CVSS: 7.8 • EPSS: 1% • CPEs: 1 • EXPL: 0

14 Aug 2024 — An off-by-one error in WLInfoRailService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS. • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-6-4-4-CVE-2024-38652-CVE-2024-38653-CVE-2024-36136-CVE-2024-37399-CVE-2024-37373 • CWE-193: Off-by-one Error

CVSS: 10.0 • EPSS: 94% • CPEs: 2 • EXPL: 7

13 Aug 2024 — Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel. Ivanti Virtual Traffic Manager contains an authentication bypass vulnerability that allows a remote, unauthenticated attacker to create a chosen administrator account. • https://packetstorm.news/files/id/180873 • CWE-287: Improper Authentication • CWE-303: Incorrect Implementation of Authentication Algorithm

CVSS: 8.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

13 Aug 2024 — Improper certificate validation in Ivanti ITSM on-prem and Neurons for ITSM Versions 2023.4 and earlier allows a remote attacker in a MITM position to craft a token that would allow access to ITSM as any user. • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Neurons-for-ITSM-CVE-2024-7569-CVE-2024-7570 • CWE-295: Improper Certificate Validation

CVSS: 10.0 • EPSS: 6% • CPEs: 1 • EXPL: 0

13 Aug 2024 — An information disclosure vulnerability in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier allows an unauthenticated attacker to obtain the OIDC client secret via debug information. • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Neurons-for-ITSM-CVE-2024-7569-CVE-2024-7570 • CWE-215: Insertion of Sensitive Information Into Debugging Code • CWE-922: Insecure Storage of Sensitive Information

CVSS: 10.0 • EPSS: 3% • CPEs: 1 • EXPL: 0

07 Aug 2024 — An insufficient authorization vulnerability in web component of EPMM prior to 12.1.0.1 allows an unauthorized attacker within the network to execute arbitrary commands on the underlying operating system of the appliance. • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-for-Mobile-EPMM-July-2024 • CWE-285: Improper Authorization

CVSS: 9.0 • EPSS: 2% • CPEs: 1 • EXPL: 0

07 Aug 2024 — An insecure deserialization vulnerability in web component of EPMM prior to 12.1.0.1 allows an authenticated remote attacker to execute arbitrary commands on the underlying operating system of the appliance. • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-for-Mobile-EPMM-July-2024 • CWE-502: Deserialization of Untrusted Data

CVSS: 8.2 • EPSS: 2% • CPEs: 1 • EXPL: 0

07 Aug 2024 — Insufficient verification of authentication controls in EPMM prior to 12.1.0.1 allows a remote attacker to bypass authentication and access sensitive resources. • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-for-Mobile-EPMM-July-2024 • CWE-287: Improper Authentication

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

07 Aug 2024 — Ivanti Docs@Work for Android before 2.26.0 is affected by the 'Dirty Stream' vulnerability. The application fails to properly sanitize file names, resulting in a path traversal-affiliated vulnerability. This potentially enables other malicious apps on the device to read sensitive information stored in the app root. • https://forums.ivanti.com/s/article/Security-Advisory-CVE-2024-37403-Dirty-Stream-for-Ivanti-Docs-Work-for-Android • CWE-24: Path Traversal: '../filedir'

CVSS: 6.8 • EPSS: 12% • CPEs: 1 • EXPL: 0

07 Aug 2024 — An improper authentication vulnerability in web component of EPMM prior to 12.1.0.1 allows a remote malicious user to access potentially sensitive information. • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-for-Mobile-EPMM-July-2024 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 8.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

29 Jul 2024 — An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2024 flat allows an authenticated attacker within the same network to execute arbitrary code. • https://forums.ivanti.com/s/article/Security-Advisory-EPM-July-2024-for-EPM-2024 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')