CVE-2017-11194

Published: Jul 12, 2017Modified: May 13, 2026

6.1

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

Pulse Connect Secure 8.3R1 has Reflected XSS in adminservercacertdetails.cgi. In the admin panel, the certid parameter of adminservercacertdetails.cgi is reflected in the application's response and is not properly sanitized, allowing an attacker to inject tags. An attacker could come up with clever payloads to make the system run commands such as ping, ping6, traceroute, nslookup, arp, etc.

Affected (1)

Products: Pulsesecure: Pulse Connect Secure

1 product

Pulse Connect Secure

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Pulsesecure Pulse Connect Secure	Version 8.3r1.0

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

http://www.sxcurity.pro/Multiple%20XSS%20and%20CSRF%20in%20Pulse%20Connect%20Secure%20v8.3R1.pdf

Source: cve@mitre.org

Third Party Advisory

https://twitter.com/sxcurity/status/884556905145937921

Source: cve@mitre.org

Third Party Advisory

http://www.sxcurity.pro/Multiple%20XSS%20and%20CSRF%20in%20Pulse%20Connect%20Secure%20v8.3R1.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://twitter.com/sxcurity/status/884556905145937921

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.