CVSS: 7.7EPSS: 0%CPEs: 59EXPL: 2CVE-2019-11538
https://notcve.org/view.php?id=CVE-2019-11538
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1, an NFS problem could allow an authenticated attacker to access the contents of arbitrary files on the affected device. En Pulse Secure Pulse Connect Secure versiones 9.0RX anteriores a 9.0R3.4, versiones 8.3RX anteriores a 8.3R7.1, versiones 8.2RX anteriores a 8.2R12.1, y versiones 8.1RX anteriores a 8.1R15.1, un problema NFS podría permitir a un atacante autenticado acceder al contenido de archivos arbitrarios en el dispositivo afectado. • http://www.securityfocus.com/bid/108073 https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101 https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010 https://www.kb.cert.org/vuls/id/927237 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 8.1EPSS: 0%CPEs: 5EXPL: 0CVE-2019-11213
https://notcve.org/view.php?id=CVE-2019-11213
In Pulse Secure Pulse Desktop Client and Network Connect, an attacker could access session tokens to replay and spoof sessions, and as a result, gain unauthorized access as an end user, a related issue to CVE-2019-1573. (The endpoint would need to be already compromised for exploitation to succeed.) This affects Pulse Desktop Client 5.x before Secure Desktop 5.3R7 and Pulse Desktop Client 9.x before Secure Desktop 9.0R3. It also affects (for Network Connect customers) Pulse Connect Secure 8.1 before 8.1R14, 8.3 before 8.3R7, and 9.0 before 9.0R3. En Pulse Secure Pulse Desktop Client y Network Connect, un atacante podría acceder a los tokens de sesión para responder y suplantar sesiones, y , como resultado, obtener acceso no autorizado como usuario final, un problema relacionado con el identificador CVE-2019-1573. • https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44114 https://www.kb.cert.org/vuls/id/192371 • CWE-384: Session Fixation •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10885 – Ivanti Workspace Manager Security Bypass
https://notcve.org/view.php?id=CVE-2019-10885
An issue was discovered in Ivanti Workspace Control before 10.3.90.0. Local authenticated users with low privileges in a Workspace Control managed session can bypass Workspace Control security features configured for this session by resetting the session context. Se ha descubierto un problema en Ivanti Workspace Control en versiones anteriores a la 10.3.90.0. Los usuarios locales autenticados con bajos privilegios en una sesión gestionada de Workspace Control pueden omitir las funcionalidades de seguridad de Workspace Control configuradas para esta sesión restableciendo el contexto de la misma. Ivanti Workspace Manager versions prior to 10.3.90 suffer from a bypass vulnerability. • http://packetstormsecurity.com/files/156792/Ivanti-Workspace-Manager-Security-Bypass.html https://community.ivanti.com/docs/DOC-74552 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2018-20808
https://notcve.org/view.php?id=CVE-2018-20808
An XSS issue has been found with rd.cgi in Pulse Secure Pulse Connect Secure 8.3RX before 8.3R3 due to improper header sanitization. This is not applicable to 8.1RX. Se ha encontrado un problema de Cross-Site Scripting (XSS) con rd.cgi en Pulse Secure Pulse Connect Secure versión 8.3RX anteriores a la 8.3R3 debido al saneamiento inadecuado del encabezado. Esto no es aplicable a la versión 8.1RX. • https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA43877 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-20813
https://notcve.org/view.php?id=CVE-2018-20813
An input validation issue has been found with login_meeting.cgi in Pulse Secure Pulse Connect Secure 8.3RX before 8.3R2. Se ha encontrado un problema de validación de entradas con login_meeting.cgi en Pulse Secure Pulse Connect Secure versión 8.3RX anteriores a la 8.3R2. • https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA43877 • CWE-20: Improper Input Validation •