Filtered by vendor Ivanti
Subscribe
Total
205 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-44569 | 1 Ivanti | 1 Automation | 2023-12-10 | N/A | 7.8 HIGH |
A locally authenticated attacker with low privileges can bypass authentication due to insecure inter-process communication. | |||||
CVE-2023-38035 | 1 Ivanti | 1 Mobileiron Sentry | 2023-12-10 | N/A | 9.8 CRITICAL |
A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration. | |||||
CVE-2023-41725 | 1 Ivanti | 1 Avalanche | 2023-12-10 | N/A | 7.8 HIGH |
Ivanti Avalanche EnterpriseServer Service Unrestricted File Upload Local Privilege Escalation Vulnerability | |||||
CVE-2023-35081 | 1 Ivanti | 1 Endpoint Manager Mobile | 2023-12-10 | N/A | 7.2 HIGH |
A path traversal vulnerability in Ivanti EPMM versions (11.10.x < 11.10.0.3, 11.9.x < 11.9.1.2 and 11.8.x < 11.8.1.2) allows an authenticated administrator to write arbitrary files onto the appliance. | |||||
CVE-2023-32561 | 1 Ivanti | 1 Avalanche | 2023-12-10 | N/A | 7.5 HIGH |
A previously generated artifact by an administrator could be accessed by an attacker. The contents of this artifact could lead to authentication bypass. Fixed in version 6.4.1. | |||||
CVE-2023-38344 | 1 Ivanti | 1 Endpoint Manager | 2023-12-10 | N/A | 6.5 MEDIUM |
An issue was discovered in Ivanti Endpoint Manager before 2022 SU4. A file disclosure vulnerability exists in the GetFileContents SOAP action exposed via /landesk/managementsuite/core/core.secure/OsdScript.asmx. The application does not sufficiently restrict user-supplied paths, allowing for an authenticated attacker to read arbitrary files from a remote system, including the private key used to authenticate to agents for remote access. | |||||
CVE-2023-32566 | 1 Ivanti | 1 Avalanche | 2023-12-10 | N/A | 9.1 CRITICAL |
An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack. Fixed in version 6.4.1. | |||||
CVE-2023-35077 | 2 Ivanti, Microsoft | 2 Endpoint Manager, Windows | 2023-12-10 | N/A | 7.5 HIGH |
An out-of-bounds write vulnerability on windows operating systems causes the Ivanti AntiVirus Product to crash. Update to Ivanti AV Product version 7.9.1.285 or above. | |||||
CVE-2023-38343 | 1 Ivanti | 1 Endpoint Manager | 2023-12-10 | N/A | 7.5 HIGH |
An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. External entity references are enabled in the XML parser configuration. Exploitation of this vulnerability can lead to file disclosure or Server Side Request Forgery. | |||||
CVE-2023-32562 | 1 Ivanti | 1 Avalanche | 2023-12-10 | N/A | 9.8 CRITICAL |
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve a remove code execution. Fixed in version 6.4.1. | |||||
CVE-2023-32567 | 1 Ivanti | 1 Avalanche | 2023-12-10 | N/A | 9.8 CRITICAL |
Ivanti Avalanche decodeToMap XML External Entity Processing. Fixed in version 6.4.1.236 | |||||
CVE-2023-32563 | 1 Ivanti | 1 Avalanche | 2023-12-10 | N/A | 9.8 CRITICAL |
An unauthenticated attacker could achieve the code execution through a RemoteControl server. | |||||
CVE-2022-36976 | 1 Ivanti | 1 Avalanche | 2023-12-10 | N/A | 9.8 CRITICAL |
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the GroupDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15333. | |||||
CVE-2022-36983 | 1 Ivanti | 1 Avalanche | 2023-12-10 | N/A | 9.8 CRITICAL |
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetSettings class. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15919. | |||||
CVE-2022-36981 | 1 Ivanti | 1 Avalanche | 2023-12-10 | N/A | 9.8 CRITICAL |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.3.101. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the DeviceLogResource class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15966. | |||||
CVE-2022-36979 | 1 Ivanti | 1 Avalanche | 2023-12-10 | N/A | 9.8 CRITICAL |
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the AvalancheDaoSupport class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15493. | |||||
CVE-2022-36972 | 1 Ivanti | 1 Avalanche | 2023-12-10 | N/A | 9.8 CRITICAL |
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15328. | |||||
CVE-2023-28128 | 1 Ivanti | 1 Avalanche | 2023-12-10 | N/A | 7.2 HIGH |
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve a remove code execution. | |||||
CVE-2022-36973 | 1 Ivanti | 1 Avalanche | 2023-12-10 | N/A | 8.8 HIGH |
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15329. | |||||
CVE-2022-36975 | 1 Ivanti | 1 Avalanche | 2023-12-10 | N/A | 9.8 CRITICAL |
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15332. |