Vulnerabilities > Pulsesecure > Pulse Connect Secure

DATE CVE VULNERABILITY TITLE RISK
2021-05-27 CVE-2021-22899 Command Injection vulnerability in multiple products
A command injection vulnerability exists in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to perform remote code execution via Windows Resource Profiles Feature
network
low complexity
pulsesecure ivanti CWE-77
8.8
8.8
2021-05-27 CVE-2021-22900 Incorrect Resource Transfer Between Spheres vulnerability in multiple products
A vulnerability allowed multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 that could lead to an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.
network
low complexity
pulsesecure ivanti CWE-669
7.2
7.2
2021-05-27 CVE-2021-22908 Classic Buffer Overflow vulnerability in multiple products
A buffer overflow vulnerability exists in Windows File Resource Profiles in 9.X allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user.
network
low complexity
pulsesecure ivanti CWE-120
8.8
8.8
2020-10-28 CVE-2020-8262 Cross-site Scripting vulnerability in multiple products
A vulnerability in the Pulse Connect Secure / Pulse Policy Secure below 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS) and Open Redirection for authenticated user web interface.
network
low complexity
pulsesecure ivanti CWE-79
6.1
6.1
2020-10-28 CVE-2020-8261 Classic Buffer Overflow vulnerability in multiple products
A vulnerability in the Pulse Connect Secure / Pulse Policy Secure < 9.1R9 is vulnerable to arbitrary cookie injection.
network
low complexity
pulsesecure ivanti CWE-120
4.3
4.3
2020-10-27 CVE-2020-15352 XXE vulnerability in multiple products
An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.
network
low complexity
pulsesecure ivanti CWE-611
7.2
7.2
2020-09-30 CVE-2020-8256 XXE vulnerability in multiple products
A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to gain arbitrary file reading access through Pulse Collaboration via XML External Entity (XXE) vulnerability.
network
low complexity
pulsesecure ivanti CWE-611
4.9
4.9
2020-09-30 CVE-2020-8243 Code Injection vulnerability in multiple products
A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to upload custom template to perform an arbitrary code execution.
network
low complexity
pulsesecure ivanti CWE-94
7.2
7.2
2020-09-30 CVE-2020-8238 Cross-site Scripting vulnerability in multiple products
A vulnerability in the authenticated user web interface of Pulse Connect Secure and Pulse Policy Secure < 9.1R8.2 could allow attackers to conduct Cross-Site Scripting (XSS).
network
low complexity
pulsesecure ivanti CWE-79
6.1
6.1
2020-07-30 CVE-2020-8222 Path Traversal vulnerability in multiple products
A path traversal vulnerability exists in Pulse Connect Secure <9.1R8 that allowed an authenticated attacker via the administrator web interface to perform an arbitrary file reading vulnerability through Meeting.
network
low complexity
pulsesecure ivanti CWE-22
6.8
6.8