CVE-2019-11507
published 2019-05-08

CVE-2019-11507: In Pulse Secure Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1 and 9.0.x before 9.0R3, an XSS issue has been found on the Application Launcher page.

Priority: P182 · medium · 6.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Tags: ITW · EXPLOIT · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 4.06% (89.4th percentile)

Affected

2 ranges
Vendor | Product | Version range | Fixed in
ivanti | connect_secure
ivanti | connect_secure

Detection & IOCs (extracted from sources)

url: /dana-na/auth/url_default/welcome.cgi
url: /dana-na/auth/url_default/login.cgi
url: /dana/home/cts_get_ica.cgi?bm_id=x&vdi=1&appname=aa%0d%0aContent-Type::text/html%0d%0aContent-Disposition::inline%0d%0aaa:bb
path: /dana/home/cts_get_ica.cgi
other: http.html:"welcome.cgi?p=logo"
  • Exploit request targets /dana/home/cts_get_ica.cgi with CRLF-injected headers in the 'appname' parameter to force a text/html Content-Type response, enabling reflected XSS on the Application Launcher page.
  • Successful exploitation is indicated by HTTP 200 response with Content-Type containing 'text/html' and body containing the XSS payload string from the injected appname parameter.
  • Shodan/FOFA fingerprint for exposed Pulse/Ivanti Connect Secure instances: search for 'welcome.cgi?p=logo' in HTTP body or 'ivanti connect secure' in page title.
  • Pre-exploitation step requires extracting the 'xsauth_token' CSRF token from the welcome page before submitting login credentials; monitor for automated token extraction followed by rapid login attempts.
  • Exploit requires an authenticated session — the Nuclei template uses valid credentials to log in first, then triggers the vulnerable endpoint. Unauthenticated detection is not possible via this path alone.
  • Affected versions are PCS 8.3.x before 8.3R7.1 and 9.0.x before 9.0R3; the Nuclei template CPE targets 8.3:r1 as a representative version but the vulnerability spans the full 8.3.x and 9.0.x ranges.
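
Added example (not from the sources quoted above): a log check for the request pattern in the first two bullets, flagging requests to /dana/home/cts_get_ica.cgi whose 'appname' value decodes to CR/LF. It assumes access logs in combined log format from the appliance or a fronting proxy; the sample lines, the function names and the double-encoding check are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

VULN_PATH = "/dana/home/cts_get_ica.cgi"  # path taken from the IOC list above
REQ_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
HEADER_RE = re.compile(r"[\r\n]\s*([A-Za-z-]+)\s*::?")  # header name after a line break

# Constructed sample lines (assumed combined log format, documentation IPs).
SAMPLE_LOG = [
    '198.51.100.4 - - [01/Jan/2024:10:00:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120',
    '198.51.100.4 - - [01/Jan/2024:10:00:09 +0000] "GET /dana/home/cts_get_ica.cgi?bm_id=7&vdi=1&appname=Notepad HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Jan/2024:10:02:11 +0000] "GET /dana/home/cts_get_ica.cgi?bm_id=x&vdi=1&appname=aa%0d%0aContent-Type::text/html%0d%0aContent-Disposition::inline%0d%0aaa:bb HTTP/1.1" 200 640',
    '203.0.113.9 - - [01/Jan/2024:10:02:30 +0000] "GET /dana/home/cts_get_ica.cgi?bm_id=x&vdi=1&appname=aa%250d%250aContent-Type::text/html HTTP/1.1" 400 0',
]

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded CR/LF (%250d%250a) is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return a finding for a request carrying CR/LF in 'appname', else None."""
    m = REQ_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != VULN_PATH:
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get("appname", []):
        value = fully_decode(raw)
        if "\r" in value or "\n" in value:
            return {
                "status": int(m.group("status")),
                "injected_headers": sorted({h.lower() for h in HEADER_RE.findall(value)}),
                "forces_html": "text/html" in value.lower(),
            }
    return None

def scan(lines):
    """Return (line_number, finding) pairs for every suspicious line."""
    pairs = ((n, inspect_line(line)) for n, line in enumerate(lines, start=1))
    return [(n, f) for n, f in pairs if f]

if __name__ == "__main__":
    for number, finding in scan(SAMPLE_LOG):
        print(number, finding)
```

A flagged line with status 200 and forces_html set corresponds to the success indicator in the second bullet and is the one to triage first.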

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd | v3.0 | 5.8 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck | | 6.1 | MEDIUM |