added logs for better traceability of BLR playbacks

Fixes

  • Fixed a null reference exception (NRE) in the agent log when any authentication setting is adjusted
  • Fixed an issue that was causing verifiers to not use scan policy proxy settings
  • Fixed an auth verifier client certificate authentication path error

v23.11.0 https://www.invicti.com/changelogs/invicti-standard/v23-11-0-42728/ Thu, 16 Nov 2023 07:58:53 +0000 This release includes a new ignored parameter type for scan policies, new security checks for WordPress, along with several improvements and fixes.

New features
  • Added an option under New Scan Policy > Ignored Parameters to allow customers to set ‘Cookie’ as a type of ignored parameter

New security checks

  • Added new checks for the WordPress Login with Phone Number Plugin: CVE-2023-23492
  • Added new checks for the WordPress JupiterX Core Plugin: CVE-2023-38389, CVE-2023-38388

Improvements

  • Added support for custom authentication tokens without token type
  • Improved LFI attack patterns for better accuracy
  • Fixed some vulnerabilities in the Docker image
  • Made the sensitive data rules stricter
  • Improved bot detection bypass scenarios

Fixes

  • Fixed custom header values in scan profiles so that they are masked
  • Docker Cloud Stack check has been updated to reduce noise
  • Fixed an issue with adding configuration files to scan profiles
  • Reclassified SSL/TLS issues from CWE-311 (Missing Encryption of Sensitive Data) to CWE-319 (Cleartext Transmission of Sensitive Information)
