Vulnerabilities > Ivanti
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-10-25 | CVE-2023-38041 | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Ivanti Secure Access Client 22.2/22.3/22.5 A logged in user may elevate its permissions by abusing a Time-of-Check to Time-of-Use (TOCTOU) race condition. | 7.0 |
| 2023-10-18 | CVE-2023-35083 | Unspecified vulnerability in Ivanti Endpoint Manager Allows an authenticated attacker with network access to read arbitrary files on Endpoint Manager recently discovered on 2022 SU3 and all previous versions potentially leading to the leakage of sensitive information. | 6.5 |
| 2023-10-18 | CVE-2023-35084 | Deserialization of Untrusted Data vulnerability in Ivanti Endpoint Manager Unsafe Deserialization of User Input could lead to Execution of Unauthorized Operations in Ivanti Endpoint Manager 2022 su3 and all previous versions, which could allow an attacker to execute commands remotely. | 9.8 |
| 2023-09-21 | CVE-2023-38343 | XXE vulnerability in Ivanti Endpoint Manager An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. | 7.5 |
| 2023-09-21 | CVE-2023-38344 | Unspecified vulnerability in Ivanti Endpoint Manager An issue was discovered in Ivanti Endpoint Manager before 2022 SU4. | 6.5 |
| 2023-08-21 | CVE-2023-38035 | Incorrect Authorization vulnerability in Ivanti Mobileiron Sentry A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration. | 9.8 |
| 2023-08-15 | CVE-2023-35082 | Improper Authentication vulnerability in Ivanti Endpoint Manager Mobile An authentication bypass vulnerability in Ivanti EPMM 11.10 and older, allows unauthorized users to access restricted functionality or resources of the application without proper authentication. | 9.8 |
| 2023-08-10 | CVE-2023-28129 | Unspecified vulnerability in Ivanti Desktop & Server Management 2022.2 DSM 2022.2 SU2 and all prior versions allows a local low privileged account to execute arbitrary OS commands as the DSM software installation user. | 7.8 |
| 2023-08-10 | CVE-2023-32560 | Out-of-bounds Write vulnerability in Ivanti Avalanche An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in service disruption or arbitrary code execution. Thanks to a Researcher at Tenable for finding and reporting. Fixed in version 6.4.1. | 9.8 |
| 2023-08-10 | CVE-2023-32561 | Unspecified vulnerability in Ivanti Avalanche A previously generated artifact by an administrator could be accessed by an attacker. | 7.5 |