Endpoint Manager Mobile
by Ivanti
CVEs (106)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-13168 | | | 0.00 | — | 0.02 | | Jan 14, 2025 | An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service. |
| CVE-2024-13169 | | | 0.00 | — | 0.00 | | Jan 14, 2025 | An out-of-bounds read in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a local authenticated attacker to escalate their privileges. |
| CVE-2024-13170 | | | 0.00 | — | 0.02 | | Jan 14, 2025 | An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service. |
| CVE-2024-13172 | | | 0.00 | — | 0.01 | | Jan 14, 2025 | Improper signature verification in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required. |
| CVE-2024-10811 | | | 0.00 | — | 0.03 | | Jan 14, 2025 | Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information. |
| CVE-2024-10256 | | | 0.00 | — | 0.00 | | Dec 10, 2024 | Insufficient permissions in Ivanti Patch SDK before version 9.7.703 allows a local authenticated attacker to delete arbitrary files. |
| CVE-2024-50323 | | | 0.00 | — | 0.01 | | Nov 12, 2024 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required. |
| CVE-2024-7612 | | | 0.00 | — | 0.00 | | Oct 8, 2024 | Insecure permissions in Ivanti EPMM before 12.1.0.4 allow a local authenticated attacker to modify sensitive application components. |
| CVE-2024-8441 | | | 0.00 | — | 0.00 | | Sep 10, 2024 | An uncontrolled search path in the agent of Ivanti EPM before 2022 SU6, or the 2024 September update allows a local authenticated attacker with admin privileges to escalate their privileges to SYSTEM. |
| CVE-2024-8322 | | | 0.00 | — | 0.01 | | Sep 10, 2024 | Weak authentication in Patch Management of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker to access restricted functionality. |
| CVE-2024-8321 | | | 0.00 | — | 0.02 | | Sep 10, 2024 | Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to isolate managed devices from the network. |
| CVE-2024-8320 | | | 0.00 | — | 0.01 | | Sep 10, 2024 | Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to spoof Network Isolation status of managed devices. |
| CVE-2024-29822 | | | 0.00 | — | 0.64 | | May 31, 2024 | An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. |
| CVE-2023-39336 | | | 0.00 | — | 0.10 | | Jan 9, 2024 | An unspecified SQL Injection vulnerability in Ivanti Endpoint Manager released prior to 2022 SU 5 allows an attacker with access to the internal network to execute arbitrary SQL queries and retrieve output without the need for authentication. Under specific circumstances, this… |
| CVE-2023-35083 | | | 0.00 | — | 0.01 | | Oct 18, 2023 | Allows an authenticated attacker with network access to read arbitrary files on Endpoint Manager recently discovered on 2022 SU3 and all previous versions potentially leading to the leakage of sensitive information. |
| CVE-2023-35084 | | | 0.00 | — | 0.03 | | Oct 18, 2023 | Unsafe Deserialization of User Input could lead to Execution of Unauthorized Operations in Ivanti Endpoint Manager 2022 su3 and all previous versions, which could allow an attacker to execute commands remotely. |
| CVE-2023-38344 | | | 0.00 | — | 0.01 | | Sep 21, 2023 | An issue was discovered in Ivanti Endpoint Manager before 2022 SU4. A file disclosure vulnerability exists in the GetFileContents SOAP action exposed via /landesk/managementsuite/core/core.secure/OsdScript.asmx. The application does not sufficiently restrict user-supplied paths,… |
| CVE-2023-38343 | | | 0.00 | — | 0.01 | | Sep 21, 2023 | An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. External entity references are enabled in the XML parser configuration. Exploitation of this vulnerability can lead to file disclosure or Server Side… |
| CVE-2023-35077 | | | 0.00 | — | 0.01 | | Jul 21, 2023 | An out-of-bounds write vulnerability on windows operating systems causes the Ivanti AntiVirus Product to crash. Update to Ivanti AV Product version 7.9.1.285 or above. |
| CVE-2022-35259 | | | 0.00 | — | 0.01 | | Dec 5, 2022 | XML Injection with Endpoint Manager 2022. 3 and below causing a download of a malicious file to run and possibly execute to gain unauthorized privileges. |