cbcvebase.
CVE-2022-21826
published 2022-09-30

CVE-2022-21826: Pulse Secure version 9.115 and below may be susceptible to client-side http request smuggling, When the application receives a POST request, it ignores the…

PriorityP343medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EPSS
45.23%
98.6th percentile
Pulse Secure version 9.115 and below may be susceptible to client-side http request smuggling, When the application receives a POST request, it ignores the request's Content-Length header and leaves the POST body on the TCP/TLS socket. This body ends up prefixing the next HTTP request sent down that connection, this means when someone loads website attacker may be able to make browser issue a POST to the application, enabling XSS.

Affected

2 ranges
VendorProductVersion rangeFixed in
ivanticonnect_secure
pulsesecurepulse_connect_secure< 9.19.1
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.