v24.11.0 - 18 November 2024

New Features

• Integration with Mend SAST: display Mend SAST results alongside DAST results in Invicti Enterprise so you can prioritize all your application security testing fixes in one list → Learn more
• API Security: Added integration with Azure API Management to fetch Swagger2 and OpenAPI3 specification files → Learn more
• API Security now supports working with RAML specs from MuleSoft Anypoint Exchange

New Security Checks

• Updated detection for ActiveMQ - Remote Code Execution (CVE-2023-46604) and TorchServe Management API SSRF (CVE-2023-43654)
• Added detection for multiple JavaScript libraries
• Added detection for Masa CMS (CVE-2022-47002 and CVE-2021-42183)

Improvements

• Database optimizations
• Reporting improvements for the “Unknown Option Used In Referrer-Policy” vulnerability
• Improved the behavior of the 'Recent Scans' button group on the global dashboard when using the mobile view

Fixes

• Fixed a timeout bug in zero-configuration API discovery
• Fixed some wording inconsistencies and other minor improvements to the user interface
• Removal of sitemap data when a scan is canceled, failed, or aborted
• Resolved an issue in the General Settings page configuration
• Resolved an issue with user sessions not timing out in compliance with the specified configuration
• Fixed a false positive issue with Boolean Based MongoDB Injection detection
• Out-of-date version for Boolean Based MongoDB Injection is now reported correctly
• Vulnerability profiles that are set as hidden will now still be reported in the scan reports of scans completed prior to the vulnerability being hidden
• Fixed a bug in the editing of scan profiles with custom report policies
• Resolved an issue in the exporting of team member data with all attributes selected
• Resolved an issue with missing vulnerability profiles in custom report policies