Filtered by vendor Ivanti
Subscribe
Total
323 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-13772 | 1 Ivanti | 1 Endpoint Manager | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| In /ldclient/ldprov.cgi in Ivanti Endpoint Manager through 2020.1.1, an attacker is able to disclose information about the server operating system, local pathnames, and environment variables with no authentication required. | |||||
| CVE-2020-13771 | 1 Ivanti | 1 Endpoint Manager | 2024-11-21 | 6.9 MEDIUM | 7.8 HIGH |
| Various components in Ivanti Endpoint Manager through 2020.1.1 rely on Windows search order when loading a (nonexistent) library file, allowing (under certain conditions) one to gain code execution (and elevation of privileges to the level of privilege held by the vulnerable component such as NT AUTHORITY\SYSTEM) via DLL hijacking. This affects ldiscn32.exe, IpmiRedirectionService.exe, LDAPWhoAmI.exe, and ldprofile.exe. | |||||
| CVE-2020-13770 | 1 Ivanti | 1 Endpoint Manager | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| Several services are accessing named pipes in Ivanti Endpoint Manager through 2020.1.1 with default or overly permissive security attributes; as these services run as user ‘NT AUTHORITY\SYSTEM’, the issue can be used to escalate privileges from a local standard or service account having SeImpersonatePrivilege (eg. user ‘NT AUTHORITY\NETWORK SERVICE’). | |||||
| CVE-2020-13769 | 1 Ivanti | 1 Endpoint Manager | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| LDMS/alert_log.aspx in Ivanti Endpoint Manager through 2020.1 allows SQL Injection via a /remotecontrolauth/api/device request. | |||||
| CVE-2020-12880 | 2 Ivanti, Pulsesecure | 4 Connect Secure, Policy Secure, Pulse Connect Secure and 1 more | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in Pulse Policy Secure (PPS) and Pulse Connect Secure (PCS) Virtual Appliance before 9.1R8. By manipulating a certain kernel boot parameter, it can be tricked into dropping into a root shell in a pre-install phase where the entire source code of the appliance is available and can be retrieved. (The source code is otherwise inaccessible because the appliance has its hard disks encrypted, and no root shell is available during normal operation.) | |||||
| CVE-2020-12442 | 1 Ivanti | 1 Avalanche | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Ivanti Avalanche 6.3 allows a SQL injection that is vaguely associated with the Apache HTTP Server, aka Bug 683250. | |||||
| CVE-2020-12441 | 1 Ivanti | 2 Desktop\&server Management, Service Manager Heat Remote Control | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Denial-of-Service (DoS) in Ivanti Service Manager HEAT Remote Control 7.4 due to a buffer overflow in the protocol parser of the ‘HEATRemoteService’ agent. The DoS can be triggered by sending a specially crafted network packet. | |||||
| CVE-2020-11533 | 1 Ivanti | 1 Workspace Control | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| Ivanti Workspace Control before 10.4.30.0, when SCCM integration is enabled, allows local users to obtain sensitive information (keying material). | |||||
| CVE-2019-19675 | 1 Ivanti | 1 Workspace Control | 2024-11-21 | 4.4 MEDIUM | 7.8 HIGH |
| In Ivanti Workspace Control before 10.3.180.0. a locally authenticated user with low privileges can bypass Managed Application Security by leveraging an unspecified attack vector in Workspace Preferences, when it is enabled. As a result, the attacker can start applications that should be blocked. | |||||
| CVE-2019-19138 | 1 Ivanti | 1 Workspace Control | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Ivanti Workspace Control before 10.4.50.0 allows attackers to degrade integrity. | |||||
| CVE-2019-17066 | 1 Ivanti | 1 Workspace Control | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| In Ivanti WorkSpace Control before 10.4.40.0, a user can elevate rights on the system by hijacking certain user registries. This is possible because pwrgrid.exe first checks the Current User registry hives (HKCU) when starting an application with elevated rights. | |||||
| CVE-2019-16382 | 1 Ivanti | 1 Workspace Control | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Ivanti Workspace Control 10.3.110.0. One is able to bypass Ivanti's FileGuard folder protection by renaming the WMTemp work folder used by PowerGrid. A malicious PowerGrid XML file can then be created, after which the folder is renamed back to its original value. Also, CVE-2018-15591 exploitation can consequently be achieved by using PowerGrid with the /SEE parameter to execute the arbitrary command specified in the XML file. | |||||
| CVE-2019-12377 | 1 Ivanti | 1 Landesk Management Suite | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerable upl/async_upload.asp web API endpoint in Ivanti LANDESK Management Suite (LDMS, aka Endpoint Manager) 10.0.1.168 Service Update 5 allows arbitrary file upload, which may lead to arbitrary remote code execution. | |||||
| CVE-2019-12376 | 1 Ivanti | 1 Landesk Management Suite | 2024-11-21 | 2.7 LOW | 4.5 MEDIUM |
| Use of a hard-coded encryption key in Ivanti LANDESK Management Suite (LDMS, aka Endpoint Manager) 10.0.1.168 Service Update 5 may lead to full managed endpoint compromise by an authenticated user with read privileges. | |||||
| CVE-2019-12375 | 1 Ivanti | 1 Landesk Management Suite | 2024-11-21 | 4.1 MEDIUM | 6.3 MEDIUM |
| Open directories in Ivanti LANDESK Management Suite (LDMS, aka Endpoint Manager) 10.0.1.168 Service Update 5 may lead to remote information disclosure and arbitrary code execution. | |||||
| CVE-2019-12374 | 1 Ivanti | 1 Landesk Management Suite | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| A SQL Injection vulnerability exists in Ivanti LANDESK Management Suite (LDMS, aka Endpoint Manager) 10.0.1.168 Service Update 5 due to improper username sanitization in the Basic Authentication implementation in core/provisioning.secure/ProvisioningSecure.asmx in Provisioning.Secure.dll. | |||||
| CVE-2019-12373 | 1 Ivanti | 1 Landesk Management Suite | 2024-11-21 | 2.7 LOW | 9.0 CRITICAL |
| Improper access control and open directories in Ivanti LANDESK Management Suite (LDMS, aka Endpoint Manager) 10.0.1.168 Service Update 5 may lead to remote disclosure of administrator passwords. | |||||
| CVE-2019-11543 | 2 Ivanti, Pulsesecure | 3 Connect Secure, Pulse Connect Secure, Pulse Policy Secure | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| XSS exists in the admin web console in Pulse Secure Pulse Connect Secure (PCS) 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, and 5.2RX before 5.2R12.1. | |||||
| CVE-2019-11542 | 2 Ivanti, Pulsesecure | 3 Connect Secure, Pulse Connect Secure, Pulse Policy Secure | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, an authenticated attacker (via the admin web interface) can send a specially crafted message resulting in a stack buffer overflow. | |||||
| CVE-2019-11541 | 2 Ivanti, Pulsesecure | 2 Connect Secure, Pulse Connect Secure | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, and 8.2RX before 8.2R12.1, users using SAML authentication with the Reuse Existing NC (Pulse) Session option may see authentication leaks. | |||||