Main Vulnerability Database Vulnerabilities #VU35773

Cross-site scripting in Ivanti Connect Secure (formerly Pulse Connect Secure) - CVE-2018-20808

Published: June 28, 2019 / Updated: August 8, 2020

Vulnerability identifier: #VU35773

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear

CVE-ID: CVE-2018-20808

CWE-ID: CWE-79

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Ivanti

Affected software:
Ivanti Connect Secure (formerly Pulse Connect Secure)

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

An XSS issue has been found with rd.cgi in Pulse Secure Pulse Connect Secure 8.3RX before 8.3R3 due to improper header sanitization. This is not applicable to 8.1RX.

How to mitigate CVE-2018-20808

Install update from vendor's website.

Sources

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA43877/

Cross-site scripting in Ivanti Connect Secure (formerly Pulse Connect Secure) - CVE-2018-20808

Detailed vulnerability description

How to mitigate CVE-2018-20808

Sources

Please verify you're human