CVSS: 7.7EPSS: 0%CPEs: 59EXPL: 2CVE-2019-11538
https://notcve.org/view.php?id=CVE-2019-11538
In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1, an NFS problem could allow an authenticated attacker to access the contents of arbitrary files on the affected device. En Pulse Secure Pulse Connect Secure versiones 9.0RX anteriores a 9.0R3.4, versiones 8.3RX anteriores a 8.3R7.1, versiones 8.2RX anteriores a 8.2R12.1, y versiones 8.1RX anteriores a 8.1R15.1, un problema NFS podría permitir a un atacante autenticado acceder al contenido de archivos arbitrarios en el dispositivo afectado. • http://www.securityfocus.com/bid/108073 https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101 https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010 https://www.kb.cert.org/vuls/id/927237 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 8.1EPSS: 0%CPEs: 5EXPL: 0CVE-2019-11213
https://notcve.org/view.php?id=CVE-2019-11213
In Pulse Secure Pulse Desktop Client and Network Connect, an attacker could access session tokens to replay and spoof sessions, and as a result, gain unauthorized access as an end user, a related issue to CVE-2019-1573. (The endpoint would need to be already compromised for exploitation to succeed.) This affects Pulse Desktop Client 5.x before Secure Desktop 5.3R7 and Pulse Desktop Client 9.x before Secure Desktop 9.0R3. It also affects (for Network Connect customers) Pulse Connect Secure 8.1 before 8.1R14, 8.3 before 8.3R7, and 9.0 before 9.0R3. En Pulse Secure Pulse Desktop Client y Network Connect, un atacante podría acceder a los tokens de sesión para responder y suplantar sesiones, y , como resultado, obtener acceso no autorizado como usuario final, un problema relacionado con el identificador CVE-2019-1573. • https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44114 https://www.kb.cert.org/vuls/id/192371 • CWE-384: Session Fixation •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2018-20808
https://notcve.org/view.php?id=CVE-2018-20808
An XSS issue has been found with rd.cgi in Pulse Secure Pulse Connect Secure 8.3RX before 8.3R3 due to improper header sanitization. This is not applicable to 8.1RX. Se ha encontrado un problema de Cross-Site Scripting (XSS) con rd.cgi en Pulse Secure Pulse Connect Secure versión 8.3RX anteriores a la 8.3R3 debido al saneamiento inadecuado del encabezado. Esto no es aplicable a la versión 8.1RX. • https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA43877 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-20813
https://notcve.org/view.php?id=CVE-2018-20813
An input validation issue has been found with login_meeting.cgi in Pulse Secure Pulse Connect Secure 8.3RX before 8.3R2. Se ha encontrado un problema de validación de entradas con login_meeting.cgi en Pulse Secure Pulse Connect Secure versión 8.3RX anteriores a la 8.3R2. • https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA43877 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2018-20810
https://notcve.org/view.php?id=CVE-2018-20810
Session data between cluster nodes during cluster synchronization is not properly encrypted in Pulse Secure Pulse Connect Secure (PCS) 8.3RX before 8.3R2 and Pulse Policy Secure (PPS) 5.4RX before 5.4R2. This is not applicable to PCS 8.1RX, PPS 5.2RX, or stand-alone devices. Los datos de sesión entre nodos del clúster durante la sincronización del clúster no están cifrados correctamente en Pulse Secure Pulse Connect Secure (PCS) 8.3RX antes de 8.3R2 y Pulse Policy Secure (PPS) 5.4RX antes de 5.4R2. Esto no es aplicable a PCS 8.1RX, PPS 5.2RX o dispositivos independientes. • https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA43877 • CWE-326: Inadequate Encryption Strength •