Ivanti

All CVEs

446 total · sorted by risk
  • CVE-2024-13161 · KEV · Jan 14, 2025
    risk 0.19 · cvss · epss 0.89

    Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.

  • CVE-2024-9380 · KEV · Oct 8, 2024
    risk 0.19 · cvss · epss 0.63

    An OS command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to obtain remote code execution.

  • CVE-2024-8190 · KEV · Sep 10, 2024
    risk 0.19 · cvss · epss 0.89

    An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution. The attacker must have admin level privileges to exploit this vulnerability.

  • CVE-2023-35081 · KEV · Aug 3, 2023
    risk 0.19 · cvss · epss 0.63

    A path traversal vulnerability in Ivanti EPMM versions (11.10.x < 11.10.0.3, 11.9.x < 11.9.1.2 and 11.8.x < 11.8.1.2) allows an authenticated administrator to write arbitrary files onto the appliance.

  • CVE-2025-4428 · KEV · May 13, 2025
    risk 0.18 · cvss · epss 0.88

    Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified platforms allows authenticated attackers to execute arbitrary code via crafted API requests.

  • CVE-2024-9379 · KEV · Oct 8, 2024
    risk 0.18 · cvss · epss 0.44

    SQL injection in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.

  • CVE-2026-1603 · KEV · Feb 10, 2026
    risk 0.17 · cvss · epss 0.81

    An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data.

  • CVE-2024-37404 · Oct 18, 2024
    risk 0.10 · cvss · epss 0.67

    Improper Input Validation in the admin portal of Ivanti Connect Secure before 22.7R2.1 and 9.1R18.9, or Ivanti Policy Secure before 22.7R1.1 allows a remote authenticated attacker to achieve remote code execution.

  • CVE-2023-32560 · Aug 10, 2023
    risk 0.10 · cvss · epss 0.99

    An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in service disruption or arbitrary code execution. Thanks to a Researcher at Tenable for finding and reporting. Fixed in version 6.4.1.

  • CVE-2023-28324 · Jun 30, 2023
    risk 0.10 · cvss · epss 0.12

    An improper input validation vulnerability exists in Ivanti Endpoint Manager 2022 and below that could allow privilege escalation or remote code execution.

  • CVE-2023-28128 · May 9, 2023
    risk 0.10 · cvss · epss 0.85

    An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve remote code execution.

  • CVE-2007-1674 · Apr 18, 2007
    risk 0.09 · cvss · epss 0.73

    Stack-based buffer overflow in the Alert Service (aolnsrvr.exe) in LANDesk Management Suite 8.7 allows remote attackers to execute arbitrary code via a crafted packet to port 65535/UDP.

  • CVE-2024-22024 · Feb 13, 2024
    risk 0.08 · cvss · epss 0.95

    An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication.

  • CVE-2012-1195 · Feb 18, 2012
    risk 0.08 · cvss · epss 0.68

    Unrestricted file upload vulnerability in andesk/managementsuite/core/core.anonymous/ServerSetup.asmx in the ServerSetup web service in Lenovo ThinkManagement Console 9.0.3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension via a…

  • CVE-2024-50324 · Nov 12, 2024
    risk 0.07 · cvss · epss 0.18

    Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-38653 · Aug 14, 2024
    risk 0.07 · cvss · epss 0.92

    XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server.

  • CVE-2023-32563 · Aug 10, 2023
    risk 0.07 · cvss · epss 0.90

    An unauthenticated attacker could achieve code execution through a RemoteControl server.

  • CVE-2022-36978 · Mar 29, 2023
    risk 0.07 · cvss · epss 0.07

    This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists…

  • CVE-2022-36981 · Mar 29, 2023
    risk 0.07 · cvss · epss 0.83

    This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.3.101. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within…

  • CVE-2022-36971 · Mar 29, 2023
    risk 0.07 · cvss · epss 0.15

    This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists…

  • CVE-2021-30497 · Apr 6, 2022
    risk 0.07 · cvss · epss 0.97

    Ivanti Avalanche (Premise) 6.3.2 allows remote unauthenticated users to read arbitrary files via Absolute Path Traversal. The imageFilePath parameter processed by the /AvalancheWeb/image endpoint is not verified to be within the scope of the image folder, e.g., the attacker can…

  • CVE-2012-1196 · Feb 18, 2012
    risk 0.07 · cvss · epss 0.56

    Directory traversal vulnerability in the VulCore web service (WSVulnerabilityCore/VulCore.asmx) in Lenovo ThinkManagement Console 9.0.3 allows remote attackers to delete arbitrary files via a .. (dot dot) in the filename parameter in a SetTaskLogByFile SOAP request.

  • CVE-2024-34781 · Nov 13, 2024
    risk 0.06 · cvss · epss 0.68

    SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-50330 · Nov 12, 2024
    risk 0.06 · cvss · epss 0.41

    SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution.

  • CVE-2024-50326 · Nov 12, 2024
    risk 0.06 · cvss · epss 0.26

    SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-29847 · Sep 12, 2024
    risk 0.06 · cvss · epss 0.53

    Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.

  • CVE-2023-41474 · Jan 25, 2024
    risk 0.06 · cvss · epss 0.38

    Directory Traversal vulnerability in Ivanti Avalanche 6.3.4.153 allows a remote authenticated attacker to obtain sensitive information via the javax.faces.resource component.

  • CVE-2023-46263 · Dec 19, 2023
    risk 0.06 · cvss · epss 0.82

    An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remote code execution.

  • CVE-2021-42132 · Dec 7, 2021
    risk 0.06 · cvss · epss 0.70

    A command injection vulnerability in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary command execution.

  • CVE-2021-42130 · Dec 7, 2021
    risk 0.06 · cvss · epss 0.62

    A deserialization of untrusted data vulnerability in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary code execution.

  • CVE-2021-42129 · Dec 7, 2021
    risk 0.06 · cvss · epss 0.77

    A command injection vulnerability in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary command execution.

  • CVE-2024-13162 · Jan 14, 2025
    risk 0.05 · cvss · epss 0.64

    SQL injection in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. This CVE addresses incomplete fixes from CVE-2024-32848.

  • CVE-2024-24992 · Apr 19, 2024
    risk 0.05 · cvss · epss 0.71

    A path traversal vulnerability in the web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

  • CVE-2024-23535 · Apr 19, 2024
    risk 0.05 · cvss · epss 0.68

    A path traversal vulnerability in the web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

  • CVE-2024-21888 · Jan 31, 2024
    risk 0.05 · cvss · epss 0.87

    A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator.

  • CVE-2023-46264 · Dec 19, 2023
    risk 0.05 · cvss · epss 0.90

    An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve remote code execution.

  • CVE-2021-42125 · Dec 7, 2021
    risk 0.05 · cvss · epss 0.82

    An unrestricted file upload vulnerability in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to write dangerous files.

  • CVE-2024-50320 · Nov 12, 2024
    risk 0.04 · cvss · epss 0.31

    An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

  • CVE-2024-47011 · Oct 8, 2024
    risk 0.04 · cvss · epss 0.57

    Path traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive information.

  • CVE-2024-34783 · Sep 12, 2024
    risk 0.04 · cvss · epss 0.43

    An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-32848 · Sep 12, 2024
    risk 0.04 · cvss · epss 0.43

    An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-37399 · Aug 14, 2024
    risk 0.04 · cvss · epss 0.28

    A NULL pointer dereference in WLAvalancheService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS.

  • CVE-2024-24994 · Apr 19, 2024
    risk 0.04 · cvss · epss 0.68

    A path traversal vulnerability in the web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

  • CVE-2023-32562 · Aug 10, 2023
    risk 0.04 · cvss · epss 0.38

    An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve remote code execution. Fixed in version 6.4.1.

  • CVE-2023-32564 · Aug 10, 2023
    risk 0.04 · cvss · epss 0.37

    An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve remote code execution.

  • CVE-2022-36974 · Mar 29, 2023
    risk 0.04 · cvss · epss 0.84

    This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists…

  • CVE-2021-42127 · Dec 7, 2021
    risk 0.04 · cvss · epss 0.66

    A deserialization of untrusted data vulnerability in Ivanti Avalanche before 6.3.3 using Inforail Service allows arbitrary code execution via Data Repository Service.

  • CVE-2024-47908 · Feb 11, 2025
    risk 0.03 · cvss · epss 0.22

    OS command injection in the admin web console of Ivanti CSA before version 5.0.5 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-13163 · Jan 14, 2025
    risk 0.03 · cvss · epss 0.09

    Deserialization of untrusted data in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required.

  • CVE-2024-13171 · Jan 14, 2025
    risk 0.03 · cvss · epss 0.18

    Insufficient filename validation in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required.
