28 Sep 2023

28 September 2023 - v23.9.0

New features

Added the option to set a Custom HTTP Authorization Header under Scan policy > HTTP > Request
Adjusted agent download parameters to allow installation of internal scanner agents using the Docker client via the Invicti registry service
Changed the compression tool and default compression format for log files from 7zip to Tar
Added functionality to enable entering of multiple IP addresses and IP ranges into the IP Address Restrictions setting. Previously, only single-entry IP addresses were permitted.
Added TLS certificate authentication as an option when integrating with HashiCorp Vault. Previously, we only supported token authentications.

New security checks

Added new patterns to detect XSS

Improvements

Improved notification delivery with integration services
[Closed Beta] Protected visibility of passwords within custom scripts
Improved detection and reporting of File Inclusion vulnerabilities
Improved detection and reporting of Sensitive Data Exposure vulnerabilities
Improved detection and reporting of Dockerfiles
Disabled caching from the boolean-based MongoDB security engine to avoid possible false positives
Improved the content-type exemption for non-HTML content types in the CSP engine
Improved the typehead.js check to increase stability
Removed the X-XSS-Protection header check because it is deprecated by modern browsers
Added functionalities to prevent bot detection and fixed an issue that was causing cookie loss after authentication
Improved the remediation part for the JetBrains .idea detected vulnerability
Added information to the UI about the functionality of the 'Edit My Team's Role' permission
Added bypass list functionality for scan policies

Fixes

Fixed a bug in the date filter that was causing incorrect information to display on the dashboard
Fixed the external SOAP web service import problem
Fixed a problem that was causing default values to be filled incorrectly, resulting in false negatives
Fixed Vulnerabilities visible from the UI but not via API in certain failed scan situations
Fixed inconsistent scan states in rare deleted scan scenarios
Fixed missing Next Execution Time for certain scheduled scans
Fixed an issue that prevented saving scheduled scans in some scenarios
Fixed inconsistencies in the Resource Finder with certain hidden files and backup files
Improved updating of groups in Azure Provisioning scenarios
Fixed a problem with converting scan data while the CloudProvider Settings page is open
Fixed a database update exception when a large number of scans are launched simultaneously
Fixed the incorrect reporting of outdated technology versions
Fixed a bug that was preventing reports from being saved
Fixed a bug that can cause too much browser user data to be left in the temp folder
Fixed a bug that was stopping the certificate authentication process from working correctly for Authverifiers
Fixed a boolean-based MongoDB Injection that was causing false positives in scan reports
Fixed the incorrect display of vulnerabilities when importing scan results from Invicti Standard to Invicti Enterprise
Fixed a bug that was preventing the editing of internal website URLs
Fixed a character validity issue so that user names with Danish characters can now be edited in the UI
Fixed a bug that was allowing access to the UI via the back button after the user had signed out
Fixed the Discovery Main Domains Filter Expression that was not working properly for some domains
Fixed an issue that was causing tags to be duplicated when a website was imported using a CSV file
Fixed the update agent command that was not working correctly
Fixed the internal Linux v23.7 AV agent that wasn’t sending header configurations
Encrypted the proxy password used in the scan policy file
Fixed a scan coverage issue
Fixed a custom script issue so that now passwords written to the logs are encrypted
Fixed an issue where vulnerabilities could not be generated as CloudFlare WAF rules via API