Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2017-17947

A cross site scripting issue has been found in custompage.cgi in Pulse Secure Pulse Connect Secure (PCS) before 8.0R17.0, 8.1.x before 8.1R13, 8.2.x before 8.2R9, and 8.3.x before 8.3R3 and Pulse Policy Secure (PPS) before 5.2R10, 5.3.x before 5.3R9, and 5.4.x before 5.4R3 due to one of the URL parameters not being sanitized. Exploitation does require the user to be logged in as administrator; the issue is not applicable to the end user portal.

Published

2018-01-16T21:29:00.250

Last Modified

2024-11-21T03:19:02.030

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 4.8 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:S/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

6.8

Impact Score

2.9

Weaknesses

Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	pulsesecure	pulse_connect_secure	< 8.0r17.0	Yes
Application	pulsesecure	pulse_connect_secure	< 8.1r13	Yes
Application	pulsesecure	pulse_connect_secure	≤ 8.2r9	Yes
Application	pulsesecure	pulse_connect_secure	< 8.3r3	Yes

References

http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA43018 Patch, Vendor Advisory ([email protected])
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA43018 Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)