Vendor CVEs
Ivanti
All CVEs
446 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-23533 | | | 0.00 | — | 0.01 | | Apr 19, 2024 | An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an authenticated remote attacker to read sensitive information in memory. |
| CVE-2024-23531 | | | 0.00 | — | 0.02 | | Apr 19, 2024 | An Integer Overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to perform denial of service attacks. In certain rare conditions this could also lead to reading content from memory. |
| CVE-2024-23530 | | | 0.00 | — | 0.02 | | Apr 19, 2024 | An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory. |
| CVE-2024-27975 | | | 0.00 | — | 0.03 | | Apr 19, 2024 | A Use-after-free vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. |
| CVE-2024-27984 | | | 0.00 | — | 0.02 | | Apr 19, 2024 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to delete specific type of files and/or cause denial of service. |
| CVE-2024-22052 | | | 0.00 | — | 0.04 | | Apr 4, 2024 | A null pointer dereference vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated malicious user to send specially crafted requests in order to crash the service, thereby causing a DoS attack. |
| CVE-2024-22023 | | | 0.00 | — | 0.03 | | Apr 4, 2024 | An XML entity expansion or XEE vulnerability in SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated attacker to send specially crafted XML requests in order to temporarily cause resource exhaustion thereby resulting in a… |
| CVE-2023-39336 | | | 0.00 | — | 0.10 | | Jan 9, 2024 | An unspecified SQL Injection vulnerability in Ivanti Endpoint Manager released prior to 2022 SU 5 allows an attacker with access to the internal network to execute arbitrary SQL queries and retrieve output without the need for authentication. Under specific circumstances, this… |
| CVE-2023-46220 | | | 0.00 | — | 0.11 | | Dec 19, 2023 | An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result in a Denial of Service (DoS) or code execution. |
| CVE-2023-46261 | | | 0.00 | — | 0.11 | | Dec 19, 2023 | An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result in a Denial of Service (DoS) or code execution. |
| CVE-2023-46266 | | | 0.00 | — | 0.03 | | Dec 19, 2023 | An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack. |
| CVE-2023-46260 | | | 0.00 | — | 0.10 | | Dec 19, 2023 | An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result in a Denial of Service (DoS) or code execution. |
| CVE-2023-46258 | | | 0.00 | — | 0.07 | | Dec 19, 2023 | An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result in a Denial of Service (DoS) or code execution. |
| CVE-2023-46803 | | | 0.00 | — | 0.04 | | Dec 19, 2023 | An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result in a Denial of Service (DoS). |
| CVE-2023-46224 | | | 0.00 | — | 0.07 | | Dec 19, 2023 | An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result in a Denial of Service (DoS) or code execution. |
| CVE-2023-46221 | | | 0.00 | — | 0.07 | | Dec 19, 2023 | An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result in a Denial of Service (DoS) or code execution. |
| CVE-2023-46216 | | | 0.00 | — | 0.36 | | Dec 19, 2023 | An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result in a Denial of Service (DoS) or code execution. |
| CVE-2023-46222 | | | 0.00 | — | 0.07 | | Dec 19, 2023 | An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result in a Denial of Service (DoS) or code execution. |
| CVE-2023-46217 | | | 0.00 | — | 0.36 | | Dec 19, 2023 | An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result in a Denial of Service (DoS) or code execution. |
| CVE-2023-46265 | | | 0.00 | — | 0.04 | | Dec 19, 2023 | An unauthenticated attacker could abuse an XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forgery (SSRF). |
| CVE-2023-46257 | | | 0.00 | — | 0.11 | | Dec 19, 2023 | An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result in a Denial of Service (DoS) or code execution. |
| CVE-2023-46804 | | | 0.00 | — | 0.04 | | Dec 19, 2023 | An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result in a Denial of Service (DoS). |
| CVE-2023-46225 | | | 0.00 | — | 0.11 | | Dec 19, 2023 | An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result in a Denial of Service (DoS) or code execution. |
| CVE-2023-46259 | | | 0.00 | — | 0.11 | | Dec 19, 2023 | An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result in a Denial of Service (DoS) or code execution. |
| CVE-2023-46223 | | | 0.00 | — | 0.07 | | Dec 19, 2023 | An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result in a Denial of Service (DoS) or code execution. |
| CVE-2023-39340 | | | 0.00 | — | 0.02 | | Dec 16, 2023 | A vulnerability exists on all versions of Ivanti Connect Secure below 22.6R2 where an attacker can send a specific request which may lead to Denial of Service (DoS) of the appliance. |
| CVE-2023-41719 | | | 0.00 | — | 0.03 | | Dec 14, 2023 | A vulnerability exists on all versions of Ivanti Connect Secure below 22.6R2 where an attacker impersonating an administrator may craft a specific web request which may lead to remote code execution. |
| CVE-2023-41720 | | | 0.00 | — | 0.01 | | Dec 14, 2023 | A vulnerability exists on all versions of Ivanti Connect Secure below 22.6R2 where an attacker with a foothold on an Ivanti Connect Secure (ICS) appliance can escalate their privileges by exploiting a vulnerable installed application. This vulnerability allows the attacker to… |
| CVE-2023-39337 | | | 0.00 | — | 0.02 | | Nov 14, 2023 | A security vulnerability in EPMM Versions 11.10, 11.9 and 11.8 and older allows a threat actor with knowledge of an enrolled device identifier to access and extract sensitive information, including device and environment configuration details, as well as secrets. This vulnerability… |
| CVE-2023-39335 | | | 0.00 | — | 0.02 | | Nov 14, 2023 | A security vulnerability has been identified in EPMM Versions 11.10, 11.9 and 11.8 and older allowing an unauthenticated threat actor to impersonate any existing user during the device enrollment process. This issue poses a significant security risk, as it enables unauthorized… |
| CVE-2023-35080 | | | 0.00 | — | 0.01 | | Nov 14, 2023 | A vulnerability has been identified in the Ivanti Secure Access Windows client, which could allow a locally authenticated attacker to exploit a vulnerable configuration, potentially leading to various security risks, including the escalation of privileges, denial of service, or… |
| CVE-2023-38544 | | | 0.00 | — | 0.00 | | Nov 14, 2023 | A logged-in user can modify specific files that may lead to unauthorized changes in system-wide configuration settings. This vulnerability could be exploited to compromise the integrity and security of the network on the affected system. |
| CVE-2023-38043 | | | 0.00 | — | 0.00 | | Nov 14, 2023 | A vulnerability exists on all versions of the Ivanti Secure Access Client below 22.6R1.1, which could allow a locally authenticated attacker to exploit a vulnerable configuration, potentially leading to a denial of service (DoS) condition on the user machine and, in some cases,… |
| CVE-2023-38543 | | | 0.00 | — | 0.00 | | Nov 14, 2023 | A vulnerability exists on all versions of the Ivanti Secure Access Client below 22.6R1.1, which could allow a locally authenticated attacker to exploit a vulnerable configuration, potentially leading to a denial of service (DoS) condition on the user machine. |
| CVE-2023-41726 | | | 0.00 | — | 0.01 | | Nov 3, 2023 | Ivanti Avalanche Incorrect Default Permissions allows Local Privilege Escalation Vulnerability |
| CVE-2023-41725 | | | 0.00 | — | 0.01 | | Nov 3, 2023 | Ivanti Avalanche EnterpriseServer Service Unrestricted File Upload Local Privilege Escalation Vulnerability |
| CVE-2022-43554 | | | 0.00 | — | 0.00 | | Nov 3, 2023 | Ivanti Avalanche Smart Device Service Missing Authentication Local Privilege Escalation Vulnerability |
| CVE-2022-43555 | | | 0.00 | — | 0.00 | | Nov 3, 2023 | Ivanti Avalanche Printer Device Service Missing Authentication Local Privilege Escalation Vulnerability |
| CVE-2022-44569 | | | 0.00 | — | 0.01 | | Nov 3, 2023 | A locally authenticated attacker with low privileges can bypass authentication due to insecure inter-process communication. |
| CVE-2023-38041 | | | 0.00 | — | 0.01 | | Oct 25, 2023 | A logged-in user may elevate its permissions by abusing a Time-of-Check to Time-of-Use (TOCTOU) race condition. When a particular process flow is initiated, an attacker can exploit this condition to gain unauthorized elevated privileges on the affected system. |
| CVE-2023-35083 | | | 0.00 | — | 0.01 | | Oct 18, 2023 | Allows an authenticated attacker with network access to read arbitrary files on Endpoint Manager recently discovered on 2022 SU3 and all previous versions potentially leading to the leakage of sensitive information. |
| CVE-2023-35084 | | | 0.00 | — | 0.03 | | Oct 18, 2023 | Unsafe Deserialization of User Input could lead to Execution of Unauthorized Operations in Ivanti Endpoint Manager 2022 SU3 and all previous versions, which could allow an attacker to execute commands remotely. |
| CVE-2023-38343 | | | 0.00 | — | 0.01 | | Sep 21, 2023 | An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. External entity references are enabled in the XML parser configuration. Exploitation of this vulnerability can lead to file disclosure or Server Side… |
| CVE-2023-38344 | | | 0.00 | — | 0.01 | | Sep 21, 2023 | An issue was discovered in Ivanti Endpoint Manager before 2022 SU4. A file disclosure vulnerability exists in the GetFileContents SOAP action exposed via /landesk/managementsuite/core/core.secure/OsdScript.asmx. The application does not sufficiently restrict user-supplied paths,… |
| CVE-2023-32561 | | | 0.00 | — | 0.02 | | Aug 10, 2023 | A previously generated artifact by an administrator could be accessed by an attacker. The contents of this artifact could lead to authentication bypass. Fixed in version 6.4.1. |
| CVE-2023-32565 | | | 0.00 | — | 0.02 | | Aug 10, 2023 | An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack. Fixed in version 6.4.1. |
| CVE-2023-32566 | | | 0.00 | — | 0.02 | | Aug 10, 2023 | An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack. Fixed in version 6.4.1. |
| CVE-2023-32567 | | | 0.00 | — | 0.02 | | Aug 10, 2023 | Ivanti Avalanche decodeToMap XML External Entity Processing. Fixed in version 6.4.1.236 |
| CVE-2023-35077 | | | 0.00 | — | 0.01 | | Jul 21, 2023 | An out-of-bounds write vulnerability on Windows operating systems causes the Ivanti AntiVirus Product to crash. Update to Ivanti AV Product version 7.9.1.285 or above. |
| CVE-2023-28127 | | | 0.00 | — | 0.59 | | May 9, 2023 | A path traversal vulnerability exists in Avalanche version 6.3.x and below that when exploited could result in possible information disclosure. |