CVE-2017-11463
Published: 2017-12-11
Priority: P350
Severity: high (CVSS 3.0 base score 8.8)
CVSS 3.0 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.43% (82.2th percentile)
In Ivanti Service Desk (formerly LANDESK Management Suite) versions between 2016.3 and 2017.3, an Unrestricted Direct Object Reference leads to referencing/updating objects belonging to other users. In other words, a normal user can send requests to a specific URI with the target user's username in an HTTP payload in order to retrieve a key/token and use it to access/update objects belonging to other users. Such objects could be user profiles, tickets, incidents, etc.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | endpoint_manager | — | — |
| ivanti | endpoint_manager | — | — |
| ivanti | endpoint_manager | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
Ivanti
Ivanti Security Advisory: CVE-2017-11463
Source: vendor_ivanti · Published 2017-12-11 · CVSS 8.8
CVE IDs: CVE-2017-11463
CVSS Base Score: 8.8
Severity: HIGH
CWEs: CWE-275
GHSA
GHSA-cmcr-rqpx-mmwv: In Ivanti Service Desk (formerly LANDESK Management Suite) versions between 2016
Source: ghsa_unreviewed · Published 2022-05-14
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.