CVE-2019-11507
published 2019-05-08CVE-2019-11507: In Pulse Secure Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1 and 9.0.x before 9.0R3, an XSS issue has been found on the Application Launcher page.
PriorityP182medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
ITWEXPLOITVulnCheck KEVRansomware
Exploited in the wild
EPSS
4.06%
89.4th percentile
In Pulse Secure Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1 and 9.0.x before 9.0R3, an XSS issue has been found on the Application Launcher page.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
Detection & IOCsextracted from sources · hover to see the quote
url/dana/home/cts_get_ica.cgi?bm_id=x&vdi=1&appname=aa%0d%0aContent-Type::text/html%0d%0aContent-Disposition::inline%0d%0aaa:bb↗
- →Exploit request targets /dana/home/cts_get_ica.cgi with CRLF-injected headers in the 'appname' parameter to force a text/html Content-Type response, enabling reflected XSS on the Application Launcher page. ↗
- →Successful exploitation is indicated by HTTP 200 response with Content-Type containing 'text/html' and body containing the XSS payload string from the injected appname parameter. ↗
- →Shodan/FOFA fingerprint for exposed Pulse/Ivanti Connect Secure instances: search for 'welcome.cgi?p=logo' in HTTP body or 'ivanti connect secure' in page title. ↗
- →Pre-exploitation step requires extracting the 'xsauth_token' CSRF token from the welcome page before submitting login credentials; monitor for automated token extraction followed by rapid login attempts. ↗
- ·Exploit requires an authenticated session — the Nuclei template uses valid credentials to log in first, then triggers the vulnerable endpoint. Unauthenticated detection is not possible via this path alone. ↗
- ·Affected versions are PCS 8.3.x before 8.3R7.1 and 9.0.x before 9.0R3; the Nuclei template CPE targets 8.3:r1 as a representative version but the vulnerability spans the full 8.3.x and 9.0.x ranges. ↗
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv3.05.8MEDIUMCVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck6.1MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-2m46-g734-85f6: In Pulse Secure Pulse Connect Secure (PCS) 8
ghsa_unreviewed·2022-05-24
CVE-2019-11507 [MEDIUM] CWE-79 GHSA-2m46-g734-85f6: In Pulse Secure Pulse Connect Secure (PCS) 8
In Pulse Secure Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1 and 9.0.x before 9.0R3, an XSS issue has been found on the Application Launcher page.
VulnCheck
Ivanti Connect Secure and Policy Secure Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2019·CVSS 6.1
CVE-2019-11507 [MEDIUM] Ivanti Connect Secure and Policy Secure Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Ivanti Connect Secure and Policy Secure Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
In Pulse Secure Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1 and 9.0.x before 9.0R3, an XSS issue has been found on the Application Launcher page.
Affected: Ivanti Connect Secure and Policy Secure
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://research.checkpoint.com/2020/8th-june-threat-intelligence-bulletin/; https://cybersecurityworks.com/patchwatch/patch-watch-csw-analysis-of-pulse-secure-vulnerabilities.html
Ivanti
Ivanti Security Advisory: CVE-2019-11507
vendor_ivanti·2019-05-08·CVSS 6.1
CVE-2019-11507 [MEDIUM] CWE-79 Ivanti Security Advisory: CVE-2019-11507
Ivanti Security Advisory: CVE-2019-11507
In Pulse Secure Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1 and 9.0.x before 9.0R3, an XSS issue has been found on the Application Launcher page.
CVE IDs: CVE-2019-11507
CVSS Base Score: 6.1
Severity: MEDIUM
CWEs: CWE-79
No detection rules found.
Nuclei
Pulse Secure Pulse Connect Secure - Cross-Site Scripting (Reflected)
nuclei·CVSS 6.1
CVE-2019-11507 [MEDIUM] Pulse Secure Pulse Connect Secure - Cross-Site Scripting (Reflected)
Pulse Secure Pulse Connect Secure - Cross-Site Scripting (Reflected)
Pulse Secure Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1 and 9.0.x before 9.0R3 contain a reflected cross-site scripting caused by insufficient sanitization on the Application Launcher page, letting attackers execute scripts in the context of the affected page, exploit requires victim to visit a malicious link.
Template:
id: CVE-2019-11507
info:
name: Pulse Secure Pulse Connect Secure - Cross-Site Scripting (Reflected)
author: theamanrawat
severity: medium
description: |
Pulse Secure Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1 and 9.0.x before 9.0R3 contain a reflected cross-site scripting caused by insufficient sanitization on the Application Launcher page, letting attackers execute scripts in the context of
Checkpoint
8th June – Threat Intelligence Bulletin
blogs_checkpoint·2020-06-08·CVSS 9.8
CVE-2019-19781 [CRITICAL] 8th June – Threat Intelligence Bulletin
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 8th June – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 8th June 2020, please download our Threat Intelligence Bulletin .
Top Attacks and Breaches
Westech , a US military missile contractor, has been hit by the Maze ransomware after threat actors compromised its network and stole confidential documents from it. It is suspected that the hackers are of Russian origin, and that they may attempt to sell the stolen data to a foreign state.
Check Point SandBlast and Anti-
Tenable
CVE-2019-11510: Proof of Concept Available for Arbitrary File Disclosure in Pulse Connect Secure
blogs_tenable·2019-08-21·CVSS 10.0
[CRITICAL] CVE-2019-11510: Proof of Concept Available for Arbitrary File Disclosure in Pulse Connect Secure
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
http://www.securityfocus.com/bid/108073https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdfhttps://kb.pulsesecure.net/?atype=sahttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516https://www.kb.cert.org/vuls/id/927237http://www.securityfocus.com/bid/108073https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdfhttps://kb.pulsesecure.net/?atype=sahttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516https://www.kb.cert.org/vuls/id/927237
2019-05-08
Published
Exploited in the wild