CVE-2021-22936

Published: Aug 16, 2021Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

A vulnerability in Pulse Connect Secure before 9.1R12 could allow a threat actor to perform a cross-site script attack against an authenticated administrator via an unsanitized web parameter.

Affected (13)

Products: Ivanti: Connect Secure · Pulsesecure: Pulse Connect Secure

1 product

1 product

Configuration A

13 vulnerable

Vulnerable Software	Affected Versions
Ivanti Connect Secure	Version 9.1
Ivanti Connect Secure	Version 9.1 r1.0
Ivanti Connect Secure	Version 9.1 r10.0
Ivanti Connect Secure	Version 9.1 r11.0
Ivanti Connect Secure	Version 9.1 r2.0
Ivanti Connect Secure	Version 9.1 r3.0
Ivanti Connect Secure	Version 9.1 r4.0
Ivanti Connect Secure	Version 9.1 r5.0
Ivanti Connect Secure	Version 9.1 r6.0
Ivanti Connect Secure	Version 9.1 r7.0
Ivanti Connect Secure	Version 9.1 r8.0
Ivanti Connect Secure	Version 9.1 r9.0
Pulsesecure Pulse Connect Secure	Before 9.1

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44858/?kA23Z000000L6oySAC

Source: support@hackerone.com

Vendor Advisory

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44858/?kA23Z000000L6oySAC

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.