CVE-2020-8243

Published: Sep 30, 2020Modified: Dec 18, 2025CISA KEV

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to upload custom template to perform an arbitrary code execution.

Affected (28)

Products: Ivanti: Connect Secure, Policy Secure

Ivanti

2 products

Connect Secure

Policy Secure

Configuration A

28 vulnerable

Vulnerable Software	Affected Versions
Ivanti Connect Secure	Up to 9.0
Ivanti Connect Secure	Version 9.1
Ivanti Connect Secure	Version 9.1 r1
Ivanti Connect Secure	Version 9.1 r2
Ivanti Connect Secure	Version 9.1 r3
Ivanti Connect Secure	Version 9.1 r4.1
Ivanti Connect Secure	Version 9.1 r4.2
Ivanti Connect Secure	Version 9.1 r4.3
Ivanti Connect Secure	Version 9.1 r4
Ivanti Connect Secure	Version 9.1 r5
Ivanti Connect Secure	Version 9.1 r6
Ivanti Connect Secure	Version 9.1 r7
Ivanti Connect Secure	Version 9.1 r8.1
Ivanti Connect Secure	Version 9.1 r8
Ivanti Policy Secure	Up to 9.0
Ivanti Policy Secure	Version 9.1
Ivanti Policy Secure	Version 9.1 r1
Ivanti Policy Secure	Version 9.1 r2
Ivanti Policy Secure	Version 9.1 r3
Ivanti Policy Secure	Version 9.1 r4.1
Ivanti Policy Secure	Version 9.1 r4.2
Ivanti Policy Secure	Version 9.1 r4.3
Ivanti Policy Secure	Version 9.1 r4
Ivanti Policy Secure	Version 9.1 r5
Ivanti Policy Secure	Version 9.1 r6
Ivanti Policy Secure	Version 9.1 r7
Ivanti Policy Secure	Version 9.1 r8.1
Ivanti Policy Secure	Version 9.1 r8

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (3)

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588

Source: support@hackerone.com

Vendor Advisory

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-8243

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

US Government Resource

Timeline

No history available yet.