v24.10.0 - 08 Oct 2024
This release includes new security checks, improvements, and bug fixes.
New Security Checks
- Updated detection for ActiveMQ – Remote Code Execution (CVE-2023-46604) and TorchServe Management API SSRF (CVE-2023-43654)
Improvements
- Added ‘save as new’ and ‘overwrite’ options when importing scans
- Reporting improvements for the “Unknown Option Used In Referrer-Policy” vulnerability
- Added the ability to export/import scan profiles and scan policies between different instances of Invicti Standard
Fixes
- Various fixes for the verifiers
- Out-of-date version for Boolean Based MongoDB Injection is now reported correctly
v24.9.1 - 24 Sep 2024
This release includes a new security check and a bug fix.
New Security Checks
- Added XWiki version disclosure vulnerability and attack patterns.
Fixes
- Fixed the false negative issue related to Polyfill.io.
- Fixed an issue related to creating a custom script for a web application using the OIDC method with a login pop-up.
v24.9.0 - 10 Sep 2024
This release includes new security checks, an improvement, and a bug fix.
New Security Checks
- Adjusted the severity of SSLv3 and TLS 1.0 vulnerabilities to reflect their security risks
- Added support for CSP frame-ancestors
- Added detection for CVE-2024-6297, affecting several WordPress plugins
Improvements
- Pre-request script now works in DOM as well
Fixes
- Resolved an issue with a pre-request script that was affecting crawling functionality
v24.8.1 - 27 Aug 2024
This release includes new security checks, improvements, and bug fixes.
New Security Checks
- Added detection for Jenkins Secret as a Sensitive Data Exposure
Improvements
- Started to utilize the Microsoft Azure Trusted Signing service for code signing of Invicti Standard
Fixes
- Fixed chromium-related issues in the agent
- Fixed the issue where temp folders could not be deleted and Chromium instances remained open when Puppeteer encountered an error
- Fixed the false positive on detection of “Stack Trace Disclosure (Java)”
- Fixed an issue related to the Moment.js regex
- Fixed the OIDC authentication issue
- Fixed the issue where the REST API endpoint returned HTTP 400 instead of HTTP 200 when sending custom values
- Fixed the issue preventing proper login to the target URL
v24.8.0 - 13 Aug 2024
This release includes new security checks, improvements, and bug fixes.
New Security Checks
- Incorporated the reporting of sensitive information disclosures from Okta
- Added a check for Authentication bypass in Fortra’s GoAnywhere MFT (CVE-2024-0204)
- Added a check for Open SSH server RC (CVE-2024-6387)
- Added a check for cached pages that contain sensitive data (CWE-525)
Improvements
- Resolved an issue where scans were failing due to the TLS connection not being established
Fixes
- Resolved a problem that was causing scans to become stuck
v24.7.1 - 25 Jul 2024
This release includes improvements and a bug fix.
Improvements
- Disabled the detection of CSRF vulnerabilities from built-in policies
- Added custom header support for SSRF registration
Fixes
- Fixed an issue related to BLR links
v24.7.0 - 09 Jul 2024
This release includes new security check, improvements, and bug fixes.
New Security Checks
- Added a new security check to identify supply chain attacks through Polyfill JS
- Added a detection for GeoServer SQLi vulnerability (CVE-2023-25157)
- Added checks for various WordPress plugins
Improvements
- Improved Credit Card Disclosure Security Check
- Added custom headers for communication between Agents and Invicti Hawk
- Set the severity of ‘Possible XSS’ vulnerabilities to ‘Informational’
- Improved various Sensitive Data Exposure security checks
- Improved the detection of the Short SSL Key Length vulnerability
- Added the capability to check for Sensitive Data in XML responses
Fixes
- Fixed missing Request Body content in vulnerability details
- Fixed an issue with the ‘IgnoreCertificateErrors’ Agent setting for SSL Validation
- Fixed a problem in the JWT Engine to resolve a false positive issue
- Fixed an issue related to the OTA app scan
- Fixed HTTP 413 responses resulting from nonce cookies stacking
v24.6.0 - 13 Jun 2024
This release includes a new feature, new security check, improvements, and bug fixes.
New Features
- Added functionality for scanning gRPC API Web Services → Learn more
New Security Checks
- Added a new attack pattern for missing Open Redirection
Improvements
- Added an option to trigger only specified lists of events
- Updated all the IAST Sensors:
- .NET Framework and .NET Core 6.2.0
- Java 16.0.0
- Node.js 2.1.3
- PHP 8.0.1
Fixes
- Fixed an issue with user-agent selection in scan policies that was causing disabled security check vulnerabilities to appear in the dashboards and scan reports
- Fixed an issue with user-agent selection in scan policies that was causing disabled security check vulnerabilities to appear in the dashboards and scan reports
- Fixed vulnerabilities with the Invicti Scan Agent Docker image
- Fixed the disk space utilization issue that was causing the InvictiCommon folder size to increase significantly during scans
- Improved the crawling capability to allow for automatic crawling of XHR requests
- Fixed an AWS4Signer authentication issue
v24.5.1 - 28 May 2024
This release includes new security checks, improvements, and bug fixes.
New Security Checks
- Added detection methods for five more WordPress Templates
- Added detection of Fortinet vulnerabilities (CVE-2020-12812, CVE-2019-5591, CVE-2018-13379)
Improvements
- Updated CWE IDs for several vulnerabilities
Fixes
- Fixed an issue in the detection of the ‘Improper XML parsing leads to Billion Laughs Attack’ vulnerability
- Resolved an issue with the Business Logic Recorder
v24.5.0 - 07 May 2024
This release includes Korean language support, new security checks, and bug fixes.
New Feature
- Enabled Korean language support
New Security Checks
- Added detection method for Angular
- Added a new security check for Oracle EBS RCE
Fixes
- Fixed a scan authentication issue and a crawling issue with Cloud Agents
- Fixed the HTTP 401 forbidden response form authentication error
- Fixed an issue with the detection method for wp-admin vulnerabilities
- Fixed an error that was occurring when generating knowledge base reports
- Updated the extraction algorithm for downloaded scan files from Invicti Enterprise
- Fixed a scan issue that was producing 413 error responses
v24.4.0 - 17 Apr 2024
This release includes improvements and bug fixes.
Improvements
- Improved AWS Secret Key ID detection security checks
- Improved Google Cloud API Key detection security checks
- Updated remediation information for Angular JS related vulnerabilities
- Improved Boolean-Based MongoDB Injection detection method
Fixes
- Fixed a validation error when validating Shark settings
- Fixed an issue with duplicate custom user agents that was preventing scanning
- Fixed an issue where authentication would fail when started with an Authentication profile
- Fixed an issue that caused proxy usage for Chromium even when no proxy was selected from the scan policy settings
v24.3.1 - 28 Mar 2024
This release includes new features, new security checks, some improvements, and bug fixes.
New features
- Provided a new encryption method of API Token for Agent/Verifier Agent
- Added a pre-request script to generate AWS Signature token
New security checks
- Added a new security check for TLS/SSL certificate key size too small issue
- Improved WP Config detection over backup files
- Added a new security check for CVE-2023-46805 / CVE-2024-21887
- Added detection for exposed WordPress configuration files
- Added a new Security Check that allows to report two vulnerabilities: TorchServe Management API Publicly Exposed and TorchServe Management API SSRF
- Command Injection in VMware Aria Operations for Networks can now be detected
Improvements
- Implemented enhancements: Highlighting and Verification of Response Status Codes
- Disabled the BREACH Security Engine
- Report template of Possible XSS is updated to cover mime sniffing
- Increased the default Severity level of Version Disclosure (Varnish) from ‘Information’ to ‘Low’
Fixes
- Fixed the issue where the customer couldn’t scan their target with the additional website properly
- Fixed an issue that was causing a memory issue in Javascript Parser
- Fixed the inability of the custom script editor to load the form authentication fields