CVE-2017-11455 — Cross-Site Request Forgery in Ivanti Connect Secure

CWE-352 — Cross-Site Request Forgery3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.6%

top 31.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ivanti Connect Secure Pulsesecure Pulse Connect Secure Pulsesecure Pulse Policy Secure

Timeline

PublishedAug 29

Latest updateMay 13

Description

diag.cgi in Pulse Connect Secure 8.2R1 through 8.2R5, 8.1R1 through 8.1R10 and Pulse Policy Secure 5.3R1 through 5.3R5, 5.2R1 through 5.2R8, and 5.1R1 through 5.1R10 allow remote attackers to hijack the authentication of administrators for requests to start tcpdump, related to the lack of anti-CSRF tokens.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDpulsesecure/pulse_policy_secure37 versions+36

▶NVDpulsesecure/pulse_connect_secure9 versions+8

▶NVDivanti/connect_secure8.1

🔴Vulnerability Details

GHSA

GHSA-337j-5pvv-8pq9: diag↗2022-05-13

▶

CVEList

CVE-2017-11455: diag↗2017-08-29

▶