Vulnerabilities > Ivanti
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-12-05 | CVE-2022-35259 | XML Injection (aka Blind XPath Injection) vulnerability in Ivanti Endpoint Manager XML Injection with Endpoint Manager 2022. | 7.8 |
| 2022-09-30 | CVE-2022-21826 | HTTP Request Smuggling vulnerability in multiple products Pulse Secure version 9.115 and below may be susceptible to client-side http request smuggling, When the application receives a POST request, it ignores the request's Content-Length header and leaves the POST body on the TCP/TLS socket. | 5.4 |
| 2022-09-23 | CVE-2022-30121 | Unspecified vulnerability in Ivanti Endpoint Manager The “LANDesk(R) Management Agent” service exposes a socket and once connected, it is possible to launch commands only for signed executables. | 6.7 |
| 2022-08-12 | CVE-2021-44720 | Use of Hard-coded Credentials vulnerability in multiple products In Ivanti Pulse Secure Pulse Connect Secure (PCS) before 9.1R12, the administrator password is stored in the HTML source code of the "Maintenance > Push Configuration > Targets > Target Name" targets.cgi screen. | 7.2 |
| 2022-04-11 | CVE-2022-22571 | Cross-site Scripting vulnerability in Ivanti Incapptic Connect An authenticated high privileged user can perform a stored XSS attack due to incorrect output encoding in Incapptic connect and affects all current versions. | 4.8 |
| 2022-04-11 | CVE-2022-22572 | Unspecified vulnerability in Ivanti Incapptic Connect A non-admin user with user management permission can escalate his privilege to admin user via password reset functionality. | 8.8 |
| 2022-04-11 | CVE-2022-27088 | Unquoted Search Path or Element vulnerability in Ivanti DSM Remote Ivanti DSM Remote <= 6.3.1.1862 is vulnerable to an unquoted service path allowing local users to launch processes with elevated privileges. | 7.8 |
| 2022-04-06 | CVE-2021-30497 | Path Traversal vulnerability in Ivanti Avalanche 6.3.2 Ivanti Avalanche (Premise) 6.3.2 allows remote unauthenticated users to read arbitrary files via Absolute Path Traversal. | 7.5 |
| 2022-03-04 | CVE-2022-21828 | Unspecified vulnerability in Ivanti Incapptic Connect A user with high privilege access to the Incapptic Connect web console can remotely execute code on the Incapptic Connect server using a unspecified attack vector in Incapptic Connect version 1.40.0, 1.39.1, 1.39.0, 1.38.1, 1.38.0, 1.37.1, 1.37.0, 1.36.0, 1.35.5, 1.35.4 and 1.35.3. | 7.2 |
| 2022-02-01 | CVE-2021-38560 | Cross-site Scripting vulnerability in Ivanti Service Manager 2021.1 Ivanti Service Manager 2021.1 allows reflected XSS via the appName parameter associated with ConfigDB calls, such as in RelocateAttachments.aspx. | 6.1 |