CVE-2021-22938
https://notcve.org/view.php?id=CVE-2021-22938
A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform command injection via an unsanitized web parameter in the administrator web console. • https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44858/?kA23Z000000L6oySAC • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2021-22933
https://notcve.org/view.php?id=CVE-2021-22933
A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform an arbitrary file delete via a maliciously crafted web request. • https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44858/?kA23Z000000L6oySAC • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-3540 – Ivanti MobileIron Core clish Restricted Shell Escape via Argument Injection
https://notcve.org/view.php?id=CVE-2021-3540
By abusing the 'install rpm info detail' command, an attacker can escape the restricted clish shell on affected versions of Ivanti MobileIron Core. This issue was fixed in version 11.1.0.0. • https://www.rapid7.com/blog/post/2021/06/02/untitled-cve-2021-3198-and-cve-2021-3540-mobileiron-shell-escape-privilege-escalation-vulnerabilities • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CVE-2021-3198 – Ivanti MobileIron Core clish Restricted Shell Escape via OS Command Injection
https://notcve.org/view.php?id=CVE-2021-3198
By abusing the 'install rpm url' command, an attacker can escape the restricted clish shell on affected versions of Ivanti MobileIron Core. This issue was fixed in version 11.1.0.0. • https://www.rapid7.com/blog/post/2021/06/02/untitled-cve-2021-3198-and-cve-2021-3540-mobileiron-shell-escape-privilege-escalation-vulnerabilities • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-22900 – Ivanti Pulse Connect Secure Unrestricted File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2021-22900
A vulnerability allowed multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 that could allow an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface. Ivanti Pulse Connect Secure contains an unrestricted file upload vulnerability that allows an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface. • https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/?kA23Z000000boUWSAY • CWE-94: Improper Control of Generation of Code ('Code Injection') • CWE-669: Incorrect Resource Transfer Between Spheres