Ivanti Connect Secure vulnerabilities

130 known vulnerabilities affecting ivanti/connect_secure.

Total CVEs

130

CISA KEV

actively exploited

Public exploits

Exploited in wild

Severity breakdown

CRITICAL15HIGH67MEDIUM46LOW2

Vulnerabilities

Page 6 of 7

CVE-2020-8217MEDIUMCVSS 5.4v9.12020-07-30

CVE-2020-8217 [MEDIUM] CWE-79 CVE-2020-8217: A cross site scripting (XSS) vulnerability in Pulse Connect Secure <9.1R8 allowed attackers to explo A cross site scripting (XSS) vulnerability in Pulse Connect Secure <9.1R8 allowed attackers to exploit in the URL used for Citrix ICA.

nvd

CVE-2020-12880MEDIUMCVSS 5.5v9.12020-07-27

CVE-2020-12880 [MEDIUM] CVE-2020-12880: An issue was discovered in Pulse Policy Secure (PPS) and Pulse Connect Secure (PCS) Virtual Applianc An issue was discovered in Pulse Policy Secure (PPS) and Pulse Connect Secure (PCS) Virtual Appliance before 9.1R8. By manipulating a certain kernel boot parameter, it can be tricked into dropping into a root shell in a pre-install phase where the entire source code of the appliance is available and can be retrieved. (The source code is otherwise inaccessib

nvd

CVE-2018-20810CRITICALCVSS 9.8v8.32019-06-28

CVE-2018-20810 [CRITICAL] CWE-326 CVE-2018-20810: Session data between cluster nodes during cluster synchronization is not properly encrypted in Pulse Session data between cluster nodes during cluster synchronization is not properly encrypted in Pulse Secure Pulse Connect Secure (PCS) 8.3RX before 8.3R2 and Pulse Policy Secure (PPS) 5.4RX before 5.4R2. This is not applicable to PCS 8.1RX, PPS 5.2RX, or stand-alone devices.

nvd

CVE-2018-20813CRITICALCVSS 9.8v8.32019-06-28

CVE-2018-20813 [CRITICAL] CWE-20 CVE-2018-20813: An input validation issue has been found with login_meeting.cgi in Pulse Secure Pulse Connect Secure An input validation issue has been found with login_meeting.cgi in Pulse Secure Pulse Connect Secure 8.3RX before 8.3R2.

nvd

CVE-2018-20809HIGHCVSS 7.5v8.32019-06-28

CVE-2018-20809 [HIGH] CWE-20 CVE-2018-20809: A crafted message can cause the web server to crash with Pulse Secure Pulse Connect Secure (PCS) 8.3 A crafted message can cause the web server to crash with Pulse Secure Pulse Connect Secure (PCS) 8.3RX before 8.3R5 and Pulse Policy Secure 5.4RX before 5.4R5. This is not applicable to PCS 8.1RX.

nvd

CVE-2018-20808MEDIUMCVSS 6.1v8.32019-06-28

CVE-2018-20808 [MEDIUM] CWE-79 CVE-2018-20808: An XSS issue has been found with rd.cgi in Pulse Secure Pulse Connect Secure 8.3RX before 8.3R3 due An XSS issue has been found with rd.cgi in Pulse Secure Pulse Connect Secure 8.3RX before 8.3R3 due to improper header sanitization. This is not applicable to 8.1RX.

nvd

CVE-2018-20811MEDIUMCVSS 5.3v8.1v8.32019-06-28

CVE-2018-20811 [MEDIUM] CWE-200 CVE-2018-20811: A hidden RPC service issue was found with Pulse Secure Pulse Connect Secure 8.3RX before 8.3R2 and 8 A hidden RPC service issue was found with Pulse Secure Pulse Connect Secure 8.3RX before 8.3R2 and 8.1RX before 8.1R12.

nvd

CVE-2018-20814MEDIUMCVSS 6.1v8.32019-06-28

CVE-2018-20814 [MEDIUM] CWE-79 CVE-2018-20814: An XSS issue was found with Psaldownload.cgi in Pulse Secure Pulse Connect Secure (PCS) 8.3R2 before An XSS issue was found with Psaldownload.cgi in Pulse Secure Pulse Connect Secure (PCS) 8.3R2 before 8.3R2 and Pulse Policy Secure (PPS) 5.4RX before 5.4R2. This is not applicable to PCS 8.1RX or PPS 5.2RX.

nvd

CVE-2018-20807MEDIUMCVSS 6.1v8.1v8.2+1 more2019-06-28

CVE-2018-20807 [MEDIUM] CWE-79 CVE-2018-20807: An XSS issue has been found in welcome.cgi in Pulse Secure Pulse Connect Secure (PCS) 8.1.x before 8 An XSS issue has been found in welcome.cgi in Pulse Secure Pulse Connect Secure (PCS) 8.1.x before 8.1R12, 8.2.x before 8.2R9, and 8.3.x before 8.3R3 due to one of the URL parameters not being sanitized properly.

nvd

CVE-2019-11509HIGHCVSS 8.8v8.1v8.2+2 more2019-06-03

CVE-2019-11509 [HIGH] CVE-2019-11509: In Pulse Secure Pulse Connect Secure (PCS) before 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, In Pulse Secure Pulse Connect Secure (PCS) before 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 and Pulse Policy Secure (PPS) before 5.1R15.1, 5.2 before 5.2R12.1, 5.3 before 5.3R15.1, 5.4 before 5.4R7.1, and 9.0 before 9.0R3.2, an authenticated attacker (via the admin web interface) can exploit Incorrect Access Control to execute

nvd

CVE-2019-11510CRITICALCVSS 10.0KEVPoCv8.2v8.3+1 more2019-05-08

CVE-2019-11510 [CRITICAL] CWE-22 CVE-2019-11510: In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9 In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability .

nvd

CVE-2019-11508HIGHCVSS 7.2v7.1v7.4+4 more2019-05-08

CVE-2019-11508 [HIGH] CWE-22 CVE-2019-11508: In Pulse Secure Pulse Connect Secure (PCS) before 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, In Pulse Secure Pulse Connect Secure (PCS) before 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an authenticated attacker (via the admin web interface) can exploit Directory Traversal to execute arbitrary code on the appliance.

nvd

CVE-2019-11507MEDIUMCVSS 6.1PoCv8.3v9.02019-05-08

CVE-2019-11507 [MEDIUM] CWE-79 CVE-2019-11507: In Pulse Secure Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1 and 9.0.x before 9.0R3, an XSS issue In Pulse Secure Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1 and 9.0.x before 9.0R3, an XSS issue has been found on the Application Launcher page.

nvd

CVE-2019-11540CRITICALCVSS 9.8v8.32019-04-26

CVE-2019-11540 [CRITICAL] CVE-2019-11540: In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4 and 8.3RX before 8.3R7.1 and Pulse In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4 and 8.3RX before 8.3R7.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2 and 5.4RX before 5.4R7.1, an unauthenticated, remote attacker can conduct a session hijacking attack.

nvd

CVE-2019-11538HIGHCVSS 7.7v8.1v8.2+2 more2019-04-26

CVE-2019-11538 [HIGH] CWE-59 CVE-2019-11538: In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX befor In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1, an NFS problem could allow an authenticated attacker to access the contents of arbitrary files on the affected device.

nvd

CVE-2019-11542HIGHCVSS 7.2v8.1v8.2+1 more2019-04-26

CVE-2019-11542 [HIGH] CWE-787 CVE-2019-11542: In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX befor In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, an authenticated attacker (via the admin web interface) can send a

nvd

CVE-2019-11539HIGHCVSS 7.2KEVPoCv8.1v8.2+2 more2019-04-26

CVE-2019-11539 [HIGH] CWE-78 CVE-2019-11539: In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX befor In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web interface allows an authenticated attacker to inject

nvd

CVE-2019-11541HIGHCVSS 7.5v8.2v8.32019-04-26

CVE-2019-11541 [HIGH] CVE-2019-11541: In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, and 8.2RX b In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, and 8.2RX before 8.2R12.1, users using SAML authentication with the Reuse Existing NC (Pulse) Session option may see authentication leaks.

nvd

CVE-2019-11543MEDIUMCVSS 6.1v8.1v8.32019-04-26

CVE-2019-11543 [MEDIUM] CWE-79 CVE-2019-11543: XSS exists in the admin web console in Pulse Secure Pulse Connect Secure (PCS) 9.0RX before 9.0R3.4, XSS exists in the admin web console in Pulse Secure Pulse Connect Secure (PCS) 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, and 5.2RX before 5.2R12.1.

nvd

CVE-2019-11213HIGHCVSS 8.1≥ 9.0r1, < 9.0r32019-04-12

CVE-2019-11213 [HIGH] CWE-384 CVE-2019-11213: In Pulse Secure Pulse Desktop Client and Network Connect, an attacker could access session tokens to In Pulse Secure Pulse Desktop Client and Network Connect, an attacker could access session tokens to replay and spoof sessions, and as a result, gain unauthorized access as an end user, a related issue to CVE-2019-1573. (The endpoint would need to be already compromised for exploitation to succeed.) This affects Pulse Desktop Client 5.x before Secure

nvd

← Previous6 / 7Next →