EPM
by Ivanti
CVEs (48)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-37376 | 0.01 | — | 0.11 | Nov 13, 2024 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | |||
| CVE-2024-37397 | 0.01 | — | 0.13 | Sep 12, 2024 | An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets. | |||
| CVE-2024-32843 | 0.01 | — | 0.11 | Sep 12, 2024 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | |||
| CVE-2024-32846 | 0.01 | — | 0.11 | Sep 12, 2024 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | |||
| CVE-2024-32842 | 0.01 | — | 0.11 | Sep 12, 2024 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | |||
| CVE-2024-13164 | 0.00 | — | 0.00 | Jan 14, 2025 | An uninitialized resource in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a local authenticated attacker to escalate their privileges. | |||
| CVE-2024-13166 | 0.00 | — | 0.02 | Jan 14, 2025 | An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service. | |||
| CVE-2024-13167 | 0.00 | — | 0.02 | Jan 14, 2025 | An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service. | |||
| CVE-2024-13168 | 0.00 | — | 0.02 | Jan 14, 2025 | An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service. | |||
| CVE-2024-13169 | 0.00 | — | 0.00 | Jan 14, 2025 | An out-of-bounds read in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a local authenticated attacker to escalate their privileges. | |||
| CVE-2024-13170 | 0.00 | — | 0.02 | Jan 14, 2025 | An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service. | |||
| CVE-2024-13172 | 0.00 | — | 0.01 | Jan 14, 2025 | Improper signature verification in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required. | |||
| CVE-2024-10811 | 0.00 | — | 0.05 | Jan 14, 2025 | Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information. | |||
| CVE-2024-34784 | 0.00 | — | 0.06 | Nov 13, 2024 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | |||
| CVE-2024-34780 | 0.00 | — | 0.06 | Nov 13, 2024 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | |||
| CVE-2024-32844 | 0.00 | — | 0.06 | Nov 13, 2024 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | |||
| CVE-2024-34782 | 0.00 | — | 0.06 | Nov 13, 2024 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. | |||
| CVE-2024-37381 | 0.00 | — | 0.00 | Jul 29, 2024 | An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2024 flat allows an authenticated attacker within the same network to execute arbitrary code. | |||
| CVE-2024-29823 | 0.00 | — | 0.02 | May 31, 2024 | An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. | |||
| CVE-2024-29827 | 0.00 | — | 0.00 | May 31, 2024 | An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. |
- CVE-2024-37376Nov 13, 2024risk 0.01cvss —epss 0.11
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
- CVE-2024-37397Sep 12, 2024risk 0.01cvss —epss 0.13
An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets.
- CVE-2024-32843Sep 12, 2024risk 0.01cvss —epss 0.11
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
- CVE-2024-32846Sep 12, 2024risk 0.01cvss —epss 0.11
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
- CVE-2024-32842Sep 12, 2024risk 0.01cvss —epss 0.11
An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
- CVE-2024-13164Jan 14, 2025risk 0.00cvss —epss 0.00
An uninitialized resource in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a local authenticated attacker to escalate their privileges.
- CVE-2024-13166Jan 14, 2025risk 0.00cvss —epss 0.02
An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service.
- CVE-2024-13167Jan 14, 2025risk 0.00cvss —epss 0.02
An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service.
- CVE-2024-13168Jan 14, 2025risk 0.00cvss —epss 0.02
An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service.
- CVE-2024-13169Jan 14, 2025risk 0.00cvss —epss 0.00
An out-of-bounds read in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a local authenticated attacker to escalate their privileges.
- CVE-2024-13170Jan 14, 2025risk 0.00cvss —epss 0.02
An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service.
- CVE-2024-13172Jan 14, 2025risk 0.00cvss —epss 0.01
Improper signature verification in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required.
- CVE-2024-10811Jan 14, 2025risk 0.00cvss —epss 0.05
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
- CVE-2024-34784Nov 13, 2024risk 0.00cvss —epss 0.06
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
- CVE-2024-34780Nov 13, 2024risk 0.00cvss —epss 0.06
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
- CVE-2024-32844Nov 13, 2024risk 0.00cvss —epss 0.06
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
- CVE-2024-34782Nov 13, 2024risk 0.00cvss —epss 0.06
SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
- CVE-2024-37381Jul 29, 2024risk 0.00cvss —epss 0.00
An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2024 flat allows an authenticated attacker within the same network to execute arbitrary code.
- CVE-2024-29823May 31, 2024risk 0.00cvss —epss 0.02
An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
- CVE-2024-29827May 31, 2024risk 0.00cvss —epss 0.00
An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
Page 2 of 3