CVE-2019-11543

Vulnerability

CVE-2019-11543 is a cross-site scripting (XSS) vulnerability in the admin web console of Pulse Secure Pulse Connect Secure (PCS) versions 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, and 8.1RX before 8.1R15.1, and Pulse Policy Secure versions 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, and 5.2RX before 5.2R12.1 [1]. The vulnerability allows an attacker to inject arbitrary web script or HTML via a crafted request to the admin console.

Exploitation

An attacker must have network access to the admin web console. No authentication is required to trigger the XSS, as the vulnerability is pre-authentication. The attacker can craft a malicious URI that, when visited by an administrator, executes the injected script in the context of the admin session [1].

Impact

Successful exploitation could allow the attacker to execute arbitrary JavaScript in the context of the admin's browser session, potentially leading to session hijacking, defacement, or further compromise of the Pulse Secure appliance [1]. The attacker could perform actions with the privileges of the administrator.

Mitigation

Pulse Secure has released patches for all affected versions: PCS 9.0R3.4, 8.3R7.1, and 8.1R15.1; Pulse Policy Secure 9.0R3.2, 5.4R7.1, and 5.2R12.1. No workarounds are available; applying the vendor-supplied patches is the only mitigation [1].