CVSS: 7.8EPSS: 1%CPEs: 76EXPL: 0CVE-2022-35258
https://notcve.org/view.php?id=CVE-2022-35258
05 Dec 2022 — An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust Access in versions prior to 22.3R1. Un atacante no autenticado puede provocar una Denegación de Servicio (DoS) a los siguientes productos: Ivanti Connect Secure (ICS) en versiones anteriores a 9.1R14.3, 9.1R15.2, 9.1R16.2 y 22.2R4, Iva... • https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA45520/?kA23Z000000GH5OSAW • CWE-128: Wrap-around Error CWE-682: Incorrect Calculation •
CVSS: 5.5EPSS: 39%CPEs: 39EXPL: 0CVE-2022-21826
https://notcve.org/view.php?id=CVE-2022-21826
30 Sep 2022 — Pulse Secure version 9.115 and below may be susceptible to client-side http request smuggling, When the application receives a POST request, it ignores the request's Content-Length header and leaves the POST body on the TCP/TLS socket. This body ends up prefixing the next HTTP request sent down that connection, this means when someone loads website attacker may be able to make browser issue a POST to the application, enabling XSS. Pulse Secure versiones 9.115,y anteriores, pueden ser susceptibles de contrab... • https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/Client-Side-Desync-Attack • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 8.3EPSS: 1%CPEs: 21EXPL: 0CVE-2021-44720
https://notcve.org/view.php?id=CVE-2021-44720
11 Aug 2022 — In Ivanti Pulse Secure Pulse Connect Secure (PCS) before 9.1R12, the administrator password is stored in the HTML source code of the "Maintenance > Push Configuration > Targets > Target Name" targets.cgi screen. A read-only administrative user can escalate to a read-write administrative role. En Ivanti Pulse Secure Pulse Connect Secure (PCS) versiones anteriores a 9.1R12, la contraseña del administrador se almacena en el código fuente HTML de la pantalla "Maintenance ) Push Configuration ) Targets ) Target ... • https://gist.github.com/JGarciaSec/2060ec1c8efc1d573a1ddb754c6b4f84 • CWE-798: Use of Hard-coded Credentials •
CVSS: 7.8EPSS: 13%CPEs: 26EXPL: 0CVE-2021-22965
https://notcve.org/view.php?id=CVE-2021-22965
19 Nov 2021 — A vulnerability in Pulse Connect Secure before 9.1R12.1 could allow an unauthenticated administrator to causes a denial of service when a malformed request is sent to the device. Una vulnerabilidad en Pulse Connect Secure versiones anteriores a 9.1R12.1, podría permitir a un administrador no autenticado causar una denegación de servicio cuando es enviada una petición malformada al dispositivo • https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44879/?kA13Z000000L3ZF • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.2EPSS: 9%CPEs: 13EXPL: 0CVE-2021-22937
https://notcve.org/view.php?id=CVE-2021-22937
16 Aug 2021 — A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform a file write via a maliciously crafted archive uploaded in the administrator web interface. Una vulnerabilidad en Pulse Connect Secure, versiones anteriores a 9.1R12, podría permitir a un administrador autenticado llevar a cabo una escritura de archivos por medio de un archivo malicioso cargado en la interfaz web del administrador. • https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44858/?kA23Z000000L6oySAC • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: 13EXPL: 0CVE-2021-22936
https://notcve.org/view.php?id=CVE-2021-22936
16 Aug 2021 — A vulnerability in Pulse Connect Secure before 9.1R12 could allow a threat actor to perform a cross-site script attack against an authenticated administrator via an unsanitized web parameter. Una vulnerabilidad en Pulse Connect Secure, versiones anteriores a 9.1R12, podría permitir a un actor de amenazas llevar a cabo un ataque de tipo cross-site script contra un administrador autenticado por medio de un parámetro web no digitalizado. • https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44858/?kA23Z000000L6oySAC • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 6%CPEs: 13EXPL: 0CVE-2021-22935
https://notcve.org/view.php?id=CVE-2021-22935
16 Aug 2021 — A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform command injection via an unsanitized web parameter. Una vulnerabilidad en Pulse Connect Secure, versiones anteriores a 9.1R12, podría permitir a un administrador autenticado llevar a cabo una inyección de comandos por medio de un parámetro web no saneado. • https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44858/?kA23Z000000L6oySAC • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 7.2EPSS: 4%CPEs: 13EXPL: 0CVE-2021-22934
https://notcve.org/view.php?id=CVE-2021-22934
16 Aug 2021 — A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator or compromised Pulse Connect Secure device in a load-balanced configuration to perform a buffer overflow via a malicious crafted web request. Una vulnerabilidad en Pulse Connect Secure, versiones anteriores a 9.1R12, podría permitir a un administrador autenticado o a un dispositivo Pulse Connect Secure comprometido en una configuración de carga equilibrada llevar a cabo un desbordamiento del búfer por medio de u... • https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44858/?kA23Z000000L6oySAC • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 7.2EPSS: 6%CPEs: 13EXPL: 0CVE-2021-22938
https://notcve.org/view.php?id=CVE-2021-22938
16 Aug 2021 — A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform command injection via an unsanitized web parameter in the administrator web console. Una vulnerabilidad en Pulse Connect Secure, versiones anteriores a 9.1R12, podía permitir a un administrador autenticado llevar a cabo una inyección de comandos por medio de un parámetro web no saneado en la consola web del administrador. • https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44858/?kA23Z000000L6oySAC • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 6.5EPSS: 6%CPEs: 13EXPL: 0CVE-2021-22933
https://notcve.org/view.php?id=CVE-2021-22933
16 Aug 2021 — A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform an arbitrary file delete via a maliciously crafted web request. Una vulnerabilidad en Pulse Connect Secure, versiones anteriores a 9.1R12, podría permitir a un administrador autenticado llevar a cabo una eliminación de archivos arbitraria por medio de una petición web maliciosamente diseñada. • https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44858/?kA23Z000000L6oySAC • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •