CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-13180 – Ivanti Avalanche Faces ResourceManager Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2024-13180
14 Jan 2025 — Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information. This CVE addresses incomplete fixes from CVE-2024-47011. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Faces Mojarra component. The issue results from the use of a vulnerable third-party library. • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-6-4-7-Multiple-CVEs • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2024-13179 – Ivanti Avalanche SecureFilter Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2024-13179
14 Jan 2025 — Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication. This vulnerability allows remote attackers to partially bypass authentication on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SecureFilter class. The issue results from incorrect string matching when making an authorization decision. An attacker can leverage this vulnerability to partially b... • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-6-4-7-Multiple-CVEs • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 7.0EPSS: 0%CPEs: 3EXPL: 0CVE-2025-0283
https://notcve.org/view.php?id=CVE-2025-0283
08 Jan 2025 — A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges. • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283 • CWE-121: Stack-based Buffer Overflow •
CVSS: 9.3EPSS: 90%CPEs: 3EXPL: 17CVE-2025-0282 – Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability
https://notcve.org/view.php?id=CVE-2025-0282
08 Jan 2025 — A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution. Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow which can lead to unauthenticated remote code execution. • https://packetstorm.news/files/id/188667 • CWE-121: Stack-based Buffer Overflow •
CVSS: 7.8EPSS: 1%CPEs: 1EXPL: 0CVE-2024-37401
https://notcve.org/view.php?id=CVE-2024-37401
11 Dec 2024 — An out-of-bounds read in IPsec of Ivanti Connect Secure before version 22.7R2.1 allows a remote unauthenticated attacker to cause a denial of service. • https://forums.ivanti.com/s/article/December-2024-Security-Advisory-Ivanti-Connect-Secure-ICS-and-Ivanti-Policy-Secure-IPS-Multiple-CVEs • CWE-125: Out-of-bounds Read •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37377
https://notcve.org/view.php?id=CVE-2024-37377
11 Dec 2024 — A heap-based buffer overflow in IPsec of Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to cause a denial of service. • https://forums.ivanti.com/s/article/December-2024-Security-Advisory-Ivanti-Connect-Secure-ICS-and-Ivanti-Policy-Secure-IPS-Multiple-CVEs • CWE-787: Out-of-bounds Write •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8496
https://notcve.org/view.php?id=CVE-2024-8496
11 Dec 2024 — Under specific circumstances, insecure permissions in Ivanti Workspace Control before version 10.18.40.0 allows a local authenticated attacker to achieve local privilege escalation. • https://forums.ivanti.com/s/article/December-2024-Security-Advisory-Ivanti-Workspace-Control-IWC-CVE-2024-8496 • CWE-276: Incorrect Default Permissions •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9845
https://notcve.org/view.php?id=CVE-2024-9845
11 Dec 2024 — Under specific circumstances, insecure permissions in Ivanti Automation before version 2024.4.0.1 allows a local authenticated attacker to achieve local privilege escalation. • https://forums.ivanti.com/s/article/December-2024-Security-Advisory-Ivanti-Automation-CVE-2024-9845 • CWE-276: Incorrect Default Permissions •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10251
https://notcve.org/view.php?id=CVE-2024-10251
11 Dec 2024 — Under specific circumstances, insecure permissions in Ivanti Security Controls before version 2024.4.1 allows a local authenticated attacker to achieve local privilege escalation. • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Security-Controls-iSec-CVE-2024-10251 • CWE-276: Incorrect Default Permissions •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-11773
https://notcve.org/view.php?id=CVE-2024-11773
10 Dec 2024 — SQL injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements. • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Services-Application-CSA-CVE-2024-11639-CVE-2024-11772-CVE-2024-11773 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •