CVE-2023-39337 - MobileConfig profile download authentication bypass
Last Modified Date Dec 11, 2023 2:11:27 PM...
CVE-2023-39338 - Authenticated user access protected Sentry service vulnerability
Last Modified Date Jul 9, 2025 1:23:20 PM...
CVE-2023-38041 New client side release to address a privilege escalation on Windows user machines
Summary A vulnerability exists in all versions of the Ivanti Secure Access Client below 22.6R1 that would allow an unprivileged local user to gain unauthorized elevated privileges on the affected system. Mitigation Currently none. Resolution To resolve the below-mentioned vulnerability, upgrade you...
SA-2023-08-08-CVE-2023-35084
SECURITY ADVISORY 08-08-2023 Product Affected: Ivanti Endpoint Manager A vulnerability was recently discovered for EPM 2022 SU3 and all previous versions. We have a Hotfix available to remediate this vulnerability that can be found by going to CVE-2023-35084 Full details. Please log into the...
SA-2023-08-08-CVE-2023-35083
SECURITY ADVISORY 08-08-2023 Product Affected: Ivanti Endpoint Manager A vulnerability was recently discovered for EPM 2022 SU3 and all previous versions. We have a Hotfix available to remediate this vulnerability that can be found by going to CVE-2023-35083 Full details. Please log into the...
Samsung Email app security patch for CWE-297
Last Modified Date Sep 15, 2023 7:06:21 AM...
Security Advisory - Avalanche CVE-2023-38036
Last Modified Date Mar 8, 2024 4:49:43 PM...
KB API Authentication Bypass on Sentry Administrator Interface - CVE-2023-38035
A vulnerability has been discovered in Ivanti Sentry, formerly MobileIron Sentry. This vulnerability impacts all supported versions – 9.18, 9.17, and 9.16. Older versions/releases are also at risk. This vulnerability does not affect other Ivanti products or solutions, such as Ivanti EPMM,...
CVE-2023-38035 – API Authentication Bypass on Sentry Administrator Interface
A vulnerability has been discovered in Ivanti Sentry, formerly known as MobileIron Sentry. This vulnerability impacts versions 9.18 and prior. The vulnerability does not impact other Ivanti products, such as Ivanti EPMM or Ivanti Neurons for MDM. If exploited, this vulnerability enables an...
Sentry : Database Open Access Vulnerability
Last Modified Date Aug 17, 2023 3:23:30 PM...
Avalanche Vulnerabilities Addressed in 6.4.1
Security Advisory for Avalanche 6.4 and older. To resolve these vulnerabilities, please upgrade to Avalanche 6.4.1.207. Download Page: https://www.wavelink.com/Download-AvalancheMobile-Device-Management-Software/ Release Notes:...
CVE-2023-35082 – Remote Unauthenticated API Access Vulnerability
DESCRIPTION: Update: Since originally reporting CVE-2023-35082 on 2 August 2023 at 10:00 MDT, Ivanti has continued its investigation and has found that this vulnerability impacts all versions of Ivanti Endpoint Manager Mobile EPMM 11.10, 11.9 and 11.8 and MobileIron Core 11.7 and below. The risk ...
CVE-2023-35081 - Remote Arbitrary File Write
A vulnerability has been discovered in Ivanti Endpoint Manager Mobile EPMM, formerly known as MobileIron Core. This vulnerability impacts all supported versions – releases 11.10, 11.9 and 11.8. Older versions/releases are also at risk. This vulnerability is different from CVE-2023-35078, released ...
SA-2023-07-26-CVE-2023-28129
SECURITY ADVISORY 07-26-2023 Product Affected: Ivanti Desktop and Server Management A vulnerability was recently discovered in DSM 2022.1 Service Update 1. This vulnerability is remediated in DSM 2022.2 Service Update 3. Vulnerability Information CVE | CVSS | Summary | Product Affected...
CVE-2023-35078 - Remote Unauthenticated API Access Vulnerability
A vulnerability has been discovered in Ivanti Endpoint Manager Mobile EPMM, formerly known as MobileIron Core. This vulnerability impacts all supported versions – Version 11.4 releases 11.10, 11.9 and 11.8. Older versions/releases are also at risk. If exploited, this vulnerability enables an...
SA-2023-07-19-CVE-2023-35077
SECURITY ADVISORY 07-19-2023 Product Affected: Ivanti Endpoint Manager A vulnerability was recently discovered for Ivanti Antivirus Security Content version 7.94791 and all previous versions. Updating to Ivanti Antivirus Product version 7.9.1.285 will allow the Security Content version to update ...
CVE (2023-34298) Ivanti Secure Access Client Local Privilege Escalation
Summary A logged in Windows user can leverage functionality of the Pulse Secure / Ivanti Secure Access Client or Pulse Secure Installer Service to carry out a privilege escalation on the user machine. Mitigation None Currently Related Links https://forums.ivanti.com/s/article/New-Client-Side...
SA-2023-06-20-CVE-2023-28323
SECURITY ADVISORY 06-20-2023 Product Affected: Ivanti Endpoint Manager A vulnerability was recently discovered for EPM 2022 SU3 and all previous versions. We have a Hotfix available to remediate this vulnerability that can be found by going to CVE-2023-28323 Full details. Please log into the...
SA-2023-06-06-CVE-2023-28324
SECURITY ADVISORY 06-06-2023 Product Affected: Ivanti Endpoint Manager A vulnerability was recently discovered for Ivanti Endpoint Manager for all versions of 2022 SU2 and below. Please patch to the latest version of EPM 2022. If you are using 2021.1, please patch to SU4 and apply the hotfix as...
ZDI-CAN-17750: Ivanti Avalanche EnterpriseServer GetSettings Exposed Dangerous Method Authentication Bypass Vulnerability
This vulnerability allows an attacker to bypass the patches for the following vulnerabilities: ZDI-CAN-15251, ZDI-CAN-15137, ZDI-CAN-15528, ZDI-CAN-15919. Those patches restricted access to the messages or validated the response through the calculation of the h.meta1 token. However, the attacker is able to leak t...
ZDI-CAN-17769 Ivanti Avalanche getLogFile Directory Traversal Information Disclosure
This advisory presents a bypass for the ZDI-CAN-15967 patch (Path Traversal leading to Arbitrary File Read). The getLogFile method verifies the UUID input parameter; however, it does not verify the provided fileName path. As a result, the attacker can still exploit this issue and retrieve files...
ZDI-CAN-17812: Ivanti Avalanche FileStoreConfig Arbitrary File Upload Remote Code Execution Vulnerability
This vulnerability presents a bypass for the ZDI-CAN-14187 patch (Arbitrary File Upload leading to Remote Code Execution). The blacklist of forbidden directories can be bypassed with 8.3 short filenames: instead of the "Program Files" directory, the attacker may use "PROGRA~1". .jsp...
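Added example, not Ivanti's, ZDI's or Avalanche's own code: a portable Python sketch of the two check patterns behind the getLogFile and FileStoreConfig entries above. The denylist `FORBIDDEN_DIRS`, the `get_log_file_*` functions, the UUID and the sample paths are all constructed for illustration. The first check shows why the 8.3 short name PROGRA~1 slips past a substring match on "Program Files"; the hardened checks canonicalise with os.path.realpath and require the result to stay under an allowed root, and reject any fileName that is more than a single path component, which closes the unchecked-fileName traversal as well.

```python
import os
import re
import tempfile

# Constructed denylist modelled on a "forbidden directories" blacklist (illustrative only).
FORBIDDEN_DIRS = ("program files", "windows", "inetpub")

UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)


def denylist_allows(dest_dir: str) -> bool:
    """Bypassable pattern: reject destinations by substring match on directory names.
    An 8.3 short name such as PROGRA~1 never contains 'program files', so it passes."""
    normalised = dest_dir.replace("\\", "/").lower().rstrip("/") + "/"
    return not any(f"/{name}/" in normalised for name in FORBIDDEN_DIRS)


def under_root(candidate: str, root: str) -> bool:
    """Hardened pattern: canonicalise both sides, then require candidate to stay inside root.
    The decision is made on the resolved path, so '..', mixed separators and alternate
    spellings of a directory cannot change it."""
    root_real = os.path.realpath(root)
    cand_real = os.path.realpath(candidate)
    try:
        return os.path.commonpath([root_real, cand_real]) == root_real
    except ValueError:  # different drives on Windows: cannot be under root
        return False


def get_log_file_vulnerable(uuid: str, file_name: str, log_root: str) -> str:
    """Mirrors the flaw in the advisory: the UUID is validated, fileName is not."""
    if not UUID_RE.match(uuid):
        raise ValueError("bad uuid")
    return os.path.join(log_root, uuid, file_name)  # '../' in file_name escapes log_root


def get_log_file_hardened(uuid: str, file_name: str, log_root: str) -> str:
    """Validate both parameters and confirm the resolved path stays in the UUID's directory."""
    if not UUID_RE.match(uuid):
        raise ValueError("bad uuid")
    if file_name in ("", ".", "..") or "/" in file_name or "\\" in file_name:
        raise ValueError("file name must be a single path component")
    log_dir = os.path.join(log_root, uuid)
    path = os.path.join(log_dir, file_name)
    if not under_root(path, log_dir):
        raise ValueError("path escapes log directory")
    return path


def demo() -> dict:
    """Run both patterns over constructed attacker inputs and return the decisions."""
    uid = "123e4567-e89b-12d3-a456-426614174000"          # constructed UUID
    long_name = "C:/Program Files/Wavelink/web/shell.jsp"  # blocked by the denylist
    short_name = "C:/PROGRA~1/Wavelink/web/shell.jsp"      # same directory, 8.3 spelling
    with tempfile.TemporaryDirectory() as root:
        upload_root = os.path.join(root, "uploads")
        log_root = os.path.join(root, "logs")
        os.makedirs(upload_root)
        os.makedirs(os.path.join(log_root, uid))
        results = {
            "denylist_long": denylist_allows(long_name),             # False
            "denylist_short": denylist_allows(short_name),           # True: bypass
            "allowlist_short": under_root(short_name, upload_root),  # False
            "allowlist_inside": under_root(
                os.path.join(upload_root, "pkg.zip"), upload_root),  # True
        }
        traversal = "../../../etc/passwd"
        escaped = get_log_file_vulnerable(uid, traversal, log_root)
        results["vulnerable_escapes"] = not under_root(escaped, log_root)  # True
        try:
            get_log_file_hardened(uid, traversal, log_root)
            results["hardened_rejects"] = False
        except ValueError:
            results["hardened_rejects"] = True                             # True
        results["hardened_accepts_plain"] = get_log_file_hardened(
            uid, "server.log", log_root).endswith("server.log")            # True
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:24} {outcome}")
```

The hardened functions decide on the resolved path rather than on the spelling of the input; that is the property a denylist of directory names lacks, and it is what defeats the PROGRA~1 trick and the unchecked fileName traversal alike.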
ZDI-CAN-17729 - CVE-2023-28125 - Bug 958437: ZDI-CAN-17729: Ivanti Avalanche InfoRail Authentication Bypass Vulnerability
Last Modified Date 2024-3-8 16:51:05...
Avalanche ZDI-CAN-19513 Security Advisory
Last Modified Date Apr 3, 2023 8:41:48 PM...
HSTS security vulnerability on CSA
Last Modified Date Jul 27, 2023 11:22:48 AM...
JSA10571 - 2013-06 Security Bulletin: Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS): Internal and test Certificate Authority Root Servers unintentionally added to Trusted CA list
Edit: 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. The Pulse Connect Secure PCS and Pulse Policy Secure PPS software use a Trusted Server CA Root Certificate list to verify the validity of certificates. Internal and development...
JSA10462 - Cross-site scripting issue with file browsing upload page
Problem A cross-site scripting XSS vulnerability was identified in the PCS / PPS file browsing upload page during a routine security scan. Specifically, this URL is called when a user attempts to upload a set of files. A malicious URL can be crafted with a bad payload that could allow unauthorize...
JSA10469 - Pre-authentication CGI script prints arbitrary contents of XML and ZIP files
Edit: 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. Certain CGI scripts found on the appliance are accessible during pre-authentication. There is an issue that may allow access to arbitrary XML files or the contents of ZIP files on the...
JSA10590 - 2013-09 Security Bulletin: Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS): Crafted packet can cause denial of service
Edit: 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. A denial of service DoS issue has been found on the Pulse Connect Secure PCS and Pulse Policy Secure PPS devices. This issue can cause the system to hang ultimately requiring a restart ...
JSA10502 - 2012-03 Security Bulletin: Pulse Connect Secure (PCS): Cross Site Scripting Issue
Ivanti 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. A cross site scripting issue has been found in the Pulse Connect Secure device. The issue is due to incorrect validation of user input sent to the web server. This issue...
JSA10544 - 2012-11 Security Bulletin: Steel-Belted Radius: Multiple OpenSSL Vulnerabilities
Problem OpenSSL software distributed with Steel-Belted Radius is vulnerable to CVE-2011-4619, and CVE-2011-4576. These may allow decrypting encrypted information or cause a denial of service condition for the Steel-Belted Radius server. CVE-2011-4576 The SSL 3.0 implementation in OpenSSL before...
JSA10553 - 2013-03: Security Bulletin: Pulse Secure Mobile: Android client privilege escalation
Edit: 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. A security issue has been found in the Pulse Secure Mobile for Android. This issue could only be carried out on an Android phone that was "rooted". An issue in the Pulse Secure Mobile f...
JSA10350 - Optimistic TCP acknowledgements can cause denial of service (CERT/CC VU#102014)
The Transmission Control Protocol TCP is described in RFC 793 as a means to provide reliable host-to-host transmission between hosts in a packet-switched computer network. Numerous Internet protocols such as HTTP, SMTP, and FTP rely on TCP as their underlying transport protocol. Several different...
JSA10453 - 2010-09 Security Bulletin: Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS): Local Client Logging Issue
Ivanti 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. User session information is saved to the local system even when client logging is disabled. Pulse Secure would like to acknowledge Espion Ltd. Dublin, Ireland for bringing this to our...
JSA10591 - 2013-09 Security Bulletin: Pulse Connect Secure and Pulse Policy Secure: Multiple OpenSSL vulnerabilities
Edit: 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. Multiple OpenSSL vulnerabilities have been found in the PCS and PPS devices. CVE | Issue | CVE Description | CVSS Score: CVE-2012-2131 | OpenSSL buffer overflow issue | Multip...
JSA10470 - Pre-authentication CGI script fails to fully validate all parameters
Edit: 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. CGI scripts accessible during pre-authentication may fail to verify the validity of values supplied as parameters. This could lead to the arbitrary fetching of ".exe" files from the...
JSA10536 - 2012-09 Security Bulletin: Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS): Specifically crafted https packet may cause denial of service
Edit: 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. A denial of service issue was found in the Pulse Connect Secure PCS and Pulse Policy Secure PPS system software. A specific malformed https packet can potentially cause a system service...
JSA10402 - Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS) - Multiple Web-based CGI and Cross Site Scripting (XSS) vulnerabilities.
Ivanti 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. CGI and Cross Site Scripting vulnerabilities found and fixed through a combination of internal and external proactive security testing: - Internal path was displayed in some error...
JSA10471 - Out of Cycle Security Bulletin: Pulse Connect Secure (PCS) Network Connect Credential Provider Issue
Ivanti 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. There is an issue with Network Connect Credential Provider where local machine authentication can be bypassed on Windows 7 and Vista. If Network Connect Credential Provider is configur...
JSA10628 - 2014-06 Security Bulletin: Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS): Weak SSL cipher allowed unexpectedly when higher level cipher group is configured (CVE-2014-3812)
Edit: 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. A weak cipher issue has been discovered on the Pulse Connect Secure PCS and Pulse Policy Secure PPS devices. When configuring the device to use a higher level cipher setting, a lower...
JSA10445 - 2010-06 Security Bulletin: Pulse Connect Secure (PCS) Cross Site Scripting Issue in Windows Secure Application Manager
Ivanti 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. Cross site scripting issue on uninstallation link for Windows Secure Application Manager. This issue was found during internal proactive security testing. This vulnerability only affec...
JSA10648 - 2014-09 Out of Cycle Security Bulletin: Multiple Products: Shell Command Injection Vulnerability in Bash
Edit: 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. Bash, or the Bourne-again shell, has vulnerabilities in the way it handles environment variables when it is invoked. Under some scenarios, network-based remote attackers can inject shell...
JSA10656 - 2014-10 Out of Cycle Security Bulletin: Multiple products affected by SSL POODLE vulnerability (CVE-2014-3566)
Ivanti 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. The SSL protocol 3.0 SSLv3 uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack. This issue is...
JSA10376 - Pulse Policy Secure (PPS) Infranet Controller Webroot Path Disclosure Vulnerability
Ivanti 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. By requesting the 'remediate.cgi' script omitting certain parameters, the embedded IC web server returns the physical path of the webroot '/home/webserver/htdocs/' within an "Execute...
JSA10589 - 2013-09 Security Bulletin: Pulse Connect Secure (PCS): Multiple cross site scripting issues
Ivanti 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. Multiple cross site scripting issues have been found in the Pulse Connect Secure PCS product. The issues are the result of incorrect validation of user input sent to the PCS web server...
JSA10374 - Pulse Connect Secure (PCS) SSL VPN Webroot Path Disclosure Vulnerability
Ivanti 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. By requesting the 'remediate.cgi' script omitting certain parameters, the embedded PCS web server returns the physical path of the webroot '/home/webserver/htdocs/' within an "Execute...
JSA10482 - 2011-07 Out of Cycle Security Bulletin: Multiple Products; TLS/SSL Renegotiation Vulnerability (CVE-2009-3555)
Edit: 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. CVE-2009-3555 summary: The TLS protocol, and the SSL protocol 3.0 and possibly earlier, does not properly associate renegotiation handshakes with an existing connection, which allows...
JSA10497 - 2012-09: Security, Access, and Acceleration: Security Advisories Released
Edit: 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. A new Security, Access, and Acceleration product security advisory bundle has been released. This message contains the links to the new JSA advisories that have been released. In the...
JSA10602 - 2013-12 Security Bulletin: Pulse Connect Secure (PCS): Cross site scripting issue (CVE-2013-6956)
Ivanti 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. A cross site scripting issue has been found in Pulse Connect Secure PCS. The problem is a result of incorrect user input validation on the PCS web server. The issue exists within a fil...
JSA10512 - 2012-06 Security Bulletin: Pulse Connect Secure (PCS): Open redirect issue
Ivanti 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. An open redirect issue has been found in the Pulse Connect Secure PCS product. The issue is caused by incorrect validation of user input sent to the PCS web server. The issue exists in...