Changelogs

Invicti Standard

RSS Feed

v24.10.0 - 08 Oct 2024

This release includes new security checks, improvements, and bug fixes.

New Security Checks

Improvements

  • Added ‘save as new’ and ‘overwrite’ options when importing scans
  • Reporting improvements for the “Unknown Option Used In Referrer-Policy” vulnerability
  • Added the ability to export/import scan profiles and scan policies between different instances of Invicti Standard

Fixes

  • Various fixes for the verifiers
  • Out-of-date version for Boolean Based MongoDB Injection is now reported correctly

v24.9.1 - 24 Sep 2024

This release includes a new security check and a bug fix.

New Security Checks

  • Added XWiki version disclosure vulnerability and attack patterns.

Fixes

  • Fixed the false negative issue related to Polyfill.io.
  • Fixed an issue related to creating a custom script for a web application using the OIDC method with a login pop-up.

v24.9.0 - 10 Sep 2024

This release includes new security checks, an improvement, and a bug fix.

New Security Checks

  • Adjusted the severity of SSLv3 and TLS 1.0 vulnerabilities to reflect their security risks
  • Added support for CSP frame-ancestors
  • Added detection for CVE-2024-6297, affecting several WordPress plugins

Improvements

  • Pre-request script now works in DOM as well

Fixes

  • Resolved an issue with a pre-request script that was affecting crawling functionality

v24.8.1 - 27 Aug 2024

This release includes new security checks, improvements, and bug fixes.

New Security Checks

  • Added detection for Jenkins Secret as a Sensitive Data Exposure

Improvements

  • Started to utilize the Microsoft Azure Trusted Signing service for code signing of Invicti Standard

Fixes

  • Fixed chromium-related issues in the agent
  • Fixed the issue where temp folders could not be deleted and Chromium instances remained open when Puppeteer encountered an error
  • Fixed the false positive on detection of “Stack Trace Disclosure (Java)”
  • Fixed an issue related to the Moment.js regex
  • Fixed the OIDC authentication issue
  • Fixed the issue where the REST API endpoint returned HTTP 400 instead of HTTP 200 when sending custom values
  • Fixed the issue preventing proper login to the target URL

v24.8.0 - 13 Aug 2024

This release includes new security checks, improvements, and bug fixes.

New Security Checks

  • Incorporated the reporting of sensitive information disclosures from Okta
  • Added a check for Authentication bypass in Fortra’s GoAnywhere MFT (CVE-2024-0204)
  • Added a check for Open SSH server RC (CVE-2024-6387)
  • Added a check for cached pages that contain sensitive data (CWE-525)

Improvements

  • Resolved an issue where scans were failing due to the TLS connection not being established

Fixes

  • Resolved a problem that was causing scans to become stuck

v24.7.1 - 25 Jul 2024

This release includes improvements and a bug fix.

Improvements

  • Disabled the detection of CSRF vulnerabilities from built-in policies
  • Added custom header support for SSRF registration

Fixes

  • Fixed an issue related to BLR links

v24.7.0 - 09 Jul 2024

This release includes new security check, improvements, and bug fixes.

New Security Checks

  • Added a new security check to identify supply chain attacks through Polyfill JS
  • Added a detection for GeoServer SQLi vulnerability (CVE-2023-25157)
  • Added checks for various WordPress plugins

Improvements

  • Improved Credit Card Disclosure Security Check
  • Added custom headers for communication between Agents and Invicti Hawk
  • Set the severity of ‘Possible XSS’ vulnerabilities to ‘Informational’
  • Improved various Sensitive Data Exposure security checks
  • Improved the detection of the Short SSL Key Length vulnerability
  • Added the capability to check for Sensitive Data in XML responses

Fixes

  • Fixed missing Request Body content in vulnerability details
  • Fixed an issue with the ‘IgnoreCertificateErrors’ Agent setting for SSL Validation
  • Fixed a problem in the JWT Engine to resolve a false positive issue
  • Fixed an issue related to the OTA app scan
  • Fixed HTTP 413 responses resulting from nonce cookies stacking

v24.6.0 - 13 Jun 2024

This release includes a new feature, new security check, improvements, and bug fixes.

New Features

  • Added functionality for scanning gRPC API Web Services → Learn more

New Security Checks

  • Added a new attack pattern for missing Open Redirection

Improvements

  • Added an option to trigger only specified lists of events
  • Updated all the IAST Sensors:
    • .NET Framework and .NET Core 6.2.0
    • Java 16.0.0
    • Node.js 2.1.3
    • PHP 8.0.1

Fixes

  • Fixed an issue with user-agent selection in scan policies that was causing disabled security check vulnerabilities to appear in the dashboards and scan reports
  • Fixed an issue with user-agent selection in scan policies that was causing disabled security check vulnerabilities to appear in the dashboards and scan reports
  • Fixed vulnerabilities with the Invicti Scan Agent Docker image
  • Fixed the disk space utilization issue that was causing the InvictiCommon folder size to increase significantly during scans
  • Improved the crawling capability to allow for automatic crawling of XHR requests
  • Fixed an AWS4Signer authentication issue

v24.5.1 - 28 May 2024

This release includes new security checks, improvements, and bug fixes.

New Security Checks

Improvements

  • Updated CWE IDs for several vulnerabilities

Fixes

  • Fixed an issue in the detection of the ‘Improper XML parsing leads to Billion Laughs Attack’ vulnerability
  • Resolved an issue with the Business Logic Recorder

v24.5.0 - 07 May 2024

This release includes Korean language support, new security checks, and bug fixes.

New Feature

  • Enabled Korean language support

New Security Checks

  • Added detection method for Angular
  • Added a new security check for Oracle EBS RCE

Fixes

  • Fixed a scan authentication issue and a crawling issue with Cloud Agents
  • Fixed the HTTP 401 forbidden response form authentication error
  • Fixed an issue with the detection method for wp-admin vulnerabilities
  • Fixed an error that was occurring when generating knowledge base reports
  • Updated the extraction algorithm for downloaded scan files from Invicti Enterprise
  • Fixed a scan issue that was producing 413 error responses

v24.4.0 - 17 Apr 2024

This release includes improvements and bug fixes.

Improvements

  • Improved AWS Secret Key ID detection security checks
  • Improved Google Cloud API Key detection security checks
  • Updated remediation information for Angular JS related vulnerabilities
  • Improved Boolean-Based MongoDB Injection detection method

Fixes

  • Fixed a validation error when validating Shark settings
  • Fixed an issue with duplicate custom user agents that was preventing scanning
  • Fixed an issue where authentication would fail when started with an Authentication profile
  • Fixed an issue that caused proxy usage for Chromium even when no proxy was selected from the scan policy settings

v24.3.1 - 28 Mar 2024

This release includes new features, new security checks, some improvements, and bug fixes.

New features

  • Provided a new encryption method of API Token for Agent/Verifier Agent
  • Added a pre-request script to generate AWS Signature token

New security checks

  • Added a new security check for TLS/SSL certificate key size too small issue
  • Improved WP Config detection over backup files
  • Added a new security check for CVE-2023-46805 / CVE-2024-21887
  • Added detection for exposed WordPress configuration files
  • Added a new Security Check that allows to report two vulnerabilities: TorchServe Management API Publicly Exposed and TorchServe Management API SSRF
  • Command Injection in VMware Aria Operations for Networks can now be detected

Improvements

  • Implemented enhancements: Highlighting and Verification of Response Status Codes
  • Disabled the BREACH Security Engine
  • Report template of Possible XSS is updated to cover mime sniffing
  • Increased the default Severity level of Version Disclosure (Varnish) from ‘Information’ to ‘Low’

Fixes

  • Fixed the issue where the customer couldn’t scan their target with the additional website properly
  • Fixed an issue that was causing a memory issue in Javascript Parser
  • Fixed the inability of the custom script editor to load the form authentication fields