An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.
2020-10-27T05:15:12.787
2024-11-21T05:05:23.800
Modified
CVSSv3.1: 7.2 (HIGH)
AV:N/AC:L/Au:S/C:P/I:P/A:P
8.0
6.4
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | ivanti | connect_secure | 9.1 | Yes |
| Application | ivanti | connect_secure | 9.1 | Yes |
| Application | ivanti | connect_secure | 9.1 | Yes |
| Application | ivanti | connect_secure | 9.1 | Yes |
| Application | ivanti | connect_secure | 9.1 | Yes |
| Application | ivanti | connect_secure | 9.1 | Yes |
| Application | ivanti | connect_secure | 9.1 | Yes |
| Application | ivanti | connect_secure | 9.1 | Yes |
| Application | ivanti | connect_secure | 9.1 | Yes |
| Application | ivanti | connect_secure | 9.1 | Yes |
| Application | ivanti | connect_secure | 9.1 | Yes |
| Application | ivanti | connect_secure | 9.1 | Yes |
| Application | ivanti | connect_secure | 9.1 | Yes |
| Application | ivanti | connect_secure | 9.1 | Yes |
| Application | pulsesecure | pulse_connect_secure | ≤ 9.0 | Yes |
| Application | ivanti | policy_secure | 9.1 | Yes |
| Application | ivanti | policy_secure | 9.1 | Yes |
| Application | ivanti | policy_secure | 9.1 | Yes |
| Application | ivanti | policy_secure | 9.1 | Yes |
| Application | ivanti | policy_secure | 9.1 | Yes |
| Application | ivanti | policy_secure | 9.1 | Yes |
| Application | ivanti | policy_secure | 9.1 | Yes |
| Application | ivanti | policy_secure | 9.1 | Yes |
| Application | ivanti | policy_secure | 9.1 | Yes |
| Application | ivanti | policy_secure | 9.1 | Yes |
| Application | ivanti | policy_secure | 9.1 | Yes |
| Application | pulsesecure | pulse_policy_secure | ≤ 9.0 | Yes |