Policy Secure
by Ivanti
CVEs (59)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-39709 | Hig | 0.51 | 7.8 | 0.00 | Nov 13, 2024 | Incorrect file permissions in Ivanti Connect Secure before version 22.6R2 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1 (Not Applicable to 9.1Rx) allow a local authenticated attacker to escalate their privileges. | ||
| CVE-2024-47906 | Hig | 0.51 | 7.8 | 0.00 | Nov 12, 2024 | Excessive binary privileges in Ivanti Connect Secure before version 22.7R2.3 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.2 (Not Applicable to 9.1Rx) allows a local authenticated attacker to escalate privileges. | ||
| CVE-2024-8495 | Hig | 0.49 | 7.5 | 0.01 | Nov 12, 2024 | A null pointer dereference in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote unauthenticated attacker to cause a denial of service. | ||
| CVE-2024-29205 | Hig | 0.49 | 7.5 | 0.02 | Apr 25, 2024 | An Improper Check for Unusual or Exceptional Conditions vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a remote unauthenticated attacker to send specially crafted requests in-order-to cause service disruptions. | ||
| CVE-2024-22052 | Hig | 0.49 | 7.5 | 0.04 | Apr 4, 2024 | A null pointer dereference vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack | ||
| CVE-2022-35258 | Hig | 0.49 | 7.5 | 0.03 | Dec 5, 2022 | An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust… | ||
| CVE-2022-35254 | Hig | 0.49 | 7.5 | 0.03 | Dec 5, 2022 | An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust… | ||
| CVE-2025-0283 | Hig | 0.47 | 7.0 | 0.17 | Jan 8, 2025 | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges. | ||
| CVE-2024-38655 | Hig | 0.47 | 7.2 | 0.02 | Nov 13, 2024 | Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.1 and 9.1R18.9 allows a remote authenticated attacker with admin privileges to achieve remote code execution. | ||
| CVE-2024-12058 | Med | 0.44 | 6.8 | 0.01 | Feb 11, 2025 | External control of a file name in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to read arbitrary files. | ||
| CVE-2025-0293 | Med | 0.43 | 6.6 | 0.00 | Jul 8, 2025 | CLRF injection in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to write to a protected configuration file on disk. | ||
| CVE-2025-5450 | Med | 0.41 | 6.3 | 0.00 | Jul 8, 2025 | Improper access control in the certificate management component of Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated admin with read-only rights to modify settings that should be restricted. | ||
| CVE-2024-13830 | Med | 0.40 | 6.1 | 0.01 | Feb 11, 2025 | Reflected XSS in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required. | ||
| CVE-2024-11004 | Med | 0.40 | 6.1 | 0.01 | Nov 12, 2024 | Reflected XSS in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required. | ||
| CVE-2024-13843 | Med | 0.39 | 6.0 | 0.00 | Feb 11, 2025 | Cleartext storage of information in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a local authenticated attacker with admin privileges to read sensitive data. | ||
| CVE-2024-13842 | Med | 0.39 | 6.0 | 0.00 | Feb 11, 2025 | A hardcoded key in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.3 allows a local authenticated attacker with admin privileges to read sensitive data. | ||
| CVE-2025-0292 | Med | 0.36 | 5.5 | 0.01 | Jul 8, 2025 | SSRF in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to access internal network services. | ||
| CVE-2025-5463 | Med | 0.36 | 5.5 | 0.00 | Jul 8, 2025 | Insertion of sensitive information into a log file in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a local authenticated attacker to obtain that information. | ||
| CVE-2024-22023 | Med | 0.35 | 5.3 | 0.03 | Apr 4, 2024 | An XML entity expansion or XEE vulnerability in SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in-order-to temporarily cause resource exhaustion thereby resulting in a… | ||
| CVE-2023-39339 | Med | 0.32 | 4.9 | 0.01 | Jul 12, 2025 | A vulnerability exists on all versions of Ivanti Policy Secure below 22.6R1 where an authenticated administrator can perform an arbitrary file read via a maliciously crafted web request. |
- risk 0.51cvss 7.8epss 0.00
Incorrect file permissions in Ivanti Connect Secure before version 22.6R2 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1 (Not Applicable to 9.1Rx) allow a local authenticated attacker to escalate their privileges.
- risk 0.51cvss 7.8epss 0.00
Excessive binary privileges in Ivanti Connect Secure before version 22.7R2.3 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.2 (Not Applicable to 9.1Rx) allows a local authenticated attacker to escalate privileges.
- risk 0.49cvss 7.5epss 0.01
A null pointer dereference in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote unauthenticated attacker to cause a denial of service.
- risk 0.49cvss 7.5epss 0.02
An Improper Check for Unusual or Exceptional Conditions vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a remote unauthenticated attacker to send specially crafted requests in-order-to cause service disruptions.
- risk 0.49cvss 7.5epss 0.04
A null pointer dereference vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack
- risk 0.49cvss 7.5epss 0.03
An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust…
- risk 0.49cvss 7.5epss 0.03
An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust…
- risk 0.47cvss 7.0epss 0.17
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges.
- risk 0.47cvss 7.2epss 0.02
Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.1 and 9.1R18.9 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
- risk 0.44cvss 6.8epss 0.01
External control of a file name in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to read arbitrary files.
- risk 0.43cvss 6.6epss 0.00
CLRF injection in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to write to a protected configuration file on disk.
- risk 0.41cvss 6.3epss 0.00
Improper access control in the certificate management component of Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated admin with read-only rights to modify settings that should be restricted.
- risk 0.40cvss 6.1epss 0.01
Reflected XSS in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required.
- risk 0.40cvss 6.1epss 0.01
Reflected XSS in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required.
- risk 0.39cvss 6.0epss 0.00
Cleartext storage of information in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a local authenticated attacker with admin privileges to read sensitive data.
- risk 0.39cvss 6.0epss 0.00
A hardcoded key in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.3 allows a local authenticated attacker with admin privileges to read sensitive data.
- risk 0.36cvss 5.5epss 0.01
SSRF in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to access internal network services.
- risk 0.36cvss 5.5epss 0.00
Insertion of sensitive information into a log file in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a local authenticated attacker to obtain that information.
- risk 0.35cvss 5.3epss 0.03
An XML entity expansion or XEE vulnerability in SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in-order-to temporarily cause resource exhaustion thereby resulting in a…
- risk 0.32cvss 4.9epss 0.01
A vulnerability exists on all versions of Ivanti Policy Secure below 22.6R1 where an authenticated administrator can perform an arbitrary file read via a maliciously crafted web request.
Page 2 of 3