Search
Find a vulnerability
Search criteria
62 vulnerabilities found for pulse_policy_secure by pulsesecure
CVE-2020-8262 (GCVE-0-2020-8262)
Vulnerability from nvd – Published: 2020-10-28 12:47 – Updated: 2024-08-04 09:56
VLAI
Summary
A vulnerability in the Pulse Connect Secure / Pulse Policy Secure below 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS) and Open Redirection for authenticated user web interface.
Severity
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS) - Reflected (CWE-79)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Pulse Connect Secure / Pulse Policy Secure |
Affected:
Fixed in 9.1R9
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:28.075Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pulse Connect Secure / Pulse Policy Secure",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 9.1R9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the Pulse Connect Secure / Pulse Policy Secure below 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS) and Open Redirection for authenticated user web interface."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (XSS) - Reflected (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-28T12:47:55.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8262",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pulse Connect Secure / Pulse Policy Secure",
"version": {
"version_data": [
{
"version_value": "Fixed in 9.1R9"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in the Pulse Connect Secure / Pulse Policy Secure below 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS) and Open Redirection for authenticated user web interface."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Reflected (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601",
"refsource": "MISC",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8262",
"datePublished": "2020-10-28T12:47:55.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:28.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8261 (GCVE-0-2020-8261)
Vulnerability from nvd – Published: 2020-10-28 12:47 – Updated: 2024-08-04 09:56
VLAI
Summary
A vulnerability in the Pulse Connect Secure / Pulse Policy Secure < 9.1R9 is vulnerable to arbitrary cookie injection.
Severity
No CVSS data available.
CWE
- CWE-120 - Classic Buffer Overflow (CWE-120)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Pulse Connect Secure / Pulse Policy Secure |
Affected:
9.1R9
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:28.147Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pulse Connect Secure / Pulse Policy Secure",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "9.1R9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the Pulse Connect Secure / Pulse Policy Secure \u003c 9.1R9 is vulnerable to arbitrary cookie injection."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "Classic Buffer Overflow (CWE-120)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-28T12:47:36.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8261",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pulse Connect Secure / Pulse Policy Secure",
"version": {
"version_data": [
{
"version_value": "9.1R9"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in the Pulse Connect Secure / Pulse Policy Secure \u003c 9.1R9 is vulnerable to arbitrary cookie injection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Classic Buffer Overflow (CWE-120)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601",
"refsource": "MISC",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8261",
"datePublished": "2020-10-28T12:47:36.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:28.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15352 (GCVE-0-2020-15352)
Vulnerability from nvd – Published: 2020-10-27 04:10 – Updated: 2024-08-04 13:15
VLAI
Summary
An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:15:20.466Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-27T04:10:54.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15352",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601",
"refsource": "MISC",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-15352",
"datePublished": "2020-10-27T04:10:54.000Z",
"dateReserved": "2020-06-26T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:15:20.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8238 (GCVE-0-2020-8238)
Vulnerability from nvd – Published: 2020-09-29 13:41 – Updated: 2024-08-04 09:56
VLAI
Summary
A vulnerability in the authenticated user web interface of Pulse Connect Secure and Pulse Policy Secure < 9.1R8.2 could allow attackers to conduct Cross-Site Scripting (XSS).
Severity
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS) - Generic (CWE-79)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_MISC |
| https://www.gosecure.net/blog/2020/11/13/forget-y… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Pulse Secure | Pulse Connect Secure/ Pulse Policy Secure |
Affected:
Fixed in 9.1R8.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:27.951Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gosecure.net/blog/2020/11/13/forget-your-perimeter-part-2-four-vulnerabilities-in-pulse-connect-secure/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pulse Connect Secure/ Pulse Policy Secure",
"vendor": "Pulse Secure",
"versions": [
{
"status": "affected",
"version": "Fixed in 9.1R8.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the authenticated user web interface of Pulse Connect Secure and Pulse Policy Secure \u003c 9.1R8.2 could allow attackers to conduct Cross-Site Scripting (XSS)."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (XSS) - Generic (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-01T14:27:38.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gosecure.net/blog/2020/11/13/forget-your-perimeter-part-2-four-vulnerabilities-in-pulse-connect-secure/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8238",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pulse Connect Secure/ Pulse Policy Secure",
"version": {
"version_data": [
{
"version_value": "Fixed in 9.1R8.2"
}
]
}
}
]
},
"vendor_name": "Pulse Secure"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in the authenticated user web interface of Pulse Connect Secure and Pulse Policy Secure \u003c 9.1R8.2 could allow attackers to conduct Cross-Site Scripting (XSS)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Generic (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588",
"refsource": "MISC",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588"
},
{
"name": "https://www.gosecure.net/blog/2020/11/13/forget-your-perimeter-part-2-four-vulnerabilities-in-pulse-connect-secure/",
"refsource": "MISC",
"url": "https://www.gosecure.net/blog/2020/11/13/forget-your-perimeter-part-2-four-vulnerabilities-in-pulse-connect-secure/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8238",
"datePublished": "2020-09-29T13:41:05.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:27.951Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8222 (GCVE-0-2020-8222)
Vulnerability from nvd – Published: 2020-07-30 12:53 – Updated: 2024-08-04 09:56
VLAI
Summary
A path traversal vulnerability exists in Pulse Connect Secure <9.1R8 that allowed an authenticated attacker via the administrator web interface to perform an arbitrary file reading vulnerability through Meeting.
Severity
No CVSS data available.
CWE
- CWE-22 - Path Traversal (CWE-22)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Pulse Connect Secure |
Affected:
Fixed in 9.1R8
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:27.511Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pulse Connect Secure",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 9.1R8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A path traversal vulnerability exists in Pulse Connect Secure \u003c9.1R8 that allowed an authenticated attacker via the administrator web interface to perform an arbitrary file reading vulnerability through Meeting."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal (CWE-22)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-30T12:53:02.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8222",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pulse Connect Secure",
"version": {
"version_data": [
{
"version_value": "Fixed in 9.1R8"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A path traversal vulnerability exists in Pulse Connect Secure \u003c9.1R8 that allowed an authenticated attacker via the administrator web interface to perform an arbitrary file reading vulnerability through Meeting."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Path Traversal (CWE-22)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516",
"refsource": "MISC",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8222",
"datePublished": "2020-07-30T12:53:02.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:27.511Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8221 (GCVE-0-2020-8221)
Vulnerability from nvd – Published: 2020-07-30 12:53 – Updated: 2024-08-04 09:56
VLAI
Summary
A path traversal vulnerability exists in Pulse Connect Secure <9.1R8 which allows an authenticated attacker to read arbitrary files via the administrator web interface.
Severity
No CVSS data available.
CWE
- CWE-22 - Path Traversal (CWE-22)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Pulse Connect Secure |
Affected:
Fixed in
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:27.888Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pulse Connect Secure",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A path traversal vulnerability exists in Pulse Connect Secure \u003c9.1R8 which allows an authenticated attacker to read arbitrary files via the administrator web interface."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal (CWE-22)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-30T12:53:02.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8221",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pulse Connect Secure",
"version": {
"version_data": [
{
"version_value": "Fixed in"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A path traversal vulnerability exists in Pulse Connect Secure \u003c9.1R8 which allows an authenticated attacker to read arbitrary files via the administrator web interface."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Path Traversal (CWE-22)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516",
"refsource": "MISC",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8221",
"datePublished": "2020-07-30T12:53:02.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:27.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8220 (GCVE-0-2020-8220)
Vulnerability from nvd – Published: 2020-07-30 12:53 – Updated: 2024-08-04 09:56
VLAI
Summary
A denial of service vulnerability exists in Pulse Connect Secure <9.1R8 that allows an authenticated attacker to perform command injection via the administrator web which can cause DOS.
Severity
No CVSS data available.
CWE
- CWE-400 - Denial of Service (CWE-400)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Pulse Connect Secure |
Affected:
Fixed in 9.1R8
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:27.763Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pulse Connect Secure",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 9.1R8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A denial of service vulnerability exists in Pulse Connect Secure \u003c9.1R8 that allows an authenticated attacker to perform command injection via the administrator web which can cause DOS."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-30T12:53:02.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8220",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pulse Connect Secure",
"version": {
"version_data": [
{
"version_value": "Fixed in 9.1R8"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A denial of service vulnerability exists in Pulse Connect Secure \u003c9.1R8 that allows an authenticated attacker to perform command injection via the administrator web which can cause DOS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516",
"refsource": "MISC",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8220",
"datePublished": "2020-07-30T12:53:02.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:27.763Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8219 (GCVE-0-2020-8219)
Vulnerability from nvd – Published: 2020-07-30 12:53 – Updated: 2024-08-04 09:56
VLAI
Summary
An insufficient permission check vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to change the password of a full administrator.
Severity
No CVSS data available.
CWE
- CWE-280 - Improper Handling of Insufficient Permissions or Privileges (CWE-280)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Pulse Connect Secure |
Affected:
Fixed in 9.1R8
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:27.612Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pulse Connect Secure",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 9.1R8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An insufficient permission check vulnerability exists in Pulse Connect Secure \u003c9.1R8 that allows an attacker to change the password of a full administrator."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-280",
"description": "Improper Handling of Insufficient Permissions or Privileges (CWE-280)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-30T12:53:02.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8219",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pulse Connect Secure",
"version": {
"version_data": [
{
"version_value": "Fixed in 9.1R8"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An insufficient permission check vulnerability exists in Pulse Connect Secure \u003c9.1R8 that allows an attacker to change the password of a full administrator."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Handling of Insufficient Permissions or Privileges (CWE-280)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516",
"refsource": "MISC",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8219",
"datePublished": "2020-07-30T12:53:02.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:27.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8218 (GCVE-0-2020-8218)
Vulnerability from nvd – Published: 2020-07-30 12:53 – Updated: 2025-10-21 23:35Summary
A code injection vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to crafted a URI to perform an arbitrary code execution via the admin web interface.
Severity
7.2 (High)
SSVC
Exploitation: active
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Code Injection (CWE-94)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_MISC |
| https://www.gosecure.net/blog/2020/11/13/forget-y… | x_refsource_MISC |
| https://www.cisa.gov/known-exploited-vulnerabilit… | government-resource |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Pulse Connect Secure |
Affected:
Fixed in 9.1R8
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:27.483Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gosecure.net/blog/2020/11/13/forget-your-perimeter-part-2-four-vulnerabilities-in-pulse-connect-secure/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2020-8218",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T18:20:41.248153Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2022-03-07",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-8218"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:35:38.731Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-8218"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-03-07T00:00:00.000Z",
"value": "CVE-2020-8218 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Pulse Connect Secure",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 9.1R8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A code injection vulnerability exists in Pulse Connect Secure \u003c9.1R8 that allows an attacker to crafted a URI to perform an arbitrary code execution via the admin web interface."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection (CWE-94)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-01T14:27:42.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gosecure.net/blog/2020/11/13/forget-your-perimeter-part-2-four-vulnerabilities-in-pulse-connect-secure/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8218",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pulse Connect Secure",
"version": {
"version_data": [
{
"version_value": "Fixed in 9.1R8"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A code injection vulnerability exists in Pulse Connect Secure \u003c9.1R8 that allows an attacker to crafted a URI to perform an arbitrary code execution via the admin web interface."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Code Injection (CWE-94)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516",
"refsource": "MISC",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
},
{
"name": "https://www.gosecure.net/blog/2020/11/13/forget-your-perimeter-part-2-four-vulnerabilities-in-pulse-connect-secure/",
"refsource": "MISC",
"url": "https://www.gosecure.net/blog/2020/11/13/forget-your-perimeter-part-2-four-vulnerabilities-in-pulse-connect-secure/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8218",
"datePublished": "2020-07-30T12:53:02.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:35:38.731Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8217 (GCVE-0-2020-8217)
Vulnerability from nvd – Published: 2020-07-30 12:53 – Updated: 2024-08-04 09:56
VLAI
Summary
A cross site scripting (XSS) vulnerability in Pulse Connect Secure <9.1R8 allowed attackers to exploit in the URL used for Citrix ICA.
Severity
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS) - Reflected (CWE-79)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Pulse Connect Secure |
Affected:
Fixed in 9.1R8
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:27.493Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pulse Connect Secure",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 9.1R8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A cross site scripting (XSS) vulnerability in Pulse Connect Secure \u003c9.1R8 allowed attackers to exploit in the URL used for Citrix ICA."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (XSS) - Reflected (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-30T12:53:02.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8217",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pulse Connect Secure",
"version": {
"version_data": [
{
"version_value": "Fixed in 9.1R8"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A cross site scripting (XSS) vulnerability in Pulse Connect Secure \u003c9.1R8 allowed attackers to exploit in the URL used for Citrix ICA."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Reflected (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516",
"refsource": "MISC",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8217",
"datePublished": "2020-07-30T12:53:02.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:27.493Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8216 (GCVE-0-2020-8216)
Vulnerability from nvd – Published: 2020-07-30 12:53 – Updated: 2024-08-04 09:56
VLAI
Summary
An information disclosure vulnerability in meeting of Pulse Connect Secure <9.1R8 allowed an authenticated end-users to find meeting details, if they know the Meeting ID.
Severity
No CVSS data available.
CWE
- CWE-200 - Information Disclosure (CWE-200)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Pulse Connect Secure |
Affected:
Fixed in 9.1R8
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:27.410Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pulse Connect Secure",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 9.1R8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An information disclosure vulnerability in meeting of Pulse Connect Secure \u003c9.1R8 allowed an authenticated end-users to find meeting details, if they know the Meeting ID."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "Information Disclosure (CWE-200)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-30T12:53:02.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8216",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pulse Connect Secure",
"version": {
"version_data": [
{
"version_value": "Fixed in 9.1R8"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An information disclosure vulnerability in meeting of Pulse Connect Secure \u003c9.1R8 allowed an authenticated end-users to find meeting details, if they know the Meeting ID."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Disclosure (CWE-200)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516",
"refsource": "MISC",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8216",
"datePublished": "2020-07-30T12:53:02.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:27.410Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8206 (GCVE-0-2020-8206)
Vulnerability from nvd – Published: 2020-07-30 12:53 – Updated: 2024-08-04 09:56
VLAI
Summary
An improper authentication vulnerability exists in Pulse Connect Secure <9.1RB that allows an attacker with a users primary credentials to bypass the Google TOTP.
Severity
No CVSS data available.
CWE
- CWE-287 - Improper Authentication - Generic (CWE-287)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Pulse Connect Secure |
Affected:
Fixed in 9.1R8
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:27.638Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pulse Connect Secure",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 9.1R8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An improper authentication vulnerability exists in Pulse Connect Secure \u003c9.1RB that allows an attacker with a users primary credentials to bypass the Google TOTP."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Improper Authentication - Generic (CWE-287)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-30T12:53:02.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8206",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pulse Connect Secure",
"version": {
"version_data": [
{
"version_value": "Fixed in 9.1R8"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An improper authentication vulnerability exists in Pulse Connect Secure \u003c9.1RB that allows an attacker with a users primary credentials to bypass the Google TOTP."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Authentication - Generic (CWE-287)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516",
"refsource": "MISC",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8206",
"datePublished": "2020-07-30T12:53:02.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:27.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8204 (GCVE-0-2020-8204)
Vulnerability from nvd – Published: 2020-07-30 12:53 – Updated: 2024-08-04 09:56
VLAI
Summary
A cross site scripting (XSS) vulnerability exists in Pulse Connect Secure <9.1R5 on the PSAL Page.
Severity
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS) - DOM (CWE-79)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Pulse Connect Secure |
Affected:
Fixed in 9.1R5
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:27.562Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pulse Connect Secure",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 9.1R5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A cross site scripting (XSS) vulnerability exists in Pulse Connect Secure \u003c9.1R5 on the PSAL Page."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (XSS) - DOM (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-30T12:53:02.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8204",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pulse Connect Secure",
"version": {
"version_data": [
{
"version_value": "Fixed in 9.1R5"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A cross site scripting (XSS) vulnerability exists in Pulse Connect Secure \u003c9.1R5 on the PSAL Page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - DOM (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516",
"refsource": "MISC",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8204",
"datePublished": "2020-07-30T12:53:02.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:27.562Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-12880 (GCVE-0-2020-12880)
Vulnerability from nvd – Published: 2020-07-27 22:10 – Updated: 2024-08-04 12:11
VLAI
Summary
An issue was discovered in Pulse Policy Secure (PPS) and Pulse Connect Secure (PCS) Virtual Appliance before 9.1R8. By manipulating a certain kernel boot parameter, it can be tricked into dropping into a root shell in a pre-install phase where the entire source code of the appliance is available and can be retrieved. (The source code is otherwise inaccessible because the appliance has its hard disks encrypted, and no root shell is available during normal operation.)
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://kb.pulsesecure.net/?atype=sa | x_refsource_MISC |
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_CONFIRM |
Date Public
2020-07-27 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:11:18.205Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/?atype=sa"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2020-07-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Pulse Policy Secure (PPS) and Pulse Connect Secure (PCS) Virtual Appliance before 9.1R8. By manipulating a certain kernel boot parameter, it can be tricked into dropping into a root shell in a pre-install phase where the entire source code of the appliance is available and can be retrieved. (The source code is otherwise inaccessible because the appliance has its hard disks encrypted, and no root shell is available during normal operation.)"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-27T22:10:12.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kb.pulsesecure.net/?atype=sa"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12880",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Pulse Policy Secure (PPS) and Pulse Connect Secure (PCS) Virtual Appliance before 9.1R8. By manipulating a certain kernel boot parameter, it can be tricked into dropping into a root shell in a pre-install phase where the entire source code of the appliance is available and can be retrieved. (The source code is otherwise inaccessible because the appliance has its hard disks encrypted, and no root shell is available during normal operation.)"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.pulsesecure.net/?atype=sa",
"refsource": "MISC",
"url": "https://kb.pulsesecure.net/?atype=sa"
},
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516",
"refsource": "CONFIRM",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-12880",
"datePublished": "2020-07-27T22:10:12.000Z",
"dateReserved": "2020-05-15T00:00:00.000Z",
"dateUpdated": "2024-08-04T12:11:18.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-11582 (GCVE-0-2020-11582)
Vulnerability from nvd – Published: 2020-04-06 20:03 – Updated: 2024-08-04 11:35
VLAI
Summary
An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced, launches a TCP server that accepts local connections on a random port. This can be reached by local HTTP clients, because up to 25 invalid lines are ignored, and because DNS rebinding can occur. (This server accepts, for example, a setcookie command that might be relevant to CVE-2020-11581 exploitation.)
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://git.lsd.cat/g/pulse-host-checker-rce | x_refsource_MISC |
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:35:13.293Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://git.lsd.cat/g/pulse-host-checker-rce"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44426"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced, launches a TCP server that accepts local connections on a random port. This can be reached by local HTTP clients, because up to 25 invalid lines are ignored, and because DNS rebinding can occur. (This server accepts, for example, a setcookie command that might be relevant to CVE-2020-11581 exploitation.)"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-08T20:06:02.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://git.lsd.cat/g/pulse-host-checker-rce"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44426"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-11582",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced, launches a TCP server that accepts local connections on a random port. This can be reached by local HTTP clients, because up to 25 invalid lines are ignored, and because DNS rebinding can occur. (This server accepts, for example, a setcookie command that might be relevant to CVE-2020-11581 exploitation.)"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://git.lsd.cat/g/pulse-host-checker-rce",
"refsource": "MISC",
"url": "https://git.lsd.cat/g/pulse-host-checker-rce"
},
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44426",
"refsource": "CONFIRM",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44426"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-11582",
"datePublished": "2020-04-06T20:03:20.000Z",
"dateReserved": "2020-04-06T00:00:00.000Z",
"dateUpdated": "2024-08-04T11:35:13.293Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-11581 (GCVE-0-2020-11581)
Vulnerability from nvd – Published: 2020-04-06 20:03 – Updated: 2024-08-04 11:35
VLAI
Summary
An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced, allows a man-in-the-middle attacker to perform OS command injection attacks (against a client) via shell metacharacters to the doCustomRemediateInstructions method, because Runtime.getRuntime().exec() is used.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://git.lsd.cat/g/pulse-host-checker-rce | x_refsource_MISC |
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:35:13.241Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://git.lsd.cat/g/pulse-host-checker-rce"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44426"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced, allows a man-in-the-middle attacker to perform OS command injection attacks (against a client) via shell metacharacters to the doCustomRemediateInstructions method, because Runtime.getRuntime().exec() is used."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-08T20:06:03.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://git.lsd.cat/g/pulse-host-checker-rce"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44426"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-11581",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced, allows a man-in-the-middle attacker to perform OS command injection attacks (against a client) via shell metacharacters to the doCustomRemediateInstructions method, because Runtime.getRuntime().exec() is used."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://git.lsd.cat/g/pulse-host-checker-rce",
"refsource": "MISC",
"url": "https://git.lsd.cat/g/pulse-host-checker-rce"
},
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44426",
"refsource": "CONFIRM",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44426"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-11581",
"datePublished": "2020-04-06T20:03:38.000Z",
"dateReserved": "2020-04-06T00:00:00.000Z",
"dateUpdated": "2024-08-04T11:35:13.241Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8262 (GCVE-0-2020-8262)
Vulnerability from cvelistv5 – Published: 2020-10-28 12:47 – Updated: 2024-08-04 09:56
VLAI
Summary
A vulnerability in the Pulse Connect Secure / Pulse Policy Secure below 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS) and Open Redirection for authenticated user web interface.
Severity
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS) - Reflected (CWE-79)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Pulse Connect Secure / Pulse Policy Secure |
Affected:
Fixed in 9.1R9
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:28.075Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pulse Connect Secure / Pulse Policy Secure",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 9.1R9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the Pulse Connect Secure / Pulse Policy Secure below 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS) and Open Redirection for authenticated user web interface."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (XSS) - Reflected (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-28T12:47:55.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8262",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pulse Connect Secure / Pulse Policy Secure",
"version": {
"version_data": [
{
"version_value": "Fixed in 9.1R9"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in the Pulse Connect Secure / Pulse Policy Secure below 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS) and Open Redirection for authenticated user web interface."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Reflected (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601",
"refsource": "MISC",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8262",
"datePublished": "2020-10-28T12:47:55.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:28.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8261 (GCVE-0-2020-8261)
Vulnerability from cvelistv5 – Published: 2020-10-28 12:47 – Updated: 2024-08-04 09:56
VLAI
Summary
A vulnerability in the Pulse Connect Secure / Pulse Policy Secure < 9.1R9 is vulnerable to arbitrary cookie injection.
Severity
No CVSS data available.
CWE
- CWE-120 - Classic Buffer Overflow (CWE-120)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Pulse Connect Secure / Pulse Policy Secure |
Affected:
9.1R9
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:28.147Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pulse Connect Secure / Pulse Policy Secure",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "9.1R9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the Pulse Connect Secure / Pulse Policy Secure \u003c 9.1R9 is vulnerable to arbitrary cookie injection."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "Classic Buffer Overflow (CWE-120)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-28T12:47:36.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8261",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pulse Connect Secure / Pulse Policy Secure",
"version": {
"version_data": [
{
"version_value": "9.1R9"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in the Pulse Connect Secure / Pulse Policy Secure \u003c 9.1R9 is vulnerable to arbitrary cookie injection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Classic Buffer Overflow (CWE-120)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601",
"refsource": "MISC",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8261",
"datePublished": "2020-10-28T12:47:36.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:28.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15352 (GCVE-0-2020-15352)
Vulnerability from cvelistv5 – Published: 2020-10-27 04:10 – Updated: 2024-08-04 13:15
VLAI
Summary
An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:15:20.466Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-27T04:10:54.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15352",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601",
"refsource": "MISC",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-15352",
"datePublished": "2020-10-27T04:10:54.000Z",
"dateReserved": "2020-06-26T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:15:20.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8238 (GCVE-0-2020-8238)
Vulnerability from cvelistv5 – Published: 2020-09-29 13:41 – Updated: 2024-08-04 09:56
VLAI
Summary
A vulnerability in the authenticated user web interface of Pulse Connect Secure and Pulse Policy Secure < 9.1R8.2 could allow attackers to conduct Cross-Site Scripting (XSS).
Severity
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS) - Generic (CWE-79)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_MISC |
| https://www.gosecure.net/blog/2020/11/13/forget-y… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Pulse Secure | Pulse Connect Secure/ Pulse Policy Secure |
Affected:
Fixed in 9.1R8.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:27.951Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gosecure.net/blog/2020/11/13/forget-your-perimeter-part-2-four-vulnerabilities-in-pulse-connect-secure/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pulse Connect Secure/ Pulse Policy Secure",
"vendor": "Pulse Secure",
"versions": [
{
"status": "affected",
"version": "Fixed in 9.1R8.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the authenticated user web interface of Pulse Connect Secure and Pulse Policy Secure \u003c 9.1R8.2 could allow attackers to conduct Cross-Site Scripting (XSS)."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (XSS) - Generic (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-01T14:27:38.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gosecure.net/blog/2020/11/13/forget-your-perimeter-part-2-four-vulnerabilities-in-pulse-connect-secure/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8238",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pulse Connect Secure/ Pulse Policy Secure",
"version": {
"version_data": [
{
"version_value": "Fixed in 9.1R8.2"
}
]
}
}
]
},
"vendor_name": "Pulse Secure"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in the authenticated user web interface of Pulse Connect Secure and Pulse Policy Secure \u003c 9.1R8.2 could allow attackers to conduct Cross-Site Scripting (XSS)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Generic (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588",
"refsource": "MISC",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588"
},
{
"name": "https://www.gosecure.net/blog/2020/11/13/forget-your-perimeter-part-2-four-vulnerabilities-in-pulse-connect-secure/",
"refsource": "MISC",
"url": "https://www.gosecure.net/blog/2020/11/13/forget-your-perimeter-part-2-four-vulnerabilities-in-pulse-connect-secure/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8238",
"datePublished": "2020-09-29T13:41:05.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:27.951Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8204 (GCVE-0-2020-8204)
Vulnerability from cvelistv5 – Published: 2020-07-30 12:53 – Updated: 2024-08-04 09:56
VLAI
Summary
A cross site scripting (XSS) vulnerability exists in Pulse Connect Secure <9.1R5 on the PSAL Page.
Severity
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS) - DOM (CWE-79)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Pulse Connect Secure |
Affected:
Fixed in 9.1R5
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:27.562Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pulse Connect Secure",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 9.1R5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A cross site scripting (XSS) vulnerability exists in Pulse Connect Secure \u003c9.1R5 on the PSAL Page."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (XSS) - DOM (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-30T12:53:02.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8204",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pulse Connect Secure",
"version": {
"version_data": [
{
"version_value": "Fixed in 9.1R5"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A cross site scripting (XSS) vulnerability exists in Pulse Connect Secure \u003c9.1R5 on the PSAL Page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - DOM (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516",
"refsource": "MISC",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8204",
"datePublished": "2020-07-30T12:53:02.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:27.562Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8217 (GCVE-0-2020-8217)
Vulnerability from cvelistv5 – Published: 2020-07-30 12:53 – Updated: 2024-08-04 09:56
VLAI
Summary
A cross site scripting (XSS) vulnerability in Pulse Connect Secure <9.1R8 allowed attackers to exploit in the URL used for Citrix ICA.
Severity
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS) - Reflected (CWE-79)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Pulse Connect Secure |
Affected:
Fixed in 9.1R8
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:27.493Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pulse Connect Secure",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 9.1R8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A cross site scripting (XSS) vulnerability in Pulse Connect Secure \u003c9.1R8 allowed attackers to exploit in the URL used for Citrix ICA."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site Scripting (XSS) - Reflected (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-30T12:53:02.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8217",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pulse Connect Secure",
"version": {
"version_data": [
{
"version_value": "Fixed in 9.1R8"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A cross site scripting (XSS) vulnerability in Pulse Connect Secure \u003c9.1R8 allowed attackers to exploit in the URL used for Citrix ICA."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Reflected (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516",
"refsource": "MISC",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8217",
"datePublished": "2020-07-30T12:53:02.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:27.493Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8219 (GCVE-0-2020-8219)
Vulnerability from cvelistv5 – Published: 2020-07-30 12:53 – Updated: 2024-08-04 09:56
VLAI
Summary
An insufficient permission check vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to change the password of a full administrator.
Severity
No CVSS data available.
CWE
- CWE-280 - Improper Handling of Insufficient Permissions or Privileges (CWE-280)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Pulse Connect Secure |
Affected:
Fixed in 9.1R8
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:27.612Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pulse Connect Secure",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 9.1R8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An insufficient permission check vulnerability exists in Pulse Connect Secure \u003c9.1R8 that allows an attacker to change the password of a full administrator."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-280",
"description": "Improper Handling of Insufficient Permissions or Privileges (CWE-280)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-30T12:53:02.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8219",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pulse Connect Secure",
"version": {
"version_data": [
{
"version_value": "Fixed in 9.1R8"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An insufficient permission check vulnerability exists in Pulse Connect Secure \u003c9.1R8 that allows an attacker to change the password of a full administrator."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Handling of Insufficient Permissions or Privileges (CWE-280)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516",
"refsource": "MISC",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8219",
"datePublished": "2020-07-30T12:53:02.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:27.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8216 (GCVE-0-2020-8216)
Vulnerability from cvelistv5 – Published: 2020-07-30 12:53 – Updated: 2024-08-04 09:56
VLAI
Summary
An information disclosure vulnerability in meeting of Pulse Connect Secure <9.1R8 allowed an authenticated end-users to find meeting details, if they know the Meeting ID.
Severity
No CVSS data available.
CWE
- CWE-200 - Information Disclosure (CWE-200)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Pulse Connect Secure |
Affected:
Fixed in 9.1R8
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:27.410Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pulse Connect Secure",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 9.1R8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An information disclosure vulnerability in meeting of Pulse Connect Secure \u003c9.1R8 allowed an authenticated end-users to find meeting details, if they know the Meeting ID."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "Information Disclosure (CWE-200)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-30T12:53:02.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8216",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pulse Connect Secure",
"version": {
"version_data": [
{
"version_value": "Fixed in 9.1R8"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An information disclosure vulnerability in meeting of Pulse Connect Secure \u003c9.1R8 allowed an authenticated end-users to find meeting details, if they know the Meeting ID."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Disclosure (CWE-200)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516",
"refsource": "MISC",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8216",
"datePublished": "2020-07-30T12:53:02.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:27.410Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8220 (GCVE-0-2020-8220)
Vulnerability from cvelistv5 – Published: 2020-07-30 12:53 – Updated: 2024-08-04 09:56
VLAI
Summary
A denial of service vulnerability exists in Pulse Connect Secure <9.1R8 that allows an authenticated attacker to perform command injection via the administrator web which can cause DOS.
Severity
No CVSS data available.
CWE
- CWE-400 - Denial of Service (CWE-400)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Pulse Connect Secure |
Affected:
Fixed in 9.1R8
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:27.763Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pulse Connect Secure",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 9.1R8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A denial of service vulnerability exists in Pulse Connect Secure \u003c9.1R8 that allows an authenticated attacker to perform command injection via the administrator web which can cause DOS."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-30T12:53:02.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8220",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pulse Connect Secure",
"version": {
"version_data": [
{
"version_value": "Fixed in 9.1R8"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A denial of service vulnerability exists in Pulse Connect Secure \u003c9.1R8 that allows an authenticated attacker to perform command injection via the administrator web which can cause DOS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516",
"refsource": "MISC",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8220",
"datePublished": "2020-07-30T12:53:02.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:27.763Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8218 (GCVE-0-2020-8218)
Vulnerability from cvelistv5 – Published: 2020-07-30 12:53 – Updated: 2025-10-21 23:35Summary
A code injection vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to crafted a URI to perform an arbitrary code execution via the admin web interface.
Severity
7.2 (High)
SSVC
Exploitation: active
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Code Injection (CWE-94)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_MISC |
| https://www.gosecure.net/blog/2020/11/13/forget-y… | x_refsource_MISC |
| https://www.cisa.gov/known-exploited-vulnerabilit… | government-resource |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Pulse Connect Secure |
Affected:
Fixed in 9.1R8
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:27.483Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gosecure.net/blog/2020/11/13/forget-your-perimeter-part-2-four-vulnerabilities-in-pulse-connect-secure/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2020-8218",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T18:20:41.248153Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2022-03-07",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-8218"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:35:38.731Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-8218"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-03-07T00:00:00.000Z",
"value": "CVE-2020-8218 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Pulse Connect Secure",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 9.1R8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A code injection vulnerability exists in Pulse Connect Secure \u003c9.1R8 that allows an attacker to crafted a URI to perform an arbitrary code execution via the admin web interface."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection (CWE-94)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-01T14:27:42.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gosecure.net/blog/2020/11/13/forget-your-perimeter-part-2-four-vulnerabilities-in-pulse-connect-secure/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8218",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pulse Connect Secure",
"version": {
"version_data": [
{
"version_value": "Fixed in 9.1R8"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A code injection vulnerability exists in Pulse Connect Secure \u003c9.1R8 that allows an attacker to crafted a URI to perform an arbitrary code execution via the admin web interface."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Code Injection (CWE-94)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516",
"refsource": "MISC",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
},
{
"name": "https://www.gosecure.net/blog/2020/11/13/forget-your-perimeter-part-2-four-vulnerabilities-in-pulse-connect-secure/",
"refsource": "MISC",
"url": "https://www.gosecure.net/blog/2020/11/13/forget-your-perimeter-part-2-four-vulnerabilities-in-pulse-connect-secure/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8218",
"datePublished": "2020-07-30T12:53:02.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:35:38.731Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8221 (GCVE-0-2020-8221)
Vulnerability from cvelistv5 – Published: 2020-07-30 12:53 – Updated: 2024-08-04 09:56
VLAI
Summary
A path traversal vulnerability exists in Pulse Connect Secure <9.1R8 which allows an authenticated attacker to read arbitrary files via the administrator web interface.
Severity
No CVSS data available.
CWE
- CWE-22 - Path Traversal (CWE-22)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Pulse Connect Secure |
Affected:
Fixed in
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:27.888Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pulse Connect Secure",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A path traversal vulnerability exists in Pulse Connect Secure \u003c9.1R8 which allows an authenticated attacker to read arbitrary files via the administrator web interface."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal (CWE-22)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-30T12:53:02.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8221",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pulse Connect Secure",
"version": {
"version_data": [
{
"version_value": "Fixed in"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A path traversal vulnerability exists in Pulse Connect Secure \u003c9.1R8 which allows an authenticated attacker to read arbitrary files via the administrator web interface."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Path Traversal (CWE-22)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516",
"refsource": "MISC",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8221",
"datePublished": "2020-07-30T12:53:02.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:27.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8206 (GCVE-0-2020-8206)
Vulnerability from cvelistv5 – Published: 2020-07-30 12:53 – Updated: 2024-08-04 09:56
VLAI
Summary
An improper authentication vulnerability exists in Pulse Connect Secure <9.1RB that allows an attacker with a users primary credentials to bypass the Google TOTP.
Severity
No CVSS data available.
CWE
- CWE-287 - Improper Authentication - Generic (CWE-287)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Pulse Connect Secure |
Affected:
Fixed in 9.1R8
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:27.638Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pulse Connect Secure",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 9.1R8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An improper authentication vulnerability exists in Pulse Connect Secure \u003c9.1RB that allows an attacker with a users primary credentials to bypass the Google TOTP."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Improper Authentication - Generic (CWE-287)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-30T12:53:02.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8206",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pulse Connect Secure",
"version": {
"version_data": [
{
"version_value": "Fixed in 9.1R8"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An improper authentication vulnerability exists in Pulse Connect Secure \u003c9.1RB that allows an attacker with a users primary credentials to bypass the Google TOTP."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Authentication - Generic (CWE-287)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516",
"refsource": "MISC",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8206",
"datePublished": "2020-07-30T12:53:02.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:27.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8222 (GCVE-0-2020-8222)
Vulnerability from cvelistv5 – Published: 2020-07-30 12:53 – Updated: 2024-08-04 09:56
VLAI
Summary
A path traversal vulnerability exists in Pulse Connect Secure <9.1R8 that allowed an authenticated attacker via the administrator web interface to perform an arbitrary file reading vulnerability through Meeting.
Severity
No CVSS data available.
CWE
- CWE-22 - Path Traversal (CWE-22)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Pulse Connect Secure |
Affected:
Fixed in 9.1R8
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:27.511Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pulse Connect Secure",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 9.1R8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A path traversal vulnerability exists in Pulse Connect Secure \u003c9.1R8 that allowed an authenticated attacker via the administrator web interface to perform an arbitrary file reading vulnerability through Meeting."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal (CWE-22)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-30T12:53:02.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8222",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pulse Connect Secure",
"version": {
"version_data": [
{
"version_value": "Fixed in 9.1R8"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A path traversal vulnerability exists in Pulse Connect Secure \u003c9.1R8 that allowed an authenticated attacker via the administrator web interface to perform an arbitrary file reading vulnerability through Meeting."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Path Traversal (CWE-22)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516",
"refsource": "MISC",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8222",
"datePublished": "2020-07-30T12:53:02.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:27.511Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-12880 (GCVE-0-2020-12880)
Vulnerability from cvelistv5 – Published: 2020-07-27 22:10 – Updated: 2024-08-04 12:11
VLAI
Summary
An issue was discovered in Pulse Policy Secure (PPS) and Pulse Connect Secure (PCS) Virtual Appliance before 9.1R8. By manipulating a certain kernel boot parameter, it can be tricked into dropping into a root shell in a pre-install phase where the entire source code of the appliance is available and can be retrieved. (The source code is otherwise inaccessible because the appliance has its hard disks encrypted, and no root shell is available during normal operation.)
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://kb.pulsesecure.net/?atype=sa | x_refsource_MISC |
| https://kb.pulsesecure.net/articles/Pulse_Securit… | x_refsource_CONFIRM |
Date Public
2020-07-27 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:11:18.205Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/?atype=sa"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2020-07-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Pulse Policy Secure (PPS) and Pulse Connect Secure (PCS) Virtual Appliance before 9.1R8. By manipulating a certain kernel boot parameter, it can be tricked into dropping into a root shell in a pre-install phase where the entire source code of the appliance is available and can be retrieved. (The source code is otherwise inaccessible because the appliance has its hard disks encrypted, and no root shell is available during normal operation.)"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-27T22:10:12.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kb.pulsesecure.net/?atype=sa"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12880",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Pulse Policy Secure (PPS) and Pulse Connect Secure (PCS) Virtual Appliance before 9.1R8. By manipulating a certain kernel boot parameter, it can be tricked into dropping into a root shell in a pre-install phase where the entire source code of the appliance is available and can be retrieved. (The source code is otherwise inaccessible because the appliance has its hard disks encrypted, and no root shell is available during normal operation.)"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.pulsesecure.net/?atype=sa",
"refsource": "MISC",
"url": "https://kb.pulsesecure.net/?atype=sa"
},
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516",
"refsource": "CONFIRM",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-12880",
"datePublished": "2020-07-27T22:10:12.000Z",
"dateReserved": "2020-05-15T00:00:00.000Z",
"dateUpdated": "2024-08-04T12:11:18.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}