Cross-site scripting in Ivanti Connect Secure (formerly Pulse Connect Secure) - CVE-2018-20807
Published: June 28, 2019 / Updated: August 8, 2020
Vulnerability identifier: #VU35772
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-20807
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Ivanti
Affected software:
Ivanti Connect Secure (formerly Pulse Connect Secure)
Ivanti Connect Secure (formerly Pulse Connect Secure)
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
An XSS issue has been found in welcome.cgi in Pulse Secure Pulse Connect Secure (PCS) 8.1.x before 8.1R12, 8.2.x before 8.2R9, and 8.3.x before 8.3R3 due to one of the URL parameters not being sanitized properly.
How to mitigate CVE-2018-20807
Install update from vendor's website.