Vendor CVEs
Ivanti
All CVEs
446 total · sorted by risk

| CVE | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2024-13161 | 0.19 | — | 0.89 | KEV | Jan 14, 2025 | Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information. |
| CVE-2024-9380 | 0.19 | — | 0.63 | KEV | Oct 8, 2024 | An OS command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to obtain remote code execution. |
| CVE-2024-8190 | 0.19 | — | 0.89 | KEV | Sep 10, 2024 | An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution. The attacker must have admin level privileges to exploit this vulnerability. |
| CVE-2023-35081 | 0.19 | — | 0.63 | KEV | Aug 3, 2023 | A path traversal vulnerability in Ivanti EPMM versions (11.10.x < 11.10.0.3, 11.9.x < 11.9.1.2 and 11.8.x < 11.8.1.2) allows an authenticated administrator to write arbitrary files onto the appliance. |
| CVE-2025-4428 | 0.18 | — | 0.88 | KEV | May 13, 2025 | Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified platforms allows authenticated attackers to execute arbitrary code via crafted API requests. |
| CVE-2024-9379 | 0.18 | — | 0.44 | KEV | Oct 8, 2024 | SQL injection in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements. |
| CVE-2026-1603 | 0.17 | — | 0.81 | KEV | Feb 10, 2026 | An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data. |
| CVE-2024-37404 | 0.10 | — | 0.67 | | Oct 18, 2024 | Improper Input Validation in the admin portal of Ivanti Connect Secure before 22.7R2.1 and 9.1R18.9, or Ivanti Policy Secure before 22.7R1.1 allows a remote authenticated attacker to achieve remote code execution. |
| CVE-2023-32560 | 0.10 | — | 0.99 | | Aug 10, 2023 | An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in service disruption or arbitrary code execution. Thanks to a Researcher at Tenable for finding and reporting. Fixed in version 6.4.1. |
| CVE-2023-28324 | 0.10 | — | 0.12 | | Jun 30, 2023 | An improper input validation vulnerability exists in Ivanti Endpoint Manager 2022 and below that could allow privilege escalation or remote code execution. |
| CVE-2023-28128 | 0.10 | — | 0.85 | | May 9, 2023 | An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve a remote code execution. |
| CVE-2007-1674 | 0.09 | — | 0.73 | | Apr 18, 2007 | Stack-based buffer overflow in the Alert Service (aolnsrvr.exe) in LANDesk Management Suite 8.7 allows remote attackers to execute arbitrary code via a crafted packet to port 65535/UDP. |
| CVE-2024-22024 | 0.08 | — | 0.95 | | Feb 13, 2024 | An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication. |
| CVE-2012-1195 | 0.08 | — | 0.68 | | Feb 18, 2012 | Unrestricted file upload vulnerability in andesk/managementsuite/core/core.anonymous/ServerSetup.asmx in the ServerSetup web service in Lenovo ThinkManagement Console 9.0.3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension via a… |
| CVE-2024-50324 | 0.07 | — | 0.18 | | Nov 12, 2024 | Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-38653 | 0.07 | — | 0.92 | | Aug 14, 2024 | XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server. |
| CVE-2023-32563 | 0.07 | — | 0.90 | | Aug 10, 2023 | An unauthenticated attacker could achieve the code execution through a RemoteControl server. |
| CVE-2022-36978 | 0.07 | — | 0.07 | | Mar 29, 2023 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists… |
| CVE-2022-36981 | 0.07 | — | 0.83 | | Mar 29, 2023 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.3.101. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within… |
| CVE-2022-36971 | 0.07 | — | 0.15 | | Mar 29, 2023 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists… |
| CVE-2021-30497 | 0.07 | — | 0.97 | | Apr 6, 2022 | Ivanti Avalanche (Premise) 6.3.2 allows remote unauthenticated users to read arbitrary files via Absolute Path Traversal. The imageFilePath parameter processed by the /AvalancheWeb/image endpoint is not verified to be within the scope of the image folder, e.g., the attacker can… |
| CVE-2012-1196 | 0.07 | — | 0.56 | | Feb 18, 2012 | Directory traversal vulnerability in the VulCore web service (WSVulnerabilityCore/VulCore.asmx) in Lenovo ThinkManagement Console 9.0.3 allows remote attackers to delete arbitrary files via a .. (dot dot) in the filename parameter in a SetTaskLogByFile SOAP request. |
| CVE-2024-34781 | 0.06 | — | 0.68 | | Nov 13, 2024 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-50330 | 0.06 | — | 0.41 | | Nov 12, 2024 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution. |
| CVE-2024-50326 | 0.06 | — | 0.26 | | Nov 12, 2024 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-29847 | 0.06 | — | 0.53 | | Sep 12, 2024 | Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution. |
| CVE-2023-41474 | 0.06 | — | 0.38 | | Jan 25, 2024 | Directory Traversal vulnerability in Ivanti Avalanche 6.3.4.153 allows a remote authenticated attacker to obtain sensitive information via the javax.faces.resource component. |
| CVE-2023-46263 | 0.06 | — | 0.82 | | Dec 19, 2023 | An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remote code execution. |
| CVE-2021-42132 | 0.06 | — | 0.70 | | Dec 7, 2021 | A command Injection vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary command execution. |
| CVE-2021-42130 | 0.06 | — | 0.62 | | Dec 7, 2021 | A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary code execution. |
| CVE-2021-42129 | 0.06 | — | 0.77 | | Dec 7, 2021 | A command injection vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary command execution. |
| CVE-2024-13162 | 0.05 | — | 0.64 | | Jan 14, 2025 | SQL injection in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. This CVE addresses incomplete fixes from CVE-2024-32848. |
| CVE-2024-24992 | 0.05 | — | 0.71 | | Apr 19, 2024 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. |
| CVE-2024-23535 | 0.05 | — | 0.68 | | Apr 19, 2024 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. |
| CVE-2024-21888 | 0.05 | — | 0.87 | | Jan 31, 2024 | A privilege escalation vulnerability in web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator. |
| CVE-2023-46264 | 0.05 | — | 0.90 | | Dec 19, 2023 | An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remote code execution. |
| CVE-2021-42125 | 0.05 | — | 0.82 | | Dec 7, 2021 | An unrestricted file upload vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to write dangerous files. |
| CVE-2024-50320 | 0.04 | — | 0.31 | | Nov 12, 2024 | An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service. |
| CVE-2024-47011 | 0.04 | — | 0.57 | | Oct 8, 2024 | Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive information. |
| CVE-2024-34783 | 0.04 | — | 0.43 | | Sep 12, 2024 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-32848 | 0.04 | — | 0.43 | | Sep 12, 2024 | An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-37399 | 0.04 | — | 0.28 | | Aug 14, 2024 | A NULL pointer dereference in WLAvalancheService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS. |
| CVE-2024-24994 | 0.04 | — | 0.68 | | Apr 19, 2024 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. |
| CVE-2023-32562 | 0.04 | — | 0.38 | | Aug 10, 2023 | An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve a remote code execution. Fixed in version 6.4.1. |
| CVE-2023-32564 | 0.04 | — | 0.37 | | Aug 10, 2023 | An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remote code execution. |
| CVE-2022-36974 | 0.04 | — | 0.84 | | Mar 29, 2023 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists… |
| CVE-2021-42127 | 0.04 | — | 0.66 | | Dec 7, 2021 | A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 using Inforail Service allows arbitrary code execution via Data Repository Service. |
| CVE-2024-47908 | 0.03 | — | 0.22 | | Feb 11, 2025 | OS command injection in the admin web console of Ivanti CSA before version 5.0.5 allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-13163 | 0.03 | — | 0.09 | | Jan 14, 2025 | Deserialization of untrusted data in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required. |
| CVE-2024-13171 | 0.03 | — | 0.18 | | Jan 14, 2025 | Insufficient filename validation in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required. |

Page 2 of 9