Ivanti

All CVEs

446 total · sorted by risk
  • CVE-2024-13180 · Jan 14, 2025
    risk 0.03 · cvss · epss 0.28

    Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information. This CVE addresses incomplete fixes from CVE-2024-47011.

  • CVE-2025-0283 · Jan 8, 2025
    risk 0.03 · cvss · epss 0.17

    A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges.

  • CVE-2024-47008 · Oct 8, 2024
    risk 0.03 · cvss · epss 0.47

    Server-side request forgery in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive information.

  • CVE-2024-32840 · Sep 12, 2024
    risk 0.03 · cvss · epss 0.25

    An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-34779 · Sep 12, 2024
    risk 0.03 · cvss · epss 0.24

    An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-34785 · Sep 12, 2024
    risk 0.03 · cvss · epss 0.25

    An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-32845 · Sep 12, 2024
    risk 0.03 · cvss · epss 0.24

    An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-8191 · Sep 10, 2024
    risk 0.03 · cvss · epss 0.20

    SQL injection in the management console of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.

  • CVE-2024-24996 · Apr 19, 2024
    risk 0.03 · cvss · epss 0.32

    A heap overflow vulnerability in the WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to execute arbitrary commands.

  • CVE-2023-46262 · Dec 19, 2023
    risk 0.03 · cvss · epss 0.83

    An unauthenticated attacker could send a specifically crafted web request causing a Server-Side Request Forgery (SSRF) in Ivanti Avalanche Remote Control server.

  • CVE-2022-36983 · Mar 29, 2023
    risk 0.03 · cvss · epss 0.05

    This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetSettings class. The issue results from the lack of…

  • CVE-2010-2892 · Nov 15, 2010
    risk 0.03 · cvss · epss 0.04

    gsb/drivers.php in LANDesk Management Gateway 4.0 through 4.0-1.48 and 4.2 through 4.2-1.8 allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the DRIVES parameter, as demonstrated by a cross-site request forgery (CSRF) attack.

  • CVE-2008-6195 · Feb 20, 2009
    risk 0.03 · cvss · epss 0.03

    Directory traversal vulnerability in the PXE TFTP Service (PXEMTFTP.exe) in LANDesk Management Suite (LDMS) 8.80.1.1 and earlier allows remote attackers to read arbitrary files via a subdirectory name followed by ".." sequences, a different vulnerability than CVE-2008-1643.

  • CVE-2025-6771 · Jul 8, 2025
    risk 0.02 · cvss · epss 0.15

    OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2, 12.4.0.3 and 12.3.0.3 allows a remote authenticated attacker with high privileges to achieve remote code execution.

  • CVE-2025-22467 · Feb 11, 2025
    risk 0.02 · cvss · epss 0.04

    A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6 allows a remote authenticated attacker to achieve remote code execution.

  • CVE-2024-13158 · Jan 14, 2025
    risk 0.02 · cvss · epss 0.03

    An unbounded resource search path in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-11005 · Nov 12, 2024
    risk 0.02 · cvss · epss 0.02

    Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-11006 · Nov 12, 2024
    risk 0.02 · cvss · epss 0.02

    Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-11007 · Nov 12, 2024
    risk 0.02 · cvss · epss 0.02

    Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-50329 · Nov 12, 2024
    risk 0.02 · cvss · epss 0.02

    Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.

  • CVE-2024-50328 · Nov 12, 2024
    risk 0.02 · cvss · epss 0.02

    SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-29848 · May 31, 2024
    risk 0.02 · cvss · epss 0.64

    An unrestricted file upload vulnerability in the web component of Ivanti Avalanche before 6.4.x allows an authenticated, privileged user to execute arbitrary commands as SYSTEM.

  • CVE-2024-23532 · Apr 19, 2024
    risk 0.02 · cvss · epss 0.02

    An out-of-bounds read vulnerability in the WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote attacker to perform denial of service attacks. In certain conditions this could also lead to remote code execution.

  • CVE-2021-22962 · Dec 19, 2023
    risk 0.02 · cvss · epss 0.91

    An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack.

  • CVE-2022-36976 · Mar 29, 2023
    risk 0.02 · cvss · epss 0.07

    This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the GroupDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An…

  • CVE-2022-36972 · Mar 29, 2023
    risk 0.02 · cvss · epss 0.07

    This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An…

  • CVE-2022-36973 · Mar 29, 2023
    risk 0.02 · cvss · epss 0.06

    This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within…

  • CVE-2022-36975 · Mar 29, 2023
    risk 0.02 · cvss · epss 0.07

    This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An…

  • CVE-2022-36979 · Mar 29, 2023
    risk 0.02 · cvss · epss 0.07

    This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within…

  • CVE-2022-44574 · Mar 10, 2023
    risk 0.02 · cvss · epss 0.65

    An improper authentication vulnerability in Avalanche version 6.3.x and below allows an unauthenticated attacker to modify properties on a specific port.

  • CVE-2022-22572 · Apr 11, 2022
    risk 0.02 · cvss · epss 0.02

    A non-admin user with user management permission can escalate his privilege to admin user via password reset functionality. The vulnerability affects Incapptic Connect version < 1.40.1.

  • CVE-2021-42131 · Dec 7, 2021
    risk 0.02 · cvss · epss 0.67

    A SQL injection vulnerability in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform privilege escalation.

  • CVE-2019-10651 · Jul 11, 2019
    risk 0.02 · cvss · epss 0.04

    An issue was discovered in the Core Server in Ivanti Endpoint Manager (EPM) 2017.3 before SU7 and 2018.x before 2018.3 SU3, with remote code execution. In other words, the issue affects 2017.3, 2018.1, and 2018.3 installations that lack the April 2019 update.

  • CVE-2025-10985 · Oct 14, 2025
    risk 0.01 · cvss · epss 0.21

    OS command injection in the admin panel of Ivanti EPMM before version 12.6.0.2, 12.5.0.4, and 12.4.0.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2025-10243 · Oct 14, 2025
    risk 0.01 · cvss · epss 0.21

    OS command injection in the admin panel of Ivanti EPMM before version 12.6.0.2, 12.5.0.4, and 12.4.0.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2025-10242 · Oct 14, 2025
    risk 0.01 · cvss · epss 0.21

    OS command injection in the admin panel of Ivanti EPMM before version 12.6.0.2, 12.5.0.4, and 12.4.0.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2025-8297 · Aug 12, 2025
    risk 0.01 · cvss · epss 0.01

    Incomplete restriction of configuration in Ivanti Avalanche before version 6.4.8.8008 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2025-8296 · Aug 12, 2025
    risk 0.01 · cvss · epss 0.01

    SQL injection in Ivanti Avalanche before version 6.4.8.8008 allows a remote authenticated attacker with admin privileges to execute arbitrary SQL queries. In certain conditions, this can also lead to remote code execution.

  • CVE-2025-6770 · Jul 8, 2025
    risk 0.01 · cvss · epss 0.12

    OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2 allows a remote authenticated attacker with high privileges to achieve remote code execution.

  • CVE-2025-22462 · May 13, 2025
    risk 0.01 · cvss · epss 0.02

    An authentication bypass in Ivanti Neurons for ITSM (on-prem only) before 2023.4, 2024.2 and 2024.3 with the May 2025 Security Patch allows a remote unauthenticated attacker to gain administrative access to the system.

  • CVE-2024-37401 · Dec 11, 2024
    risk 0.01 · cvss · epss 0.01

    An out-of-bounds read in IPsec of Ivanti Connect Secure before version 22.7R2.1 allows a remote unauthenticated attacker to cause a denial of service.

  • CVE-2024-11772 · Dec 10, 2024
    risk 0.01 · cvss · epss 0.08

    Command injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-11639 · Dec 10, 2024
    risk 0.01 · cvss · epss 0.05

    An authentication bypass in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access.

  • CVE-2024-11634 · Dec 10, 2024
    risk 0.01 · cvss · epss 0.02

    Command injection in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution. (Not applicable to 9.1Rx)

  • CVE-2024-11633 · Dec 10, 2024
    risk 0.01 · cvss · epss 0.02

    Argument injection in Ivanti Connect Secure before version 22.7R2.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-38655 · Nov 13, 2024
    risk 0.01 · cvss · epss 0.02

    Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.1 and 9.1R18.9 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-34784 · Nov 13, 2024
    risk 0.01 · cvss · epss 0.02

    SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-34780 · Nov 13, 2024
    risk 0.01 · cvss · epss 0.02

    SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-39712 · Nov 13, 2024
    risk 0.01 · cvss · epss 0.02

    Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-32839 · Nov 13, 2024
    risk 0.01 · cvss · epss 0.03

    SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
