v24.7.0 - 9 July 2024

This update includes changes to the internal agents. The internal scan agent’s current version is 24.7.0. The internal authentication verifier agent’s current version is 24.7.0.

New Features

• Added custom headers for communication between Agents and Invicti Hawk
• Added a warning message when creating scan targets for websites that do not have a hostname mapped to an IP address

New Security Checks

• Added detection for supply chain attacks through Polyfill JS
• Added detection for GeoServer SQLi (CVE-2023-25157)
• Added checks for various WordPress plugins

Improvements

• Improved Credit Card Disclosure Security Check
• Set the severity of 'Possible XSS' vulnerabilities to 'Informational'
• Improved various Sensitive Data Exposure security checks
• Improved detection of the Short SSL Key Length vulnerability
• Added capability to check for Sensitive Data in XML responses

Fixes

• Fixed missing Request Body content in vulnerability details
• Fixed an issue with the selection of agent groups
• Fixed an issue with the order in which internal agent scans are initiated
• Fixed an issue with the 'Ignore Certificate Errors' Agent setting for SSL Validation
• Fixed a download problem with PCI reports
• Fixed an issue with the SSO login that was causing incorrect redirects
• Removed references to 3.2 in the PCI DSS Compliance scan summary
• Fixed an issue with the Azure Boards integration reopening old vulnerabilities that do not link to active issues in Invicti Enterprise
• Fixed a timeout issue that was occurring on a prerequest script
• Fixed a problem in the JWT Engine to resolve a false positive issue
• Updated vulnerable OpenSSL libraries to secure versions
• Fixed a bug in the Checkout Logout Detection so that it now chooses the same verification agent as the verification process
• Fixed an issue related to the OTA app scan
• Fixed HTTP 413 responses resulting from nonce cookies stacking