Connect Secure
by Ivanti
CVEs (79)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-13830 | 0.00 | — | 0.01 | Feb 11, 2025 | Reflected XSS in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required. | |||
| CVE-2024-12058 | 0.00 | — | 0.01 | Feb 11, 2025 | External control of a file name in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to read arbitrary files. | |||
| CVE-2024-10644 | 0.00 | — | 0.02 | Feb 11, 2025 | Code injection in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution. | |||
| CVE-2024-37377 | 0.00 | — | 0.02 | Dec 11, 2024 | A heap-based buffer overflow in IPsec of Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to cause a denial of service. | |||
| CVE-2024-9844 | 0.00 | — | 0.01 | Dec 10, 2024 | Insufficient server-side controls in Secure Application Manager of Ivanti Connect Secure before version 22.7R2.4 allows a remote authenticated attacker to bypass restrictions. | |||
| CVE-2024-37400 | 0.00 | — | 0.02 | Nov 13, 2024 | An out of bounds read in Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to trigger an infinite loop, causing a denial of service. | |||
| CVE-2024-38649 | 0.00 | — | 0.02 | Nov 13, 2024 | An out-of-bounds write in IPsec of Ivanti Connect Secure before version 22.7R2.1(Not Applicable to 9.1Rx) allows a remote unauthenticated attacker to cause a denial of service. | |||
| CVE-2024-39709 | 0.00 | — | 0.00 | Nov 13, 2024 | Incorrect file permissions in Ivanti Connect Secure before version 22.6R2 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1 (Not Applicable to 9.1Rx) allow a local authenticated attacker to escalate their privileges. | |||
| CVE-2024-11004 | 0.00 | — | 0.01 | Nov 12, 2024 | Reflected XSS in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required. | |||
| CVE-2024-8495 | 0.00 | — | 0.01 | Nov 12, 2024 | A null pointer dereference in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote unauthenticated attacker to cause a denial of service. | |||
| CVE-2024-47909 | 0.00 | — | 0.01 | Nov 12, 2024 | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to cause a denial of service. | |||
| CVE-2024-47907 | 0.00 | — | 0.01 | Nov 12, 2024 | A stack-based buffer overflow in IPsec of Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to cause a denial of service. | |||
| CVE-2024-47906 | 0.00 | — | 0.00 | Nov 12, 2024 | Excessive binary privileges in Ivanti Connect Secure before version 22.7R2.3 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.2 (Not Applicable to 9.1Rx) allows a local authenticated attacker to escalate privileges. | |||
| CVE-2024-47905 | 0.00 | — | 0.01 | Nov 12, 2024 | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to cause a denial of service. | |||
| CVE-2024-22052 | 0.00 | — | 0.04 | Apr 4, 2024 | A null pointer dereference vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack | |||
| CVE-2024-22023 | 0.00 | — | 0.03 | Apr 4, 2024 | An XML entity expansion or XEE vulnerability in SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in-order-to temporarily cause resource exhaustion thereby resulting in a… | |||
| CVE-2023-39340 | 0.00 | — | 0.02 | Dec 16, 2023 | A vulnerability exists on all versions of Ivanti Connect Secure below 22.6R2 where an attacker can send a specific request which may lead to Denial of Service (DoS) of the appliance. | |||
| CVE-2023-41719 | 0.00 | — | 0.03 | Dec 14, 2023 | A vulnerability exists on all versions of Ivanti Connect Secure below 22.6R2 where an attacker impersonating an administrator may craft a specific web request which may lead to remote code execution. | |||
| CVE-2023-41720 | 0.00 | — | 0.01 | Dec 14, 2023 | A vulnerability exists on all versions of Ivanti Connect Secure below 22.6R2 where an attacker with a foothold on an Ivanti Connect Secure (ICS) appliance can escalate their privileges by exploiting a vulnerable installed application. This vulnerability allows the attacker to… |
- CVE-2024-13830Feb 11, 2025risk 0.00cvss —epss 0.01
Reflected XSS in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required.
- CVE-2024-12058Feb 11, 2025risk 0.00cvss —epss 0.01
External control of a file name in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to read arbitrary files.
- CVE-2024-10644Feb 11, 2025risk 0.00cvss —epss 0.02
Code injection in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
- CVE-2024-37377Dec 11, 2024risk 0.00cvss —epss 0.02
A heap-based buffer overflow in IPsec of Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to cause a denial of service.
- CVE-2024-9844Dec 10, 2024risk 0.00cvss —epss 0.01
Insufficient server-side controls in Secure Application Manager of Ivanti Connect Secure before version 22.7R2.4 allows a remote authenticated attacker to bypass restrictions.
- CVE-2024-37400Nov 13, 2024risk 0.00cvss —epss 0.02
An out of bounds read in Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to trigger an infinite loop, causing a denial of service.
- CVE-2024-38649Nov 13, 2024risk 0.00cvss —epss 0.02
An out-of-bounds write in IPsec of Ivanti Connect Secure before version 22.7R2.1(Not Applicable to 9.1Rx) allows a remote unauthenticated attacker to cause a denial of service.
- CVE-2024-39709Nov 13, 2024risk 0.00cvss —epss 0.00
Incorrect file permissions in Ivanti Connect Secure before version 22.6R2 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1 (Not Applicable to 9.1Rx) allow a local authenticated attacker to escalate their privileges.
- CVE-2024-11004Nov 12, 2024risk 0.00cvss —epss 0.01
Reflected XSS in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required.
- CVE-2024-8495Nov 12, 2024risk 0.00cvss —epss 0.01
A null pointer dereference in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote unauthenticated attacker to cause a denial of service.
- CVE-2024-47909Nov 12, 2024risk 0.00cvss —epss 0.01
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to cause a denial of service.
- CVE-2024-47907Nov 12, 2024risk 0.00cvss —epss 0.01
A stack-based buffer overflow in IPsec of Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to cause a denial of service.
- CVE-2024-47906Nov 12, 2024risk 0.00cvss —epss 0.00
Excessive binary privileges in Ivanti Connect Secure before version 22.7R2.3 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.2 (Not Applicable to 9.1Rx) allows a local authenticated attacker to escalate privileges.
- CVE-2024-47905Nov 12, 2024risk 0.00cvss —epss 0.01
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to cause a denial of service.
- CVE-2024-22052Apr 4, 2024risk 0.00cvss —epss 0.04
A null pointer dereference vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack
- CVE-2024-22023Apr 4, 2024risk 0.00cvss —epss 0.03
An XML entity expansion or XEE vulnerability in SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in-order-to temporarily cause resource exhaustion thereby resulting in a…
- CVE-2023-39340Dec 16, 2023risk 0.00cvss —epss 0.02
A vulnerability exists on all versions of Ivanti Connect Secure below 22.6R2 where an attacker can send a specific request which may lead to Denial of Service (DoS) of the appliance.
- CVE-2023-41719Dec 14, 2023risk 0.00cvss —epss 0.03
A vulnerability exists on all versions of Ivanti Connect Secure below 22.6R2 where an attacker impersonating an administrator may craft a specific web request which may lead to remote code execution.
- CVE-2023-41720Dec 14, 2023risk 0.00cvss —epss 0.01
A vulnerability exists on all versions of Ivanti Connect Secure below 22.6R2 where an attacker with a foothold on an Ivanti Connect Secure (ICS) appliance can escalate their privileges by exploiting a vulnerable installed application. This vulnerability allows the attacker to…
Page 4 of 4