Vulnerabilities > Ivanti > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-09-30 | CVE-2022-21826 | HTTP Request Smuggling vulnerability in multiple products: Pulse Secure version 9.115 and below may be susceptible to client-side HTTP request smuggling. When the application receives a POST request, it ignores the request's Content-Length header and leaves the POST body on the TCP/TLS socket. | 5.4 |
2022-09-23 | CVE-2022-30121 | Unspecified vulnerability in Ivanti Endpoint Manager: The “LANDesk(R) Management Agent” service exposes a socket and once connected, it is possible to launch commands only for signed executables. | 6.7 |
2022-04-11 | CVE-2022-22571 | Cross-site Scripting vulnerability in Ivanti Incapptic Connect: An authenticated, highly privileged user can perform a stored XSS attack due to incorrect output encoding in Incapptic Connect; this affects all current versions. | 4.8 |
2022-02-01 | CVE-2021-38560 | Cross-site Scripting vulnerability in Ivanti Service Manager 2021.1: Ivanti Service Manager 2021.1 allows reflected XSS via the appName parameter associated with ConfigDB calls, such as in RelocateAttachments.aspx. | 6.1 |
2022-01-10 | CVE-2022-21823 | Insecure Storage of Sensitive Information vulnerability in Ivanti Workspace Control: An insecure storage of sensitive information vulnerability exists in Ivanti Workspace Control <2021.2 (10.7.30.0) that could allow an attacker with locally authenticated low privileges to obtain key information due to an unspecified attack vector. | 5.5 |
2021-08-16 | CVE-2021-22933 | Path Traversal vulnerability in multiple products: A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform an arbitrary file delete via a maliciously crafted web request. | 6.5 |
2021-08-16 | CVE-2021-22936 | Cross-site Scripting vulnerability in multiple products: A vulnerability in Pulse Connect Secure before 9.1R12 could allow a threat actor to perform a cross-site script attack against an authenticated administrator via an unsanitized web parameter. | 6.1 |
2020-11-16 | CVE-2020-13773 | Cross-site Scripting vulnerability in Ivanti Endpoint Manager: Ivanti Endpoint Manager through 2020.1.1 allows XSS via /LDMS/frm_splitfrm.aspx, /LDMS/licensecheck.aspx, /LDMS/frm_splitcollapse.aspx, /LDMS/alert_log.aspx, /LDMS/ServerList.aspx, /LDMS/frm_coremainfrm.aspx, /LDMS/frm_findfrm.aspx, /LDMS/frm_taskfrm.aspx, and /LDMS/query_browsecomp.aspx. | 5.4 |
2020-11-16 | CVE-2020-13772 | Unspecified vulnerability in Ivanti Endpoint Manager: In /ldclient/ldprov.cgi in Ivanti Endpoint Manager through 2020.1.1, an attacker is able to disclose information about the server operating system, local pathnames, and environment variables with no authentication required. | 5.3 |
2020-10-28 | CVE-2020-8262 | Cross-site Scripting vulnerability in multiple products: A vulnerability in Pulse Connect Secure / Pulse Policy Secure below 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS) and Open Redirection for the authenticated user web interface. | 6.1 |