CVE-2020-8256 — XML External Entity (XXE) Injection in Pulse Connect Secure

CWE-611 — XML External Entity (XXE) Injection3 documents3 sources

Severity

4.9MEDIUMNVD

EPSS

3.9%

top 11.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pulsesecure Pulse Connect Secure Ivanti Connect Secure

Timeline

PublishedSep 30

Latest updateMay 24

Description

A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to gain arbitrary file reading access through Pulse Collaboration via XML External Entity (XXE) vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages3 packages

▶NVDpulsesecure/pulse_connect_secure9.0

▶CVEListV5pulsesecure/pulse_connect_secureFixed in 9.1R8.2

▶NVDivanti/connect_secure9.1

🔴Vulnerability Details

GHSA

GHSA-pcw3-p344-q7jr: A vulnerability in the Pulse Connect Secure < 9↗2022-05-24

▶

CVEList

CVE-2020-8256: A vulnerability in the Pulse Connect Secure < 9↗2020-09-29

▶