Avalanche
by Ivanti
CVEs (113)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-46260 | Cri | 0.64 | 9.8 | 0.10 | Dec 19, 2023 | An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution. | ||
| CVE-2023-46258 | Cri | 0.64 | 9.8 | 0.07 | Dec 19, 2023 | An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution. | ||
| CVE-2023-46224 | Cri | 0.64 | 9.8 | 0.07 | Dec 19, 2023 | An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution. | ||
| CVE-2023-46223 | Cri | 0.64 | 9.8 | 0.07 | Dec 19, 2023 | An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution. | ||
| CVE-2023-46222 | Cri | 0.64 | 9.8 | 0.07 | Dec 19, 2023 | An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution. | ||
| CVE-2023-46221 | Cri | 0.64 | 9.8 | 0.07 | Dec 19, 2023 | An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution. | ||
| CVE-2023-32567 | Cri | 0.64 | 9.8 | 0.02 | Aug 10, 2023 | Ivanti Avalanche decodeToMap XML External Entity Processing. Fixed in version 6.4.1.236 | ||
| CVE-2022-36983 | Cri | 0.64 | 9.8 | 0.05 | Mar 29, 2023 | This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetSettings class. The issue results from the lack of… | ||
| CVE-2022-36979 | Cri | 0.64 | 9.8 | 0.07 | Mar 29, 2023 | This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within… | ||
| CVE-2022-36978 | Cri | 0.64 | 9.8 | 0.07 | Mar 29, 2023 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists… | ||
| CVE-2022-36977 | Cri | 0.64 | 9.8 | 0.07 | Mar 29, 2023 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists… | ||
| CVE-2022-36976 | Cri | 0.64 | 9.8 | 0.07 | Mar 29, 2023 | This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the GroupDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An… | ||
| CVE-2022-36975 | Cri | 0.64 | 9.8 | 0.07 | Mar 29, 2023 | This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An… | ||
| CVE-2022-36972 | Cri | 0.64 | 9.8 | 0.07 | Mar 29, 2023 | This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An… | ||
| CVE-2021-42128 | Cri | 0.64 | 9.8 | 0.04 | Dec 7, 2021 | An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 using inforail Service allows Privilege Escalation via Enterprise Server Service. | ||
| CVE-2021-42125 | Hig | 0.64 | 8.8 | 0.82 | Dec 7, 2021 | An unrestricted file upload vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to write dangerous files. | ||
| CVE-2020-12442 | Cri | 0.64 | 9.8 | 0.02 | Apr 28, 2020 | Ivanti Avalanche 6.3 allows a SQL injection that is vaguely associated with the Apache HTTP Server, aka Bug 683250. | ||
| CVE-2024-24994 | Hig | 0.63 | 8.8 | 0.68 | Apr 19, 2024 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | ||
| CVE-2024-24992 | Hig | 0.63 | 8.8 | 0.71 | Apr 19, 2024 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | ||
| CVE-2024-23535 | Hig | 0.63 | 8.8 | 0.68 | Apr 19, 2024 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. |
- risk 0.64cvss 9.8epss 0.10
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
- risk 0.64cvss 9.8epss 0.07
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
- risk 0.64cvss 9.8epss 0.07
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
- risk 0.64cvss 9.8epss 0.07
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
- risk 0.64cvss 9.8epss 0.07
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
- risk 0.64cvss 9.8epss 0.07
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.
- risk 0.64cvss 9.8epss 0.02
Ivanti Avalanche decodeToMap XML External Entity Processing. Fixed in version 6.4.1.236
- risk 0.64cvss 9.8epss 0.05
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetSettings class. The issue results from the lack of…
- risk 0.64cvss 9.8epss 0.07
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within…
- risk 0.64cvss 9.8epss 0.07
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists…
- risk 0.64cvss 9.8epss 0.07
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists…
- risk 0.64cvss 9.8epss 0.07
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the GroupDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An…
- risk 0.64cvss 9.8epss 0.07
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An…
- risk 0.64cvss 9.8epss 0.07
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An…
- risk 0.64cvss 9.8epss 0.04
An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 using inforail Service allows Privilege Escalation via Enterprise Server Service.
- risk 0.64cvss 8.8epss 0.82
An unrestricted file upload vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to write dangerous files.
- risk 0.64cvss 9.8epss 0.02
Ivanti Avalanche 6.3 allows a SQL injection that is vaguely associated with the Apache HTTP Server, aka Bug 683250.
- risk 0.63cvss 8.8epss 0.68
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
- risk 0.63cvss 8.8epss 0.71
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
- risk 0.63cvss 8.8epss 0.68
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
Page 2 of 6