Ivanti

All CVEs

446 total · sorted by risk
  • CVE-2024-39711 · Nov 13, 2024
    risk 0.01 · cvss · epss 0.02

    Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-38656 · Nov 13, 2024
    risk 0.01 · cvss · epss 0.02

    Argument injection in Ivanti Connect Secure before version 22.7R2.2 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-32844 · Nov 13, 2024
    risk 0.01 · cvss · epss 0.02

    SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-34787 · Nov 13, 2024
    risk 0.01 · cvss · epss 0.18

    Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required.

  • CVE-2024-32847 · Nov 13, 2024
    risk 0.01 · cvss · epss 0.03

    SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-32841 · Nov 13, 2024
    risk 0.01 · cvss · epss 0.03

    SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-34782 · Nov 13, 2024
    risk 0.01 · cvss · epss 0.02

    SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-39710 · Nov 13, 2024
    risk 0.01 · cvss · epss 0.02

    Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-37376 · Nov 13, 2024
    risk 0.01 · cvss · epss 0.03

    SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-9420 · Nov 12, 2024
    risk 0.01 · cvss · epss 0.01

    A use-after-free in Ivanti Connect Secure before version 22.7R2.3 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker to achieve remote code execution.

  • CVE-2024-50327 · Nov 12, 2024
    risk 0.01 · cvss · epss 0.01

    SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-50322 · Nov 12, 2024
    risk 0.01 · cvss · epss 0.06

    Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required.

  • CVE-2024-50321 · Nov 12, 2024
    risk 0.01 · cvss · epss 0.01

    An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

  • CVE-2024-50319 · Nov 12, 2024
    risk 0.01 · cvss · epss 0.01

    An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

  • CVE-2024-50318 · Nov 12, 2024
    risk 0.01 · cvss · epss 0.01

    A null pointer dereference in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

  • CVE-2024-50317 · Nov 12, 2024
    risk 0.01 · cvss · epss 0.01

    A null pointer dereference in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

  • CVE-2024-37397 · Sep 12, 2024
    risk 0.01 · cvss · epss 0.59

    An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets.

  • CVE-2024-32843 · Sep 12, 2024
    risk 0.01 · cvss · epss 0.02

    An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-32846 · Sep 12, 2024
    risk 0.01 · cvss · epss 0.02

    An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-32842 · Sep 12, 2024
    risk 0.01 · cvss · epss 0.02

    An unspecified SQL injection in Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker with admin privileges to achieve remote code execution.

  • CVE-2024-38652 · Aug 14, 2024
    risk 0.01 · cvss · epss 0.08

    Path traversal in the skin management component of Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to achieve denial of service via arbitrary file deletion.

  • CVE-2024-36136 · Aug 14, 2024
    risk 0.01 · cvss · epss 0.02

    An off-by-one error in WLInfoRailService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS.

  • CVE-2024-7569 · Aug 13, 2024
    risk 0.01 · cvss · epss 0.02

    An information disclosure vulnerability in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier allows an unauthenticated attacker to obtain the OIDC client secret via debug information.

  • CVE-2024-34788 · Aug 7, 2024
    risk 0.01 · cvss · epss 0.01

    An improper authentication vulnerability in the web component of EPMM prior to 12.1.0.1 allows a remote malicious user to access potentially sensitive information.

  • CVE-2024-25000 · Apr 19, 2024
    risk 0.01 · cvss · epss 0.03

    A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

  • CVE-2024-24999 · Apr 19, 2024
    risk 0.01 · cvss · epss 0.03

    A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

  • CVE-2024-24997 · Apr 19, 2024
    risk 0.01 · cvss · epss 0.03

    A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

  • CVE-2024-27976 · Apr 19, 2024
    risk 0.01 · cvss · epss 0.03

    A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

  • CVE-2024-29204 · Apr 19, 2024
    risk 0.01 · cvss · epss 0.04

    A Heap Overflow vulnerability in the WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands.

  • CVE-2024-21894 · Apr 4, 2024
    risk 0.01 · cvss · epss 0.19

    A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service, thereby causing a DoS attack. In certain conditions this may…

  • CVE-2024-22053 · Apr 4, 2024
    risk 0.01 · cvss · epss 0.04

    A heap overflow vulnerability in the IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service, thereby causing a DoS attack or in certain conditions read…

  • CVE-2023-46808 · Mar 31, 2024
    risk 0.01 · cvss · epss 0.02

    A file upload vulnerability in Ivanti ITSM before 2023.4 allows an authenticated remote user to perform file writes to the server. Successful exploitation may lead to execution of commands in the context of a non-root user.

  • CVE-2023-28323 · Jun 30, 2023
    risk 0.01 · cvss · epss 0.03

    A deserialization of untrusted data exists in EPM 2022 Su3 and all prior versions that allows an unauthenticated user to elevate rights. This exploit could potentially be used in conjunction with other OS (Operating System) vulnerabilities to escalate privileges on the machine…

  • CVE-2022-36980 · Mar 29, 2023
    risk 0.01 · cvss · epss 0.83

    This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within…

  • CVE-2022-36977 · Mar 29, 2023
    risk 0.01 · cvss · epss 0.07

    This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists…

  • CVE-2022-35254 · Dec 5, 2022
    risk 0.01 · cvss · epss 0.03

    An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust…

  • CVE-2022-27773 · Dec 5, 2022
    risk 0.01 · cvss · epss 0.03

    A privilege escalation vulnerability is identified in Ivanti EPM (LANDesk Management Suite) that allows a user to execute commands with elevated privileges.

  • CVE-2022-35258 · Dec 5, 2022
    risk 0.01 · cvss · epss 0.03

    An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust…

  • CVE-2022-21828 · Mar 4, 2022
    risk 0.01 · cvss · epss 0.04

    A user with high privilege access to the Incapptic Connect web console can remotely execute code on the Incapptic Connect server using an unspecified attack vector in Incapptic Connect version 1.40.0, 1.39.1, 1.39.0, 1.38.1, 1.38.0, 1.37.1, 1.37.0, 1.36.0, 1.35.5, 1.35.4 and…

  • CVE-2021-42133 · Dec 7, 2021
    risk 0.01 · cvss · epss 0.03

    An exposed dangerous function vulnerability in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform an arbitrary file write.

  • CVE-2021-42128 · Dec 7, 2021
    risk 0.01 · cvss · epss 0.04

    An exposed dangerous function vulnerability in Ivanti Avalanche before 6.3.3 using the Inforail Service allows privilege escalation via the Enterprise Server Service.

  • CVE-2020-12441 · Aug 6, 2020
    risk 0.01 · cvss · epss 0.04

    Denial-of-Service (DoS) in Ivanti Service Manager HEAT Remote Control 7.4 due to a buffer overflow in the protocol parser of the ‘HEATRemoteService’ agent. The DoS can be triggered by sending a specially crafted network packet.

  • CVE-2019-12377 · Jun 3, 2019
    risk 0.01 · cvss · epss 0.06

    A vulnerable upl/async_upload.asp web API endpoint in Ivanti LANDESK Management Suite (LDMS, aka Endpoint Manager) 10.0.1.168 Service Update 5 allows arbitrary file upload, which may lead to arbitrary remote code execution.

  • CVE-2008-2468 · Sep 18, 2008
    risk 0.01 · cvss · epss 0.10

    Multiple buffer overflows in the QIP Server Service (aka qipsrvr.exe) in LANDesk Management Suite, Security Suite, and Server Manager 8.8 and earlier allow remote attackers to execute arbitrary code via a crafted heal request, related to the StringToMap and StringSize arguments.

  • CVE-2026-1602 · Feb 10, 2026
    risk 0.00 · cvss · epss 0.01

    SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

  • CVE-2025-13662 · Dec 9, 2025
    risk 0.00 · cvss · epss 0.00

    Improper verification of cryptographic signatures in the patch management component of Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary code. User Interaction is required.

  • CVE-2025-13661 · Dec 9, 2025
    risk 0.00 · cvss · epss 0.01

    Path traversal in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote authenticated attacker to write arbitrary files outside of the intended directory. User interaction is required.

  • CVE-2025-13659 · Dec 9, 2025
    risk 0.00 · cvss · epss 0.02

    Improper control of dynamically managed code resources in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote, unauthenticated attacker to write arbitrary files on the server, potentially leading to remote code execution. User interaction is required.

  • CVE-2025-10573 · Dec 9, 2025
    risk 0.00 · cvss · epss 0.29

    Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session. User interaction is required.

  • CVE-2025-10918 · Nov 11, 2025
    risk 0.00 · cvss · epss 0.00

    Insecure default permissions in the agent of Ivanti Endpoint Manager before version 2024 SU4 allow a local authenticated attacker to write arbitrary files anywhere on disk.
