Invicti Enterprise On-Demand 28 Mar 2024 v24.3.1
This update includes changes to the internal agents. The internal scan agent’s current version is 24.3.1. The internal authentication verifier agent’s current version is 24.3.1.
New features
- Provided a new encryption method of API Token for Agent/Verifier Agent
- The CVSS 4.0 scores are now available via API
- A new feature to make the Discovery settings more precise – ability to include/exclude main level domains – reached Early Access for selected customers
- The pre-request script will now have the capability to generate AWS signature tokens to perform authentication
New security checks
- Added a new security check for TLS/SSL certificate key size too small issue
- Added a new security check for CVE-2023-46805 / CVE-2024-21887
- Added a new signature for Stack Trace Disclosures (ASP.Net)
- Added a new security checks for Client-Side Prototype Pollution
- Added a new Security Check that allows to report two vulnerabilities: TorchServe Management API Publicly Exposed and TorchServe Management API SSRF (CVE-2023-43654)
- Command Injection in VMware Aria Operations for Networks can now be detected
Improvements
- Improved WP Config detection over backup files
- Report template of Possible XSS is updated to cover mime sniffing
- The Agent type (Arm or Intel) information is displayed on the Scan Summary page
- The Permissions on the General Settings screen are now grouped by category rather than listed without being categorised
- A feature allowing the enabling or disabling of the JavaScript Parser has been added, facilitating JavaScript parameter discovery within the JavaScript code
- Fixed the issue where the Jenkins plug-in sent requests directly to the default gateway instead of routing them through the proxy
- The Team Administrator role checkbox is now in a separate ‘Limiting Permissions Role’ section
Fixes
- Disabled the BREACH Security Engine
- Increased the default Severity level of Version Disclosure (Varnish) from ‘Information’ to ‘Low’
- Fixed the issue where users were unable to load the Scan Report
- Fixed the issue where Internal Scans were not failing if their Agents were terminated
- Fixed the Azure Boards integration, which was reported to have been suspended by itself
- Fixed the issue where the customer couldn’t scan their target with the additional website properly
- Fixed query optimization on the main Scans page, resulting in improved response time and query quality
- The page number in the Custom Script Editor is now correctly displayed
- When the Token is expired, the Azure Boards Integration is disabled
- Fixed concurrency exceptions occurring for the scan and website tables due to excessive update requests sent within a short timeframe
- Fixed the inability to export a scan from Invicti Standard to Invicti Enterprise
- The Issues counter on the Dashboard now displays the correct number of issues
- Fixed the inability of the custom script editor to load the form authentication fields
- Fixed an issue when Team Administrator and Account Owner role are assigned to the same user