Avalanche

avalanche

Vendor: Ivanti • 117 CVEs

CVEs (117)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-36972 1Ivanti 1Avalanche Nov 21, 2024 Mar 29, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execut...Show more This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15328.Show less
CVE-2022-36971 1Ivanti 1Avalanche Nov 21, 2024 Mar 29, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authenticatio...Show more This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the JwtTokenUtility class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15301.Show less
CVE-2022-44574 1Ivanti 1Avalanche Nov 21, 2024 Mar 10, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 An improper authentication vulnerability exists in Avalanche version 6.3.x and below allows unauthenticated attacker to modify properties on specific port.
CVE-2021-30497 1Ivanti 1Avalanche Nov 21, 2024 Apr 6, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Ivanti Avalanche (Premise) 6.3.2 allows remote unauthenticated users to read arbitrary files via Absolute Path Traversal. The imageFilePath parameter processed by the /AvalancheWeb/image endpoint is not verified to be wi...Show more Ivanti Avalanche (Premise) 6.3.2 allows remote unauthenticated users to read arbitrary files via Absolute Path Traversal. The imageFilePath parameter processed by the /AvalancheWeb/image endpoint is not verified to be within the scope of the image folder, e.g., the attacker can obtain sensitive information via the C:/Windows/system32/config/system.sav value.Show less
CVE-2021-42133 1Ivanti 1Avalanche Nov 21, 2024 Dec 7, 2021 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform an arbitrary file write.
CVE-2021-42132 1Ivanti 1Avalanche Nov 21, 2024 Dec 7, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A command Injection vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary command execution.
CVE-2021-42131 1Ivanti 1Avalanche Nov 21, 2024 Dec 7, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A SQL Injection vulnerability exists in Ivanti Avalance before 6.3.3 allows an attacker with access to the Inforail Service to perform privilege escalation.
CVE-2021-42130 1Ivanti 1Avalanche Nov 21, 2024 Dec 7, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary code execution.
CVE-2021-42129 1Ivanti 1Avalanche Nov 21, 2024 Dec 7, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A command injection vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary command execution.
CVE-2021-42128 1Ivanti 1Avalanche Nov 21, 2024 Dec 7, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 using inforail Service allows Privilege Escalation via Enterprise Server Service.
CVE-2021-42127 1Ivanti 1Avalanche Nov 21, 2024 Dec 7, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 using Inforail Service allows arbitrary code execution via Data Repository Service.
CVE-2021-42126 1Ivanti 1Avalanche Nov 21, 2024 Dec 7, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An improper authorization control vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform privilege escalation.
CVE-2021-42125 1Ivanti 1Avalanche Nov 21, 2024 Dec 7, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An unrestricted file upload vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to write dangerous files.
CVE-2021-42124 1Ivanti 1Avalanche Nov 21, 2024 Dec 7, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An improper access control vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform a session takeover.
CVE-2020-12442 1Ivanti 1Avalanche Nov 21, 2024 Apr 28, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Ivanti Avalanche 6.3 allows a SQL injection that is vaguely associated with the Apache HTTP Server, aka Bug 683250.
CVE-2018-8902 1Ivanti 1Avalanche Nov 21, 2024 Jun 29, 2018 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 An issue was discovered in Ivanti Avalanche for all versions between 5.3 and 6.2. The impacted products used a single shared key encryption model to encrypt data. A user with access to system databases can use the discov...Show more An issue was discovered in Ivanti Avalanche for all versions between 5.3 and 6.2. The impacted products used a single shared key encryption model to encrypt data. A user with access to system databases can use the discovered key to access potentially confidential stored data, which may include Wi-Fi passwords. This discovered key can be used for all instances of the product.Show less
CVE-2018-8901 1Ivanti 1Avalanche Nov 21, 2024 Jun 29, 2018 N/A· v4 7.8 HIGH· v3 2.1 LOW· v2 An issue was discovered in Ivanti Avalanche for all versions between 5.3 and 6.2. A local user with database access privileges can read the encrypted passwords for users who authenticate via LDAP to Avalanche services. T...Show more An issue was discovered in Ivanti Avalanche for all versions between 5.3 and 6.2. A local user with database access privileges can read the encrypted passwords for users who authenticate via LDAP to Avalanche services. These passwords are stored in the Avalanche databases. This issue only affects customers who have enabled LDAP authentication in their configuration.Show less

Previous 1 2 3 4 56