VYPR

Avalanche

by Ivanti

CVEs (113)

  • CVE-2023-32560CriAug 10, 2023
    risk 0.75cvss 9.8epss 0.99

    An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in service disruption or arbitrary code execution. Thanks to a Researcher at Tenable for finding and reporting. Fixed in version 6.4.1.

  • CVE-2023-46264CriDec 19, 2023
    risk 0.71cvss 9.8epss 0.90

    An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remove code execution.

  • CVE-2023-32563CriAug 10, 2023
    risk 0.71cvss 9.8epss 0.90

    An unauthenticated attacker could achieve the code execution through a RemoteControl server.

  • CVE-2023-46263CriDec 19, 2023
    risk 0.70cvss 9.8epss 0.82

    An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remote code execution.

  • CVE-2022-36981CriMar 29, 2023
    risk 0.70cvss 9.8epss 0.83

    This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.3.101. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within…

  • CVE-2022-36974CriMar 29, 2023
    risk 0.70cvss 9.8epss 0.84

    This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists…

  • CVE-2021-42127CriDec 7, 2021
    risk 0.69cvss 9.8epss 0.66

    A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 using Inforail Service allows arbitrary code execution via Data Repository Service.

  • CVE-2023-32564CriAug 10, 2023
    risk 0.67cvss 9.8epss 0.37

    An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remove code execution.

  • CVE-2023-32562CriAug 10, 2023
    risk 0.67cvss 9.8epss 0.38

    An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve a remove code execution. Fixed in version 6.4.1.

  • CVE-2024-24996CriApr 19, 2024
    risk 0.66cvss 9.8epss 0.32

    A Heap overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to execute arbitrary commands.

  • CVE-2021-22962CriDec 19, 2023
    risk 0.66cvss 9.1epss 0.91

    An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack.

  • CVE-2023-46261CriDec 19, 2023
    risk 0.65cvss 9.8epss 0.11

    An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

  • CVE-2023-46259CriDec 19, 2023
    risk 0.65cvss 9.8epss 0.11

    An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

  • CVE-2023-46257CriDec 19, 2023
    risk 0.65cvss 9.8epss 0.11

    An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

  • CVE-2023-46225CriDec 19, 2023
    risk 0.65cvss 9.8epss 0.11

    An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

  • CVE-2023-46220CriDec 19, 2023
    risk 0.65cvss 9.8epss 0.11

    An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

  • CVE-2023-38036CriJul 12, 2025
    risk 0.64cvss 9.8epss 0.02

    A security vulnerability within Ivanti Avalanche Manager before version 6.4.1 may allow an unauthenticated attacker to create a buffer overflow that could result in service disruption or arbitrary code execution.

  • CVE-2024-29204CriApr 19, 2024
    risk 0.64cvss 9.8epss 0.04

    A Heap Overflow vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands

  • CVE-2024-22061CriApr 19, 2024
    risk 0.64cvss 9.8epss 0.04

    A Heap Overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands

  • CVE-2023-46265CriDec 19, 2023
    risk 0.64cvss 9.8epss 0.04

    An unauthenticated could abuse a XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forgery (SSRF).

Page 1 of 6