Invicti Enterprise On-Demand
This update includes changes to the internal agents. The internal scan agent's current version is 25.3.1. The internal authentication verifier agent's current version is 25.3.1.
New feature
- Added the ability to reset the issue state to its default
Resolved issues
- Fixed an exception caused by an invalid Target URI in scheduled scans
- Fixed an issue where proxy credentials were not encrypted when launching InvictiProxy
- Fixed inconsistent styling in the report policy, ensuring uniform formatting in the vulnerability profile sections
This update includes changes to the internal agents. The internal scan agent's current version is 25.3.0. The internal authentication verifier agent's current version is 25.3.0.
Improvements
- Enhanced technology version identification from URI
- Improved reporting of multiple technology detections on the same file
- Scheduled group scans will be initiated in chunks when exceeding 500 websites
- Updated footer URL in Invicti Enterprise reports
- The SelfDisable command is no longer sent to the Agent when its state is updated to Disabled
- Upgraded 3rd party script libraries
- Added support for encrypting proxy credentials settings in the agent appsettings.json file
- Updated the Splunk Python SDK for the Splunk Plugin to ensure compliance with the latest Splunk Vetting Policy
Resolved issues
- Fixed an error that occurred when sending vulnerabilities to APIHub if externalId is Null
- Fixed permission issue with unlinking API in APIHub
- Fixed a compatibility issue with the latest version of GitHub Actions
- Scheduled scans now remove the URL path after "#" when using the default Scan Profile
- Fixed sorting issues in the dashboard to use numerical order instead of alphabetical
- Updated OpenSSL from version 3.3.1 to 3.3.2
API changes
- The Validate Imported Links API endpoint no longer requires a Target URL when a file is uploaded
This update includes changes to the internal agents. The internal scan agent's current version is 25.2.1. The internal authentication verifier agent's current version is 25.2.1.
Improvements
- Added a loading state for the Export CSV button to prevent multiple clicks
- Improved value filling in GraphQL queries
- Added the ability to re-scan cloned PCI scans on previously scanned targets to apply exceptions
Resolved issues
- Fixed an issue where 'LaunchInstance' errors caused GUIDs to be stored instead of AWS-generated instance IDs in the database
- Fixed an issue that caused the Mend vulnerabilities to be reported with incorrect severity
- Replaced a formatted string in a SQL statement with a prepared statement using SqlCommand and SqlParameter to prevent potential SQL injection
- Fixed the issue which was causing exports from Invicti Standard to Invicti Enterprise to fail
- The issue preventing the use of the Chromium Extension in Scanner and Verifier Agent has been resolved
This update includes changes to the internal agents. The internal scan agent's current version is 25.2.0. The internal authentication verifier agent's current version is 25.2.0.
New features
- Added single-tab crawling for websites that do not allow multiple-tab browsing
- Upgraded the Shortcut integration API endpoint to v3
Improvements
- Added Customizations folder to the Agent Output folder
- Improved the performance of searching by profileName on the Scan-Index page
Resolved issues
- Updated APIHub npm package to the latest version
- Resolved scan authentication issues for multiple pages
- Resolved issues related to screenshots and login processes
- Fixed an issue where the Dashboard Widget Active Issue was empty when selecting a specific target
- Fixed a problem with reverting a vulnerability to default in the issue update endpoint
- Fixed an issue where the update-scheduled API endpoint removed the preferred agent group
- Fixed an auto-update issue for Verifier Agent
- Added control for URLs that should not be included in the scope
- Upgraded the Shortcut (Clubhouse) integration
- Resolved an issue caused by the Chromium version update by updating Chromium dependencies for the Linux operating system. Refer to the updated scripts to install the required dependencies for Headless Chrome.
This update includes changes to the internal agents. The internal scan agent's current version is 25.1.1. The internal authentication verifier agent's current version is 25.1.1.
Improvements
- API specifications from sub-organizations in Mulesoft are now synchronized into API Inventory
Resolved issues
- Improved performance of the All Issues page
This update includes changes to the internal agents. The internal scan agent's current version is 25.1.1. The internal authentication verifier agent's current version is 25.1.1.
New features
- Improved support for handling gRPC multiple proto imports in the Agent and in the engine
New security checks
- Added detection of cookieconsent2 as a technology in the Vulnerability Database (VDB)
Improvements
- Added pull commands for Docker and OpenShift to the New Agent page
- Added the SourceType field to the New Issues API endpoint
- Enhanced agent mode to better distinguish between verifier and scanner agents
- Added the ability to replace placeholders in the browser for Authorization Headers
- Improved the report template of the "JWT Signature is not verified" vulnerability
Resolved issues
- Resolved an issue where file upload events using LSR/BLR in React forms failed to propagate to body-level listeners
This update includes changes to the internal agents. The internal scan agent's current version is 25.1.0. The internal authentication verifier agent's current version is 25.1.0.
New features
- Clicking on the scheduled scan icon in the scan summary screen now redirects you to the Recent Scans page with a filtered view, improving navigation and access to relevant scan details
- Implemented an integration that automatically retrieves the latest Container security results from Mend when a DAST scan is initiated
Improvements
- Fixed an issue on the 2FA page where the code text field was not automatically focused upon page load
- Introduces a configurable retention period for HTTP log files, allowing Root users to specify the number of days before log
- Implemented a restriction to prevent the modification of the Vulnerability Signature Type
- Enhanced the UI to highlight the menu when API Hub specifications are linked to a scan profile, making it easier for users to identify associated profiles
- Updated Chromium from version 121 to version 131 for enhanced performance and compatibility
- Enhanced detection accuracy for Weak Ciphers Enabled by analyzing false positives
- Administrators can now assign Agent Groups to Teams for greater control over agents and the teams that can use them.
Resolved issues
- Corrected OTP configuration attachment to personas, ensuring separate secrets and preventing shared changes
- Resolved issue where the internal agent service stopped after being disabled in the UI. The service now remains active even when the agent is disabled from the web application.
- Updated the SharedAssemblyInfo file to reflect the correct copyright details
- Fixed an issue where a disabled scan was inadvertently running, leading to an outage
- Fixed a bug where users were unable to update the website name longer than 40 characters
- Fixed an issue where the Invicti REST API did not return errors when importing an invalid definition file
- Resolved the "Internal Server Error" encountered on the Invicti scans/report API endpoint after enabling the "Prevent any sensitive information showing within the product" setting
- Fixed an issue where the Issue state was inadvertently removed when a user, without permission to update the state, added a note to the issue
- Fixed an issue where the "Notification Settings" hyperlink in notification emails was redirecting incorrectly
- Resolved the issue where the Agent Verifier was encountering errors when using certificates in a Linux environment
- Fixed an issue where duplicate tickets were being created in ServiceNow due to integration error
- Fixed an issue where the severity trend chart was not rendering correctly on the individual website dashboard
- Node.js v6 has reached its End of Life (EOL), and support for this version has been removed from Azure Pipelines
- Resolved a coverage issue where the login page reappeared during scans
This update includes changes to the internal agents. The internal scan agent's current version is 24.9.1. The internal authentication verifier agent's current version is 24.9.1.
New Feature
- Administrators can now assign Agent Groups to Teams for greater control over agents and the teams that can use them. Contact our Support team to activate this feature.
New Security Checks
- Added XWiki version disclosure vulnerability and attack patterns.
Improvements
- Added improvements to the Mend SAST integration.
- Target to Project mapping is now available via API for the Mend SAST integration.
Fixes
- Fixed the issue where tagging in the Discovery service would create a single-character tag when converted to a target.
- Fixed an issue where the encryption process remained pending and incomplete after starting encryption key generation.
- Fixed a bug in the API where '/api/1.0/issues/allissues' always returned NULL in the History field.
- The option to suspend all future scans is now available to all customers in Scans Control Settings.
- Fixed the false negative issue related to Polyfill.io.
- Fixed an issue related to creating a custom script for a web application using the OIDC method with a login pop-up.
- Fixed the issue where the scan summary page did not time out according to the settings.
This update includes changes to the internal agents. The internal scan agent's current version is 24.9.0. The internal authentication verifier agent's current version is 24.9.0.
New Security Checks
- Adjusted the severity of SSLv3 and TLS 1.0 vulnerabilities to reflect their security risks
- Added support for CSP frame-ancestors
- Added detection for CVE-2024-6297, affecting several WordPress plugins
Improvements
- Pre-request script now works in DOM as well
- The Azure Extension now retries connections, preventing pipeline failures
Fixes
- Remediated a high vulnerability issue on the Agent Dotnet dependency package
- Fixed an issue that was preventing the selection of configuration items during ServiceNow integration setup
- Fixed an issue with updating targets using the target group ID
- Fixed an issue where the Auth Verifier heartbeat was showing an hour behind due to daylight-saving time adjustments
- Fixed an error that was occurring when editing Report Policies
- Fixed an issue with a REST API endpoint returning alternating severity data for TLS 1.0 vulnerabilities
- Resolved an issue with a pre-request script that was affecting crawling functionality
New Feature
- Integration with Mend SAST: display Mend SAST results alongside DAST results in Invicti Enterprise so you can prioritize all your application security testing fixes in one list
This update includes changes to the internal agents. The internal scan agent's current version is 24.8.1. The internal authentication verifier agent's current version is 24.8.1.
New Security Checks
- Added detection for Jenkins Secret as a Sensitive Data Exposure
Fixes
- Fixed the issue where the ServiceNow Integration fields were not loading while editing the integration
- Fixed the issue where clicking the clone button in the Jira integration incorrectly redirected to the create new integration page
- Fixed Chromium-related issues in the agent
- Corrected the description of the "api/1.0/scans/test-scan-profile-credentials" endpoint
- Fixed the error when selecting a custom time period in the Dashboard Date Range
- Fixed the issue where temp folders could not be deleted and Chromium instances remained open when Puppeteer encountered an error
- Fixed the display issue on the Scan Summary page
- Fixed the false positive on detection of "Stack Trace Disclosure (Java)"
- Fixed a scan authentication issue and reduced latency
- Fixed the issue that was preventing the download of detailed PCI reports
- Fixed an issue related to the Moment.js regex
- Updated the OpenSSL configuration on the Cloud AMI
- Fixed the disk space issue in the Invicti Common folder
- Fixed the automatic syncing of issues with Jira integrations
- Fixed the issue where scans were failing due to a TLS connection not being established
- Fixed the OIDC authentication issue
- Fixed the issue where the REST API endpoint returned HTTP 400 instead of HTTP 200 when sending custom values
- Fixed the issue preventing proper login to the target URL