CVE-2017-17947
Published 2018-01-16
CVE-2017-17947: A cross site scripting issue has been found in custompage.cgi in Pulse Secure Pulse Connect Secure (PCS) before 8.0R17.0, 8.1.x before 8.1R13, 8.2.x before…
Priority P4 · 18 · medium · 4.8 CVSS 3.0
AV:N / AC:L / PR:H / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.50% (39.1th percentile)
A cross site scripting issue has been found in custompage.cgi in Pulse Secure Pulse Connect Secure (PCS) before 8.0R17.0, 8.1.x before 8.1R13, 8.2.x before 8.2R9, and 8.3.x before 8.3R3 and Pulse Policy Secure (PPS) before 5.2R10, 5.3.x before 5.3R9, and 5.4.x before 5.4R3 due to one of the URL parameters not being sanitized. Exploitation does require the user to be logged in as administrator; the issue is not applicable to the end user portal.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pulsesecure | pulse_connect_secure | < 8.0r17.0 | 8.0r17.0 |
| pulsesecure | pulse_connect_secure | >= 8.1 < 8.1r13 | 8.1r13 |
| pulsesecure | pulse_connect_secure | 8.2 – 8.2r9 | — |
| pulsesecure | pulse_connect_secure | >= 8.3 < 8.3r3 | 8.3r3 |
CVSS provenance
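| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 4.8 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |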
Ivanti
Ivanti Security Advisory: CVE-2017-17947
vendor_ivanti·2018-01-16·CVSS 4.8
CVE IDs: CVE-2017-17947
CVSS Base Score: 4.8
Severity: MEDIUM
CWEs: CWE-79
GHSA
GHSA-23cp-hr68-96ff: A cross site scripting issue has been found in custompage
ghsa_unreviewed·2022-05-14
CVE-2017-17947 [MEDIUM] CWE-79
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2018-01-16