CVE-2020-15352 — XML External Entity (XXE) Injection in Pulse Connect Secure

CWE-611 — XML External Entity (XXE) Injection3 documents3 sources

Severity

7.2HIGHNVD

EPSS

6.6%

top 8.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pulsesecure Pulse Connect Secure Pulsesecure Pulse Policy Secure Ivanti Connect Secure +1 more

Timeline

PublishedOct 27

Latest updateMay 24

Description

An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages4 packages

▶NVDpulsesecure/pulse_policy_secure9.0

▶NVDpulsesecure/pulse_connect_secure9.0

▶NVDivanti/policy_secure9.1

▶NVDivanti/connect_secure9.1

🔴Vulnerability Details

GHSA

GHSA-2p2j-5crh-g4rm: An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9↗2022-05-24

▶

CVEList

CVE-2020-15352: An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9↗2020-10-27

▶