CVE-2017-17947Cross-site Scripting in Pulse Connect Secure

CWE-79Cross-site Scripting3 documents3 sources
Severity
4.8MEDIUMNVD
EPSS
0.3%
top 50.58%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Pulsesecure Pulse Connect Secure
Timeline
PublishedJan 16
Latest updateMay 14

Description

A cross site scripting issue has been found in custompage.cgi in Pulse Secure Pulse Connect Secure (PCS) before 8.0R17.0, 8.1.x before 8.1R13, 8.2.x before 8.2R9, and 8.3.x before 8.3R3 and Pulse Policy Secure (PPS) before 5.2R10, 5.3.x before 5.3R9, and 5.4.x before 5.4R3 due to one of the URL parameters not being sanitized. Exploitation does require the user to be logged in as administrator; the issue is not applicable to the end user portal.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages1 packages

NVDpulsesecure/pulse_connect_secure8.18.1r13+3

Patches

Patch: kb.pulsesecure.netPatch: kb.pulsesecure.net

🔴Vulnerability Details

2
GHSA
GHSA-23cp-hr68-96ff: A cross site scripting issue has been found in custompage2022-05-14
CVEList
CVE-2017-17947: A cross site scripting issue has been found in custompage2018-01-16
CVE-2017-17947 — Cross-site Scripting | cvebase