Vulnerabilities > Ivanti

DATE CVE VULNERABILITY TITLE RISK
2024-12-10 CVE-2024-11634 Command Injection vulnerability in Ivanti Connect Secure 22.7/7.1/7.4
Command injection in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
network
low complexity
ivanti CWE-77
7.2
2024-12-10 CVE-2024-11639 Missing Authentication for Critical Function vulnerability in Ivanti Cloud Services Appliance 4.5/4.6/5.0
An authentication bypass in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access
network
low complexity
ivanti CWE-306
critical
9.8
2024-12-10 CVE-2024-11772 Command Injection vulnerability in Ivanti Cloud Services Appliance 4.5/4.6/5.0
Command injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
network
low complexity
ivanti CWE-77
7.2
2024-12-10 CVE-2024-11773 SQL Injection vulnerability in Ivanti Cloud Services Appliance 4.5/4.6/5.0
SQL injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.
network
low complexity
ivanti CWE-89
7.2
2024-12-10 CVE-2024-9844 Unspecified vulnerability in Ivanti Connect Secure
Insufficient server-side controls in Secure Application Manager of Ivanti Connect Secure before version 22.7R2.4 allows a remote authenticated attacker to bypass restrictions.
network
low complexity
ivanti
8.8
2024-11-13 CVE-2024-29211 Race Condition vulnerability in Ivanti Secure Access Client
A race condition in Ivanti Secure Access Client before version 22.7R4 allows a local authenticated attacker to modify sensitive configuration files.
local
high complexity
ivanti CWE-362
4.7
2024-11-13 CVE-2024-37398 Unspecified vulnerability in Ivanti Secure Access Client
Insufficient validation in Ivanti Secure Access Client before 22.7R4 allows a local authenticated attacker to escalate their privileges.
local
low complexity
ivanti
7.8
2024-11-12 CVE-2024-11004 Cross-site Scripting vulnerability in Ivanti Connect Secure 22.7/7.1/7.4
Reflected XSS in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote unauthenticated attacker to obtain admin privileges.
network
low complexity
ivanti CWE-79
6.1
2024-11-12 CVE-2024-11005 OS Command Injection vulnerability in Ivanti Connect Secure and Policy Secure
Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve remote code execution.
network
low complexity
ivanti CWE-78
7.2
2024-11-12 CVE-2024-11006 OS Command Injection vulnerability in Ivanti Connect Secure and Policy Secure
Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve remote code execution.
network
low complexity
ivanti CWE-78
7.2