Vulnerabilities > Ivanti > Endpoint Manager > High

DATE CVE VULNERABILITY TITLE RISK
2024-05-31 CVE-2024-29846 SQL Injection vulnerability in Ivanti Endpoint Manager
An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code.
low complexity
ivanti CWE-89
8.0
2024-01-09 CVE-2023-39336 SQL Injection vulnerability in Ivanti Endpoint Manager
An unspecified SQL Injection vulnerability in Ivanti Endpoint Manager released prior to 2022 SU 5 allows an attacker with access to the internal network to execute arbitrary SQL queries and retrieve output without the need for authentication.
low complexity
ivanti CWE-89
8.8
2023-09-21 CVE-2023-38343 XXE vulnerability in Ivanti Endpoint Manager
An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4.
network
low complexity
ivanti CWE-611
7.5
2023-07-21 CVE-2023-35077 Out-of-bounds Write vulnerability in Ivanti Endpoint Manager
An out-of-bounds write vulnerability on windows operating systems causes the Ivanti AntiVirus Product to crash.
network
low complexity
ivanti CWE-787
7.5
2022-12-05 CVE-2022-35259 XML Injection (aka Blind XPath Injection) vulnerability in Ivanti Endpoint Manager
XML Injection with Endpoint Manager 2022.
local
low complexity
ivanti CWE-91
7.8
2020-11-16 CVE-2020-13769 SQL Injection vulnerability in Ivanti Endpoint Manager
LDMS/alert_log.aspx in Ivanti Endpoint Manager through 2020.1 allows SQL Injection via a /remotecontrolauth/api/device request.
network
low complexity
ivanti CWE-89
8.8
2020-11-12 CVE-2020-13771 Uncontrolled Search Path Element vulnerability in Ivanti Endpoint Manager
Various components in Ivanti Endpoint Manager through 2020.1.1 rely on Windows search order when loading a (nonexistent) library file, allowing (under certain conditions) one to gain code execution (and elevation of privileges to the level of privilege held by the vulnerable component such as NT AUTHORITY\SYSTEM) via DLL hijacking.
local
low complexity
ivanti CWE-427
7.8
2020-11-12 CVE-2020-13770 Incorrect Default Permissions vulnerability in Ivanti Endpoint Manager
Several services are accessing named pipes in Ivanti Endpoint Manager through 2020.1.1 with default or overly permissive security attributes; as these services run as user ‘NT AUTHORITY\SYSTEM’, the issue can be used to escalate privileges from a local standard or service account having SeImpersonatePrivilege (eg.
local
low complexity
ivanti CWE-276
7.8
2017-12-11 CVE-2017-11463 Permission Issues vulnerability in Ivanti Endpoint Manager 2016.4/2017.1/2017.3
In Ivanti Service Desk (formerly LANDESK Management Suite) versions between 2016.3 and 2017.3, an Unrestricted Direct Object Reference leads to referencing/updating objects belonging to other users.
network
low complexity
ivanti CWE-275
8.8