Avalanche Security Vulnerabilities - CVSS Score 9 - 10
Ivanti Avalanche 6.3 allows a SQL injection that is vaguely associated with the Apache HTTP Server, aka Bug 683250.
9.8CVSS
9.7AI Score
0.001EPSS
An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack.
9.1CVSS
9AI Score
0.006EPSS
A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 using Inforail Service allows arbitrary code execution via Data Repository Service.
9.8CVSS
9.7AI Score
0.015EPSS
An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 using inforail Service allows Privilege Escalation via Enterprise Server Service.
9.8CVSS
9.4AI Score
0.01EPSS
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can levera...
9.8CVSS
9.6AI Score
0.093EPSS
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the Web File Serve...
9.8CVSS
9.8AI Score
0.144EPSS
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can levera...
9.8CVSS
9.6AI Score
0.093EPSS
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the GroupDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage...
9.8CVSS
9.6AI Score
0.093EPSS
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the Certificate Ma...
9.8CVSS
9.8AI Score
0.177EPSS
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the Notification S...
9.8CVSS
9.8AI Score
0.177EPSS
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the AvalancheDaoSup...
9.8CVSS
8.3AI Score
0.093EPSS
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.3.101. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the DeviceLogResour...
9.8CVSS
9.3AI Score
0.096EPSS
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetSettings class. The issue results from the lack of authentication prior to allowing...
9.8CVSS
8.2AI Score
0.008EPSS
An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in service disruption or arbitrary code execution. Thanks to a Researcher at Tenable for finding and reporting. Fixed in version 6.4.1.
9.8CVSS
9.2AI Score
0.692EPSS
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve a remove code execution. Fixed in version 6.4.1.
9.8CVSS
6.8AI Score
0.01EPSS
An unauthenticated attacker could achieve the code execution through a RemoteControl server.
9.8CVSS
8.9AI Score
0.396EPSS
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remove code execution.
9.8CVSS
6.7AI Score
0.01EPSS
An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack. Fixed in version 6.4.1.
9.1CVSS
6.2AI Score
0.008EPSS
An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack. Fixed in version 6.4.1.
9.1CVSS
6.5AI Score
0.008EPSS
Ivanti Avalanche decodeToMap XML External Entity Processing. Fixed in version 6.4.1.236
9.8CVSS
6.5AI Score
0.014EPSS
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
9.8CVSS
9.6AI Score
0.001EPSS
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
9.8CVSS
9.6AI Score
0.001EPSS
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
9.8CVSS
9.6AI Score
0.001EPSS
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
9.8CVSS
9.6AI Score
0.009EPSS
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
9.8CVSS
9.6AI Score
0.009EPSS
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
9.8CVSS
9.6AI Score
0.009EPSS
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
9.8CVSS
9.6AI Score
0.008EPSS
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
9.8CVSS
9.6AI Score
0.009EPSS
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
9.8CVSS
9.6AI Score
0.009EPSS
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
9.8CVSS
9.6AI Score
0.009EPSS
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
9.8CVSS
9.6AI Score
0.009EPSS
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
9.8CVSS
9.6AI Score
0.009EPSS
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
9.8CVSS
7.8AI Score
0.009EPSS
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
9.8CVSS
9.6AI Score
0.009EPSS
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remote code execution.
9.8CVSS
7.2AI Score
0.004EPSS
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remove code execution.
9.8CVSS
7.1AI Score
0.012EPSS
An unauthenticated could abuse a XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forgery (SSRF).
9.8CVSS
6.4AI Score
0.011EPSS
An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack.
9.1CVSS
7.1AI Score
0.006EPSS
A Heap overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to execute arbitrary commands.
9.8CVSS
9.7AI Score
0.001EPSS
A Heap Overflow vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands
9.8CVSS
7.8AI Score
0.0004EPSS
Path traversal in the skin management component of Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to achieve denial of service via arbitrary file deletion.
9.1CVSS
7.3AI Score
0.005EPSS