VYPR

Avalanche

by Ivanti

CVEs (113)

  • CVE-2023-46803 | High | Dec 19, 2023
    risk 0.49 | cvss 7.5 | epss 0.04

    An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result in a Denial of Service (DoS).

  • CVE-2023-32561 | High | Aug 10, 2023
    risk 0.49 | cvss 7.5 | epss 0.02

    A previously generated artifact by an administrator could be accessed by an attacker. The contents of this artifact could lead to authentication bypass. Fixed in version 6.4.1.

  • CVE-2024-47009 | High | Oct 8, 2024
    risk 0.48 | cvss 7.3 | epss 0.02

    Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.

  • CVE-2024-37373 | High | Aug 14, 2024
    risk 0.47 | cvss 7.2 | epss 0.02

    Improper input validation in the Central Filestore in Ivanti Avalanche 6.3.1 allows a remote authenticated attacker with admin rights to achieve RCE.

  • CVE-2024-27984 | High | Apr 19, 2024
    risk 0.46 | cvss 7.1 | epss 0.02

    A Path Traversal vulnerability in the web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to delete specific type of files and/or cause denial of service.

  • CVE-2023-41474 | Medium | Jan 25, 2024
    risk 0.45 | cvss 6.5 | epss 0.38

    Directory Traversal vulnerability in Ivanti Avalanche 6.3.4.153 allows a remote authenticated attacker to obtain sensitive information via the javax.faces.resource component.

  • CVE-2023-28126 | Medium | May 9, 2023
    risk 0.44 | cvss 5.9 | epss 0.67

    An authentication bypass vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to gain access by exploiting the SetUser method or the Race Condition in the authentication message.

  • CVE-2024-27978 | Medium | Apr 19, 2024
    risk 0.42 | cvss 6.5 | epss 0.02

    A Null Pointer Dereference vulnerability in the WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote attacker to perform denial of service attacks.

  • CVE-2024-24991 | Medium | Apr 19, 2024
    risk 0.42 | cvss 6.5 | epss 0.02

    A Null Pointer Dereference vulnerability in the WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote attacker to perform denial of service attacks.

  • CVE-2024-23533 | Medium | Apr 19, 2024
    risk 0.42 | cvss 6.5 | epss 0.01

    An out-of-bounds read vulnerability in the WLAvalancheService component of Ivanti Avalanche before 6.4.3 can, in certain conditions, allow an authenticated remote attacker to read sensitive information in memory.

  • CVE-2018-8902 | Medium | Jun 29, 2018
    risk 0.42 | cvss 6.5 | epss 0.02

    An issue was discovered in Ivanti Avalanche for all versions between 5.3 and 6.2. The impacted products used a single shared key encryption model to encrypt data. A user with access to system databases can use the discovered key to access potentially confidential stored data,…

  • CVE-2025-8297 | Aug 12, 2025
    risk 0.01 | cvss | epss 0.01

    Incomplete restriction of configuration in Ivanti Avalanche before version 6.4.8.8008 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2025-8296 | Aug 12, 2025
    risk 0.01 | cvss | epss 0.01

    SQL injection in Ivanti Avalanche before version 6.4.8.8008 allows a remote authenticated attacker with admin privileges to execute arbitrary SQL queries. In certain conditions, this can also lead to remote code execution.
