Vulnerability identifier: #VU35773

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2018-20808

CWE-ID: CWE-79

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Pulse Connect Secure
Server applications / Remote access servers, VPN

Vendor: Pulse Secure

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

An XSS issue has been found with rd.cgi in Pulse Secure Pulse Connect Secure 8.3RX before 8.3R3 due to improper header sanitization. This is not applicable to 8.1RX.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Pulse Connect Secure: 8.3

---

CPE

• cpe:2.3:a:pulse_secure:pulse_connect_secure:8.3:*:*:*:*:*:*:*

External links
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA43877/

---

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?