CVSS: 8.2EPSS: 1%CPEs: 1EXPL: 0CVE-2024-36132
https://notcve.org/view.php?id=CVE-2024-36132
07 Aug 2024 — Insufficient verification of authentication controls in EPMM prior to 12.1.0.1 allows a remote attacker to bypass authentication and access sensitive resources. • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-for-Mobile-EPMM-July-2024 • CWE-287: Improper Authentication •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37403
https://notcve.org/view.php?id=CVE-2024-37403
07 Aug 2024 — Ivanti Docs@Work for Android, before 2.26.0 is affected by the 'Dirty Stream' vulnerability. The application fails to properly sanitize file names, resulting in a path traversal-affiliated vulnerability. This potentially enables other malicious apps on the device to read sensitive information stored in the app root. • https://forums.ivanti.com/s/article/Security-Advisory-CVE-2024-37403-Dirty-Stream-for-Ivanti-Docs-Work-for-Android • CWE-24: Path Traversal: '../filedir' •
CVSS: 6.8EPSS: 8%CPEs: 1EXPL: 0CVE-2024-34788
https://notcve.org/view.php?id=CVE-2024-34788
07 Aug 2024 — An improper authentication vulnerability in web component of EPMM prior to 12.1.0.1 allows a remote malicious user to access potentially sensitive information • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-for-Mobile-EPMM-July-2024 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37381
https://notcve.org/view.php?id=CVE-2024-37381
29 Jul 2024 — An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2024 flat allows an authenticated attacker within the same network to execute arbitrary code. • https://forums.ivanti.com/s/article/Security-Advisory-EPM-July-2024-for-EPM-2024 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-38042
https://notcve.org/view.php?id=CVE-2023-38042
31 May 2024 — A local privilege escalation vulnerability in Ivanti Secure Access Client for Windows allows a low privileged user to execute code as SYSTEM. Una vulnerabilidad de escalada de privilegios local en Ivanti Secure Access Client para Windows permite a un usuario con pocos privilegios ejecutar código como SYSTEM. • https://forums.ivanti.com/s/article/Security-Advisory-May-2024?language=en_US • CWE-250: Execution with Unnecessary Privileges •
CVSS: 8.8EPSS: 7%CPEs: 1EXPL: 0CVE-2024-22059
https://notcve.org/view.php?id=CVE-2024-22059
31 May 2024 — A SQL injection vulnerability in web component of Ivanti Neurons for ITSM allows a remote authenticated user to read/modify/delete information in the underlying database. This may also lead to DoS. Una vulnerabilidad de inyección SQL en el componente web de Ivanti Neurons para ITSM permite a un usuario autenticado remoto leer/modificar/eliminar información en la base de datos subyacente. Esto también puede provocar DoS. • https://forums.ivanti.com/s/article/Security-Advisory-May-2024 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46810
https://notcve.org/view.php?id=CVE-2023-46810
31 May 2024 — A local privilege escalation vulnerability in Ivanti Secure Access Client for Linux before 22.7R1, allows a low privileged user to execute code as root. Una vulnerabilidad de escalada de privilegios local en Ivanti Secure Access Client para Linux anterior a 22.7R1 permite a un usuario con pocos privilegios ejecutar código como root. • https://forums.ivanti.com/s/article/Security-Advisory-May-2024 • CWE-269: Improper Privilege Management •
CVSS: 8.7EPSS: 4%CPEs: 1EXPL: 0CVE-2024-22060
https://notcve.org/view.php?id=CVE-2024-22060
31 May 2024 — An unrestricted file upload vulnerability in web component of Ivanti Neurons for ITSM allows a remote, authenticated, high privileged user to write arbitrary files into sensitive directories of ITSM server. Una vulnerabilidad de carga de archivos sin restricciones en el componente web de Ivanti Neurons para ITSM permite a un usuario remoto, autenticado y con altos privilegios escribir archivos arbitrarios en directorios confidenciales del servidor ITSM. • https://forums.ivanti.com/s/article/Security-Advisory-May-2024 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.2EPSS: 0%CPEs: 3EXPL: 0CVE-2023-38551
https://notcve.org/view.php?id=CVE-2023-38551
31 May 2024 — A CRLF Injection vulnerability in Ivanti Connect Secure (9.x, 22.x) allows an authenticated high-privileged user to inject malicious code on a victim’s browser, thereby leading to cross-site scripting attack. Una vulnerabilidad de inyección CRLF en Ivanti Connect Secure (9.x, 22.x) permite a un usuario autenticado con altos privilegios inyectar código malicioso en el navegador de una víctima, lo que lleva a un ataque de cross-site scripting. • https://forums.ivanti.com/s/article/Security-Advisory-May-2024 • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22058
https://notcve.org/view.php?id=CVE-2024-22058
31 May 2024 — A buffer overflow allows a low privilege user on the local machine that has the EPM Agent installed to execute arbitrary code with elevated permissions in Ivanti EPM 2021.1 and older. Un desbordamiento del búfer permite que un usuario con privilegios bajos en la máquina local que tiene instalado el Agente EPM ejecute código arbitrario con permisos elevados en Ivanti EPM 2021.1 y versiones anteriores. • https://forums.ivanti.com/s/article/CVE-2024-22058-Privilege-Escalation-for-Ivanti-Endpoint-Manager-EPM • CWE-122: Heap-based Buffer Overflow •