Vulnerabilities > Ivanti > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-05-27 | CVE-2021-22894 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products A buffer overflow vulnerability exists in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to execute arbitrary code as the root user via maliciously crafted meeting room. | 8.8 |
| 2021-05-27 | CVE-2021-22899 | Command Injection vulnerability in multiple products A command injection vulnerability exists in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to perform remote code execution via Windows Resource Profiles Feature | 8.8 |
| 2021-05-27 | CVE-2021-22900 | Incorrect Resource Transfer Between Spheres vulnerability in multiple products A vulnerability allowed multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 that could lead to an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface. | 7.2 |
| 2021-05-27 | CVE-2021-22908 | Classic Buffer Overflow vulnerability in multiple products A buffer overflow vulnerability exists in Windows File Resource Profiles in 9.X allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user. | 8.8 |
| 2020-11-12 | CVE-2020-13770 | Incorrect Default Permissions vulnerability in Ivanti Endpoint Manager Several services are accessing named pipes in Ivanti Endpoint Manager through 2020.1.1 with default or overly permissive security attributes; as these services run as user ‘NT AUTHORITY\SYSTEM’, the issue can be used to escalate privileges from a local standard or service account having SeImpersonatePrivilege (eg. | 7.2 |
| 2020-10-27 | CVE-2020-15352 | XXE vulnerability in multiple products An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. | 7.2 |
| 2020-09-30 | CVE-2020-8243 | Code Injection vulnerability in multiple products A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to upload custom template to perform an arbitrary code execution. | 7.2 |
| 2020-08-06 | CVE-2020-13793 | Use of Hard-coded Credentials vulnerability in Ivanti DSM Netinst 5.1 Unsafe storage of AD credentials in Ivanti DSM netinst 5.1 due to a static, hard-coded encryption key. | 7.5 |
| 2020-07-30 | CVE-2020-8219 | Incorrect Default Permissions vulnerability in multiple products An insufficient permission check vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to change the password of a full administrator. | 7.2 |
| 2020-07-30 | CVE-2020-8218 | Code Injection vulnerability in multiple products A code injection vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to crafted a URI to perform an arbitrary code execution via the admin web interface. | 7.2 |