CVE-2017-11193Cross-Site Request Forgery in Pulse Connect Secure

CWE-352Cross-Site Request Forgery3 documents3 sources
Severity
8.8HIGHNVD
EPSS
0.2%
top 64.23%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Pulsesecure Pulse Connect Secure
Timeline
PublishedJul 12
Latest updateMay 17

Description

Pulse Connect Secure 8.3R1 has CSRF in diag.cgi. In the panel, the diag.cgi file is responsible for running commands such as ping, ping6, traceroute, traceroute6, nslookup, arp, and Portprobe. These functions do not have any protections against CSRF. That can allow an attacker to run these commands against any IP if they can get an admin to visit their malicious CSRF page.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-c6vq-95h3-7xfg: Pulse Connect Secure 82022-05-17
CVEList
CVE-2017-11193: Pulse Connect Secure 82017-07-12
CVE-2017-11193 — Cross-Site Request Forgery | cvebase