Release Notes
Invicti Standard
RSS FEED
New Security Checks
- Added detection methods for five more WordPress Templates
- Added detection of Fortinet vulnerabilities (CVE-2020-12812, CVE-2019-5591, CVE-2018-13379)
Improvements
- Updated CWE IDs for several vulnerabilities
Fixes
- Fixed an issue in the detection of the 'Improper XML parsing leads to Billion Laughs Attack' vulnerability
- Resolved an issue with the Business Logic Recorder
New Feature
- Enabled Korean language support
New Security Checks
- Added detection method for Angular
- Added a new security check for Oracle EBS RCE
Fixes
- Fixed a scan authentication issue and a crawling issue with Cloud Agents
- Fixed the HTTP 401 forbidden response form authentication error
- Fixed an issue with the detection method for wp-admin vulnerabilities
- Fixed an error that was occurring when generating knowledge base reports
- Updated the extraction algorithm for downloaded scan files from Invicti Enterprise
- Fixed a scan issue that was producing 413 error responses
Improvements
- Improved AWS Secret Key ID detection security checks
- Improved Google Cloud API Key detection security checks
- Updated remediation information for Angular JS related vulnerabilities
- Improved Boolean-Based MongoDB Injection detection method
Fixes
- Fixed a validation error when validating Shark settings
- Fixed an issue with duplicate custom user agents that was preventing scanning
- Fixed an issue where authentication would fail when started with an Authentication profile
- Fixed an issue that caused proxy usage for Chromium even when no proxy was selected from the scan policy settings
New features
- Provided a new encryption method of API Token for Agent/Verifier Agent
- Added a pre-request script to generate AWS Signature token
New security checks
- Added a new security check for TLS/SSL certificate key size too small issue
- Improved WP Config detection over backup files
- Added a new security check for CVE-2023-46805 / CVE-2024-21887
- Added detection for exposed WordPress configuration files
- Added a new Security Check that allows to report two vulnerabilities: TorchServe Management API Publicly Exposed and TorchServe Management API SSRF
- Command Injection in VMware Aria Operations for Networks can now be detected
Improvements
- Implemented enhancements: Highlighting and Verification of Response Status Codes
- Disabled the BREACH Security Engine
- Report template of Possible XSS is updated to cover mime sniffing
- Increased the default Severity level of Version Disclosure (Varnish) from 'Information' to 'Low'
Fixes
- Fixed the issue where the customer couldn't scan their target with the additional website properly
- Fixed an issue that was causing a memory issue in Javascript Parser
- Fixed the inability of the custom script editor to load the form authentication fields
New features
- Added the ability to force authentication verifier agents to use incognito mode by default on Chromium browsers
New security checks
- Added detection for ActiveMQ RCE to the OOB RCE Attack Pattern (CVE-2023-46604)
Fixes
- Added a Cookie Source field to the Knowledge Base Cookies screen
New features
- Added a new BLR log providing details on BLR execution
New security checks
- Implemented a detection and reporting mechanism for the Backup Migration WordPress plugin (CVE-2023-6553)
- Added detection for TinyMCE
Improvements
- Updated the "Insecure Transportation Security Protocol Supported (TLS 1.0)" vulnerability to High Severity
- Updated the WSDL serialization mechanism
- Implemented support for scanning sites with location permission pop-ups
- Added support for FreshService API V2
- Removed obsolete X-Frame-Options Header security checks
Fixes
- Fixed a bug in the Request/Response tab of Version Disclosure vulnerabilities
- Removed the target URL from the scope control list
New security checks
- Added a check for dotCMS
- Added a check for the Ultimate Member WordPress plugin
- Added a new mXSS pattern
- Added new signatures to detect JWKs
Improvements
- Improved the recommendations for the Weak Ciphers Enabled vulnerability
- Improved detection of swagger.json vulnerabilities
- Added support for AWS WAFv2 rules
- Improved more of our error and warning messages so they are more user friendly
- Added Sentry implementation into the Agent repository
Fixes
- Fixed a proxy issue that was impacting the detection of weak ciphers
- Fixed a problem with importing WDSL files
New features
- In the scan settings section, we've added a checkbox (under Authentication > Form) to collect all logs about the authentication progress
- Enhanced reporting of DOM XSS vulnerabilities
Improvements
- Updated the Shark Dotnet Sensor to .NET Core 6
- Improved site-logout detection
Fixes
- Resolved a problem with missing information in the report policy database
- Fixed an issue with the import of scan data from Invicti Enterprise to Invicti Standard
- Fixed a bug in the importing of links
- Fixed some vulnerabilities on our Invicti Docker Image by updating the packages
- Fixed reporting of some false/positive passive out-of-date vulnerabilities
New features
- Added CVSS 4.0 categorization of vulnerabilities
- Added support for PCI DSS 4.0
- Added new messaging for when scans fail due to mistyped http/https protocols
New security checks
- Added new HSQLDB vulnerabilities and report templates
- Added new Typo3 vulnerabilities and report templates
Improvements
- Improved the vulnerability calculator for Boolean MongoDB
- Improved the signature for .dockerignore file detected issues
- Improved the request body rating algorithm
- Improved the signature for Joomla detection
- Improved the signature for other docker-related signatures
- Improved the Postman collection parsing algorithm
- Resolved an issue with adding a client certificate to set up a scan
- Added logs for better traceability of BLR playbacks
Fixes
- Fixed the NRE in the agent log if any authentication is adjusted
- Fixed an issue that was causing verifiers to not use scan policy proxy settings
- Fixed an auth verifier client certificate authentication path error
New features
- Added an option under New Scan Policy > Ignored Parameters to allow customers to set 'Cookie' as a type of ignored parameter
New security checks
- Added new checks for the WordPress Login with Phone Number Plugin: CVE-2023-23492
- Added new checks for the WordPress JupiterX Core Plugin: CVE-2023-38389, CVE-2023-38388
Improvements
- Added support for custom authentication tokens without token type
- Improved LFI attack patterns for better accuracy
- Fixed some vulnerabilities in the Docker image
- Stricter sensitive data rules
- Improved bot detection bypass scenarios
Fixes
- Fixed custom header values in scan profiles so that they are masked
- Docker Cloud Stack check has been updated to reduce noise
- Fixed an issue with adding configuration files to scan profiles
- SSL/TLS classification updated from CWE-311 to CWE-319
New features
- Added encoding for sensitive data
- Added the option to enable CSRF checks for authenticated scans only
- Added a sensitive data (password, session cookie, token etc.) encoder
New security checks
- Added JQuery placeholder detection methods
- Added a new security check for the Missing X-Content-Type-Options vulnerability
Improvements
- Improved the JS Delivery CDN disclosure check to increase stability
- Improved the remediation part for the Weak Ciphers Enabled vulnerability
- Reduced the certainty value to 90 for the Robot Attack Detected vulnerability
- Improved the detection method for CSP
- Improved the detection method for the Dockerignore File Detected vulnerability
- Improved the detection method for the Docker Cloud Stack File Detected vulnerability
Fixes
- Improved our XSS capabilities
- Fixed an NTLM login issue
- Fixed a bug that was overwriting proxy settings in scan policies
- Fixed a unique analyzer bug for the WSDL importer
- Fixed a custom proxy bypass list issue