CVE-2020-15408 — Missing Authorization in Pulse Connect Secure

CWE-862 — Missing Authorization3 documents3 sources

Severity

4.6MEDIUMNVD

CNA3.7

EPSS

0.2%

top 54.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pulsesecure Pulse Connect Secure Pulsesecure Pulse Secure Desktop Client

Timeline

PublishedJul 28

Latest updateMay 24

Description

An issue was discovered in Pulse Secure Pulse Connect Secure before 9.1R8. An authenticated attacker can access the admin page console via the end-user web interface because of a rewrite.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:NExploitability: 2.1 | Impact: 2.5

Affected Packages2 packages

▶NVDpulsesecure/pulse_connect_secure9.1

▶NVDpulsesecure/pulse_secure_desktop_client9.1

🔴Vulnerability Details

GHSA

GHSA-x3p9-c74w-j5mx: An issue was discovered in Pulse Secure Pulse Connect Secure before 9↗2022-05-24

▶

CVEList

CVE-2020-15408: An issue was discovered in Pulse Secure Pulse Connect Secure before 9↗2020-07-28

▶