CVE-2023-32560

An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in service disruption or arbitrary code execution. Thanks to a Researcher at Tenable for finding and reporting. Fixed in version 6.4.1.

CVE-2024-24996

A Heap overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to execute arbitrary commands.

CVE-2023-32563

An unauthenticated attacker could achieve the code execution through a RemoteControl server.

CVE-2024-38652

Path traversal in the skin management component of Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to achieve denial of service via arbitrary file deletion.

CVE-2022-36983

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetSettings class. The issue results from the lack of authentication prior to allowing...

CVE-2024-22061

A Heap Overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands

CVE-2024-29204

A Heap Overflow vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands

CVE-2022-36980

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the EnterpriseServe...

CVE-2020-12442

Ivanti Avalanche 6.3 allows a SQL injection that is vaguely associated with the Apache HTTP Server, aka Bug 683250.

CVE-2021-22962

An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack.

CVE-2023-32562

An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve a remove code execution. Fixed in version 6.4.1.

CVE-2023-32566

An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack. Fixed in version 6.4.1.

CVE-2022-36971

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the JwtTokenUtilit...

CVE-2022-36977

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the Certificate Ma...

CVE-2023-32564

An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remove code execution.

CVE-2022-36978

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the Notification S...

CVE-2022-36972

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can levera...

CVE-2022-36973

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the ProfileDaoImpl ...

CVE-2024-47009

Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.

CVE-2022-36974

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the Web File Serve...

CVE-2022-36976

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the GroupDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage...

CVE-2023-32565

An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack. Fixed in version 6.4.1.

CVE-2023-32567

Ivanti Avalanche decodeToMap XML External Entity Processing. Fixed in version 6.4.1.236

CVE-2023-41727

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

CVE-2024-13179

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication.

CVE-2024-13181

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication. This CVE addresses incomplete fixes from CVE-2024-47010.

CVE-2021-42127

A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 using Inforail Service allows arbitrary code execution via Data Repository Service.

CVE-2023-46263

An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remote code execution.

CVE-2022-36981

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.3.101. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the DeviceLogResour...

CVE-2024-47010

Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.

CVE-2022-36975

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can levera...

CVE-2023-46258

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

CVE-2022-36979

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the AvalancheDaoSup...

CVE-2023-46216

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

CVE-2023-46222

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

CVE-2023-46257

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

CVE-2023-46264

An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remove code execution.

CVE-2021-42128

An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 using inforail Service allows Privilege Escalation via Enterprise Server Service.

CVE-2023-46224

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

CVE-2023-46261

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

CVE-2023-46265

An unauthenticated could abuse a XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forgery (SSRF).

CVE-2023-46220

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

CVE-2023-46223

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

CVE-2023-46217

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

CVE-2023-46259

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

CVE-2023-46260

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

CVE-2023-46266

An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack.

CVE-2023-46221

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

CVE-2023-46225

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

CVE-2023-38036

A security vulnerability within Ivanti Avalanche Manager before version 6.4.1 may allow an unauthenticated attacker to create a buffer overflow that could result in service disruption or arbitrary code execution.