cvebase

Ivanti Connect Secure vulnerabilities

130 known vulnerabilities affecting ivanti/connect_secure.

Total CVEs: 130
CISA KEV: 14 (actively exploited)
Public exploits: 14
Exploited in wild: 19
Severity breakdown: CRITICAL 15, HIGH 67, MEDIUM 46, LOW 2

Vulnerabilities

Page 6 of 7
CVE-2024-13830 | P4 | MEDIUM | CVSS 6.1 | fixed in 22.7 | v22.7 | 2025-02-11
CVE-2024-13830 [MEDIUM] CWE-79: Reflected XSS in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required.
nvd
CVE-2024-11004 | P4 | MEDIUM | CVSS 6.1 | fixed in 22.7 | v22.7 | 2024-11-12
CVE-2024-11004 [MEDIUM] CWE-79: Reflected XSS in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required.
nvd
CVE-2025-0292 | P4 | MEDIUM | CVSS 4.9 | fixed in 22.7 | v22.7 | 2025-07-08
CVE-2025-0292 [MEDIUM] CWE-918: SSRF in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to access internal network services.
nvd
CVE-2019-11543 | P4 | MEDIUM | CVSS 6.1 | v8.1, v8.3 | 2019-04-26
CVE-2019-11543 [MEDIUM] CWE-79: XSS exists in the admin web console in Pulse Secure Pulse Connect Secure (PCS) 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, and 5.2RX before 5.2R12.1.
nvd
CVE-2025-55146 | P4 | MEDIUM | CVSS 4.9 | fixed in 22.7 | v22.7 | 2025-09-09
CVE-2025-55146 [MEDIUM] CWE-252: An unchecked return value in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with admin privileges to trigger a denial of service.
nvd
CVE-2020-8238 | P4 | MEDIUM | CVSS 6.1 | v9.1 | 2020-09-30
CVE-2020-8238 [MEDIUM] CWE-79: A vulnerability in the authenticated user web interface of Pulse Connect Secure and Pulse Policy Secure < 9.1R8.2 could allow attackers to conduct Cross-Site Scripting (XSS).
nvd
CVE-2025-5451 | P4 | MEDIUM | CVSS 4.9 | fixed in 22.7 | v22.7 | 2025-07-08
CVE-2025-5451 [MEDIUM] CWE-121: A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to trigger a denial of service.
nvd
CVE-2020-8262 | P4 | MEDIUM | CVSS 6.1 | v9.1 | 2020-10-28
CVE-2020-8262 [MEDIUM] CWE-79: A vulnerability in the Pulse Connect Secure / Pulse Policy Secure below 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS) and Open Redirection for authenticated user web interface.
nvd
CVE-2018-20808 | P4 | MEDIUM | CVSS 6.1 | v8.3 | 2019-06-28
CVE-2018-20808 [MEDIUM] CWE-79: An XSS issue has been found with rd.cgi in Pulse Secure Pulse Connect Secure 8.3RX before 8.3R3 due to improper header sanitization. This is not applicable to 8.1RX.
nvd
CVE-2018-20807 | P4 | MEDIUM | CVSS 6.1 | v8.1, v8.2 +1 more | 2019-06-28
CVE-2018-20807 [MEDIUM] CWE-79: An XSS issue has been found in welcome.cgi in Pulse Secure Pulse Connect Secure (PCS) 8.1.x before 8.1R12, 8.2.x before 8.2R9, and 8.3.x before 8.3R3 due to one of the URL parameters not being sanitized properly.
nvd
CVE-2021-22936 | P4 | MEDIUM | CVSS 6.1 | v9.1 | 2021-08-16
CVE-2021-22936 [MEDIUM] CWE-79: A vulnerability in Pulse Connect Secure before 9.1R12 could allow a threat actor to perform a cross-site script attack against an authenticated administrator via an unsanitized web parameter.
nvd
CVE-2018-20811 | P4 | MEDIUM | CVSS 5.3 | v8.1, v8.3 | 2019-06-28
CVE-2018-20811 [MEDIUM] CWE-200: A hidden RPC service issue was found with Pulse Secure Pulse Connect Secure 8.3RX before 8.3R2 and 8.1RX before 8.1R12.
nvd
CVE-2020-8217 | P4 | MEDIUM | CVSS 5.4 | v9.1 | 2020-07-30
CVE-2020-8217 [MEDIUM] CWE-79: A cross site scripting (XSS) vulnerability in Pulse Connect Secure <9.1R8 allowed attackers to exploit in the URL used for Citrix ICA.
nvd
CVE-2020-12880 | P4 | MEDIUM | CVSS 5.5 | v9.1 | 2020-07-27
CVE-2020-12880 [MEDIUM]: An issue was discovered in Pulse Policy Secure (PPS) and Pulse Connect Secure (PCS) Virtual Appliance before 9.1R8. By manipulating a certain kernel boot parameter, it can be tricked into dropping into a root shell in a pre-install phase where the entire source code of the appliance is available and can be retrieved. (The source code is otherwise inaccessib
nvd
CVE-2024-47909 | P4 | MEDIUM | CVSS 4.9 | fixed in 22.7 | v22.7 | 2024-11-12
CVE-2024-47909 [MEDIUM] CWE-121: A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to cause a denial of service.
nvd
CVE-2024-47905 | P4 | MEDIUM | CVSS 4.9 | fixed in 22.7 | v22.7 | 2024-11-12
CVE-2024-47905 [MEDIUM] CWE-121: A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to cause a denial of service.
nvd
CVE-2025-5466 | P4 | MEDIUM | CVSS 4.9 | fixed in 22.7 | v22.7 | 2025-08-12
CVE-2025-5466 [MEDIUM] CWE-776: XEE in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with admin privileges to trigger a denial of service
nvd
CVE-2020-8204 | P4 | MEDIUM | CVSS 6.1 | v9.1 | 2020-07-30
CVE-2020-8204 [MEDIUM] CWE-79: A cross site scripting (XSS) vulnerability exists in Pulse Connect Secure <9.1R5 on the PSAL Page.
nvd
CVE-2018-20814 | P4 | MEDIUM | CVSS 6.1 | v8.3 | 2019-06-28
CVE-2018-20814 [MEDIUM] CWE-79: An XSS issue was found with Psaldownload.cgi in Pulse Secure Pulse Connect Secure (PCS) 8.3R2 before 8.3R2 and Pulse Policy Secure (PPS) 5.4RX before 5.4R2. This is not applicable to PCS 8.1RX or PPS 5.2RX.
nvd
CVE-2016-4789 | P4 | MEDIUM | CVSS 6.1 | v8.1, v8.0 +1 more | 2016-05-26
CVE-2016-4789 [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in the system configuration section in the administrative user interface in Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r9, and 7.4 before 7.4r13.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
nvd