Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-11507: Cross-site Scripting in Ivanti Connect Secure

Severity: 6.1 MEDIUM (NVD)
EPSS: 0.6% (top 31.85%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Affected products
Timeline
Published: May 8
Latest update: May 24

Description

In Pulse Secure Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1 and 9.0.x before 9.0R3, an XSS issue has been found on the Application Launcher page.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (1 package)

NVD: ivanti/connect_secure 8.3, 9.0 +1

Patches

🔴 Vulnerability Details (3)
GHSA
GHSA-2m46-g734-85f6: In Pulse Secure Pulse Connect Secure (PCS) 8 (2022-05-24)
CVEList
CVE-2019-11507: In Pulse Secure Pulse Connect Secure (PCS) 8 (2019-05-08)
VulnCheck
Ivanti Connect Secure and Policy Secure Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (2019)

💥 Exploits & PoCs (1)
Nuclei
Pulse Secure Pulse Connect Secure - Cross-Site Scripting (Reflected)

🕵️ Threat Intelligence (1)
Tenable
CVE-2019-11510: Proof of Concept Available for Arbitrary File Disclosure in Pulse Connect Secure (2019-08-21)