Avalanche
by Ivanti
CVEs (113)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-42132 | | High | 0.63 | 8.8 | 0.70 | | Dec 7, 2021 | A command Injection vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary command execution. |
| CVE-2021-42131 | | High | 0.63 | 8.8 | 0.67 | | Dec 7, 2021 | A SQL Injection vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform privilege escalation. |
| CVE-2021-42129 | | High | 0.63 | 8.8 | 0.77 | | Dec 7, 2021 | A command injection vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary command execution. |
| CVE-2021-42130 | | High | 0.62 | 8.8 | 0.62 | | Dec 7, 2021 | A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary code execution. |
| CVE-2024-38652 | | Critical | 0.60 | 9.1 | 0.08 | | Aug 14, 2024 | Path traversal in the skin management component of Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to achieve denial of service via arbitrary file deletion. |
| CVE-2023-46266 | | Critical | 0.59 | 9.1 | 0.03 | | Dec 19, 2023 | An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack. |
| CVE-2023-32565 | | Critical | 0.59 | 9.1 | 0.02 | | Aug 10, 2023 | An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack. Fixed in version 6.4.1. |
| CVE-2023-32566 | | Critical | 0.59 | 9.1 | 0.02 | | Aug 10, 2023 | An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack. Fixed in version 6.4.1. |
| CVE-2022-36980 | | High | 0.59 | 8.1 | 0.83 | | Mar 29, 2023 | This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within… |
| CVE-2022-36973 | | High | 0.58 | 8.8 | 0.06 | | Mar 29, 2023 | This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within… |
| CVE-2022-36971 | | High | 0.58 | 8.8 | 0.15 | | Mar 29, 2023 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists… |
| CVE-2021-42126 | | High | 0.58 | 8.8 | 0.04 | | Dec 7, 2021 | An improper authorization control vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform privilege escalation. |
| CVE-2024-27976 | | High | 0.57 | 8.8 | 0.03 | | Apr 19, 2024 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. |
| CVE-2024-27975 | | High | 0.57 | 8.8 | 0.03 | | Apr 19, 2024 | A Use-after-free vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. |
| CVE-2024-25000 | | High | 0.57 | 8.8 | 0.03 | | Apr 19, 2024 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. |
| CVE-2024-24999 | | High | 0.57 | 8.8 | 0.03 | | Apr 19, 2024 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. |
| CVE-2024-24998 | | High | 0.57 | 8.8 | 0.03 | | Apr 19, 2024 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. |
| CVE-2024-24997 | | High | 0.57 | 8.8 | 0.03 | | Apr 19, 2024 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. |
| CVE-2024-23534 | | High | 0.57 | 8.8 | 0.03 | | Apr 19, 2024 | An Unrestricted File-upload vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. |
| CVE-2023-28128 | | High | 0.57 | 7.2 | 0.85 | | May 9, 2023 | An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve a remote code execution. |