Main Vulnerability Database Vulnerabilities #VU36717

Open redirect in Ivanti Connect Secure (formerly Pulse Connect Secure) and Ivanti Policy Secure (formerly Pulse Policy Secure) - CVE-2018-14366

Published: September 7, 2018 / Updated: August 8, 2020

Vulnerability identifier: #VU36717

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2018-14366

CWE-ID: CWE-601

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Ivanti

Affected software:
Ivanti Connect Secure (formerly Pulse Connect Secure)
Ivanti Policy Secure (formerly Pulse Policy Secure)

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

download.cgi in Pulse Secure Pulse Connect Secure 8.1RX before 8.1R13 and 8.3RX before 8.3R4 and Pulse Policy Secure through 5.2RX before 5.2R10 and 5.4RX before 5.4R4 have an Open Redirect Vulnerability.

How to mitigate CVE-2018-14366

Install update from vendor's website.

Sources

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA43877

Open redirect in Ivanti Connect Secure (formerly Pulse Connect Secure) and Ivanti Policy Secure (formerly Pulse Policy Secure) - CVE-2018-14366

Detailed vulnerability description

How to mitigate CVE-2018-14366

Sources

Please verify you're human