CVSS: 5.3EPSS: 5%CPEs: 60EXPL: 0CVE-2024-22023
https://notcve.org/view.php?id=CVE-2024-22023
04 Apr 2024 — An XML entity expansion or XEE vulnerability in SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in-order-to temporarily cause resource exhaustion thereby resulting in a limited-time DoS. Una expansión de entidad XML o vulnerabilidad XEE en el componente SAML de Ivanti Connect Secure (9.x, 22.x) e Ivanti Policy Secure permite que un atacante no autenticado envíe solicitudes XML especialmente manipuladas par... • https://forums.ivanti.com/s/article/New-CVE-2024-21894-Heap-Overflow-CVE-2024-22052-Null-Pointer-Dereference-CVE-2024-22053-Heap-Overflow-and-CVE-2024-22023-XML-entity-expansion-or-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US • CWE-476: NULL Pointer Dereference CWE-703: Improper Check or Handling of Exceptional Conditions •
CVSS: 8.3EPSS: 93%CPEs: 8EXPL: 1CVE-2024-22024
https://notcve.org/view.php?id=CVE-2024-22024
13 Feb 2024 — An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication. Una entidad externa XML o vulnerabilidad XXE en el componente SAML de Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) y puertas de enlace ZTA que permite a un atacante acceder a ciertos recursos restringidos sin autenticación. • https://github.com/0dteam/CVE-2024-22024 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 8.5EPSS: 94%CPEs: 107EXPL: 3CVE-2024-21893 – Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability
https://notcve.org/view.php?id=CVE-2024-21893
31 Jan 2024 — A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication. Una vulnerabilidad de server-side request forgery en el componente SAML de Ivanti Connect Secure (9.x, 22.x) e Ivanti Policy Secure (9.x, 22.x) e Ivanti Neurons for ZTA permite a un atacante acceder a ciertos recursos restringidos sin autenticación. Ivanti Connec... • https://packetstorm.news/files/id/177229 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.0EPSS: 66%CPEs: 106EXPL: 0CVE-2024-21888
https://notcve.org/view.php?id=CVE-2024-21888
31 Jan 2024 — A privilege escalation vulnerability in web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator. Una vulnerabilidad de escalada de privilegios en el componente web de Ivanti Connect Secure (9.x, 22.x) e Ivanti Policy Secure (9.x, 22.x) permite a un usuario elevar privilegios a los de administrador. • https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US •
CVSS: 9.1EPSS: 94%CPEs: 81EXPL: 13CVE-2024-21887 – Ivanti Connect Secure and Policy Secure Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2024-21887
12 Jan 2024 — A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. Una vulnerabilidad de inyección de comandos en componentes web de Ivanti Connect Secure (9.x, 22.x) e Ivanti Policy Secure (9.x, 22.x) permite a un administrador autenticado enviar solicitudes especialmente manipuladas y ejecutar comandos arbitrarios en el disposi... • https://packetstorm.news/files/id/176668 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 8.5EPSS: 94%CPEs: 81EXPL: 12CVE-2023-46805 – Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2023-46805
12 Jan 2024 — An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks. Una vulnerabilidad de omisión de autenticación en el componente web de Ivanti ICS 9.x, 22.x e Ivanti Policy Secure permite a un atacante remoto acceder a recursos restringidos omitiendo las comprobaciones de control. Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways... • https://packetstorm.news/files/id/176668 • CWE-287: Improper Authentication •
CVSS: 7.8EPSS: 6%CPEs: 60EXPL: 0CVE-2023-39340
https://notcve.org/view.php?id=CVE-2023-39340
16 Dec 2023 — A vulnerability exists on all versions of Ivanti Connect Secure below 22.6R2 where an attacker can send a specific request which may lead to Denial of Service (DoS) of the appliance. Existe una vulnerabilidad en todas las versiones de Ivanti Connect Secure inferiores a 22.6R2 donde un atacante puede enviar una solicitud específica que puede provocar una denegación de servicio (DoS) del dispositivo. • https://forums.ivanti.com/s/article/Security-fix-release-Ivanti-Connect-Secure-22-6R2-and-22-6R2-1?language=en_US •
CVSS: 8.3EPSS: 54%CPEs: 53EXPL: 0CVE-2023-41719
https://notcve.org/view.php?id=CVE-2023-41719
14 Dec 2023 — A vulnerability exists on all versions of Ivanti Connect Secure below 22.6R2 where an attacker impersonating an administrator may craft a specific web request which may lead to remote code execution. Existe una vulnerabilidad en todas las versiones de Ivanti Connect Secure inferiores a 22.6R2 donde un atacante que se hace pasar por un administrador puede crear una solicitud web específica que puede conducir a la ejecución remota de código. • https://forums.ivanti.com/s/article/Security-patch-release-Ivanti-Connect-Secure-22-6R2-and-22-6R2-1?language=en_US •
CVSS: 7.8EPSS: 0%CPEs: 12EXPL: 0CVE-2023-41720
https://notcve.org/view.php?id=CVE-2023-41720
14 Dec 2023 — A vulnerability exists on all versions of Ivanti Connect Secure below 22.6R2 where an attacker with a foothold on an Ivanti Connect Secure (ICS) appliance can escalate their privileges by exploiting a vulnerable installed application. This vulnerability allows the attacker to gain elevated execution privileges on the affected system. Existe una vulnerabilidad en todas las versiones de Ivanti Connect Secure inferiores a 22.6R2 donde un atacante con un punto de apoyo en un dispositivo Ivanti Connect Secure (I... • https://forums.ivanti.com/s/article/Security-patch-release-Ivanti-Connect-Secure-22-6R2-and-22-6R2-1?language=en_US •
CVSS: 7.8EPSS: 1%CPEs: 76EXPL: 0CVE-2022-35254
https://notcve.org/view.php?id=CVE-2022-35254
05 Dec 2022 — An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust Access in versions prior to 22.3R1. Un atacante no autenticado puede provocar una Denegación de Servicio (DoS) a los siguientes productos: Ivanti Connect Secure (ICS) en versiones anteriores a 9.1R14.3, 9.1R15.2, 9.1R16.2 y 22.2R4, Iva... • https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA45520/?kA23Z000000GH5OSAW • CWE-400: Uncontrolled Resource Consumption CWE-416: Use After Free •