#VU52472 Arbitrary file upload in Ivanti Connect Secure (formerly Pulse Connect Secure) and Ivanti Policy Secure (formerly Pulse Policy Secure) - CVE-2020-8260

 


Published: April 21, 2021 / Updated: February 20, 2022


Vulnerability identifier: #VU52472
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Green
CVE-ID: CVE-2020-8260
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vulnerable software:
Ivanti Connect Secure (formerly Pulse Connect Secure)
Ivanti Policy Secure (formerly Pulse Policy Secure)
Software vendor:
Ivanti

Description

The vulnerability allows a remote user to compromise a vulnerable system.

The vulnerability exists due to insufficient validation of files during upload within the administrative web interface. A remote user can upload a malicious gzip file to the system and extract its contents into an arbitrary directory.

Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.
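
The kind of pre-extraction validation whose absence the description points to, shown as an added example that is not Ivanti's code or fix: every archive member is checked against the intended destination before anything is written. It assumes the upload is a gzip-compressed tar archive (the advisory only says "gzip file"); the function names and sample file names are hypothetical.

```python
import io
import os
import shutil
import tarfile

def unsafe_members(blob, dest_dir):
    """List (name, reason) for everything that makes the upload unsafe to unpack."""
    if blob[:2] != b"\x1f\x8b":  # gzip magic bytes
        return [("<upload>", "not a gzip stream")]
    root, problems = os.path.realpath(dest_dir), []
    try:
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
            for m in tar:
                # Resolve where the member would land, including ".." and absolute names.
                target = os.path.realpath(os.path.join(root, m.name))
                if os.path.commonpath([root, target]) != root:
                    problems.append((m.name, "path escapes destination"))
                elif not (m.isfile() or m.isdir()):
                    problems.append((m.name, "link or special file"))
    except (tarfile.TarError, OSError, EOFError) as exc:
        return [("<upload>", f"unreadable archive: {exc}")]
    return problems

def safe_extract(blob, dest_dir):
    """Unpack only if every member passed validation; otherwise write nothing."""
    problems = unsafe_members(blob, dest_dir)
    if problems:
        raise ValueError(f"upload rejected: {problems}")
    root = os.path.realpath(dest_dir)
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in tar:
            target = os.path.join(root, m.name)
            if m.isdir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                shutil.copyfileobj(tar.extractfile(m), out)

def build_sample(names):
    """Constructed test input: a tar.gz holding one small file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = 5
            tar.addfile(info, io.BytesIO(b"hello"))
    return buf.getvalue()
```

Validation runs over the whole archive before the first write, so a rejected upload leaves the destination untouched rather than partially unpacked.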


Remediation

Install updates from the vendor's website.

External links