Pulsesecure

All CVEs

124 total · sorted by risk
  • CVE-2016-0799 · Cri · Mar 3, 2016
    risk 0.66 · cvss 9.8 · epss 0.32

    The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service (overflow and out-of-bounds read) or possibly have unspecified other impact via a…

  • CVE-2016-4787 · Cri · May 26, 2016
    risk 0.65 · cvss 10.0 · epss 0.02

    Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r10, and 7.4 before 7.4r13.4 allow remote attackers to read sensitive system authentication files in an unspecified directory via unknown vectors.

  • CVE-2018-6320 · Cri · Sep 6, 2018
    risk 0.64 · cvss 9.8 · epss 0.04

    A vulnerability has been discovered in login.cgi in Pulse Secure Pulse Connect Secure (PCS) 8.1RX before 8.1R12 and 8.3RX before 8.3R2 and Pulse Policy Secure (PPS) 5.2RX before 5.2R9 and 5.4RX before 5.4R2 wherein an http(s) Host header received from the browser is trusted…

  • CVE-2018-5299 · Cri · Jan 16, 2018
    risk 0.64 · cvss 9.8 · epss 0.03

    A stack-based Buffer Overflow Vulnerability exists in the web server in Pulse Secure Pulse Connect Secure (PCS) before 8.3R4 and Pulse Policy Secure (PPS) before 5.4R4, leading to memory corruption and possibly remote code execution.

  • CVE-2017-11455 · Hig · Aug 29, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    diag.cgi in Pulse Connect Secure 8.2R1 through 8.2R5, 8.1R1 through 8.1R10 and Pulse Policy Secure 5.3R1 through 5.3R5, 5.2R1 through 5.2R8, and 5.1R1 through 5.1R10 allow remote attackers to hijack the authentication of administrators for requests to start tcpdump, related to…

  • CVE-2017-11196 · Hig · Jul 12, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Pulse Connect Secure 8.3R1 has CSRF in logout.cgi. The logout function of the admin panel is not protected by any CSRF tokens, thus allowing an attacker to logout a user by making them visit a malicious web page.

  • CVE-2017-11193 · Hig · Jul 12, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Pulse Connect Secure 8.3R1 has CSRF in diag.cgi. In the panel, the diag.cgi file is responsible for running commands such as ping, ping6, traceroute, traceroute6, nslookup, arp, and Portprobe. These functions do not have any protections against CSRF. That can allow an attacker…

  • CVE-2016-4791 · Hig · May 26, 2016
    risk 0.56 · cvss 8.6 · epss 0.02

    The administrative user interface in Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r9, and 7.4 before 7.4r13.4 allows remote administrators to enumerate files, read arbitrary files, and conduct server side request forgery (SSRF) attacks via…

  • CVE-2018-15865 · Hig · Sep 6, 2018
    risk 0.51 · cvss 7.8 · epss 0.00

    The Pulse Secure Desktop (macOS) has a Privilege Escalation Vulnerability.

  • CVE-2016-2408 · Hig · Aug 2, 2016
    risk 0.51 · cvss 7.8 · epss 0.00

    Pulse Secure Desktop before 5.2R2 and Pulse Secure Installer Service before 8.2R2 and below for Windows allow restricted users to gain privileges via unspecified vectors.

  • CVE-2017-14935 · Hig · Sep 30, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    Pulse Secure Pulse One On-Premise 2.0.1649 and below does not properly validate requests, which allows remote users to query and obtain sensitive information.

  • CVE-2016-4786 · Hig · May 26, 2016
    risk 0.49 · cvss 7.5 · epss 0.02

    Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r3, 8.0 before 8.0r11, and 7.4 before 7.4r13.4 allow remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.

  • CVE-2016-0800 · Med · Mar 1, 2016
    risk 0.48 · cvss 5.9 · epss 0.82

    The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS…

  • CVE-2018-7572 · Med · Sep 12, 2018
    risk 0.44 · cvss 6.8 · epss 0.00

    Pulse Secure Client 9.0R1 and 5.3RX before 5.3R5, when configured to authenticate VPN users during Windows Logon, can allow attackers to bypass Windows authentication and execute commands on the system with the privileges of Pulse Secure Client. The attacker must interrupt the…

  • CVE-2018-16261 · Med · Sep 6, 2018
    risk 0.44 · cvss 6.8 · epss 0.00

    In Pulse Secure Pulse Desktop Client 5.3RX before 5.3R5 and 9.0R1, there is a Privilege Escalation Vulnerability with Dynamic Certificate Trust.

  • CVE-2018-6374 · Med · Jan 31, 2018
    risk 0.42 · cvss 6.5 · epss 0.01

    The GUI component (aka PulseUI) in Pulse Secure Desktop Linux clients before PULSE5.2R9.2 and 5.3.x before PULSE5.3R4.2 does not perform strict SSL Certificate Validation. This can lead to the manipulation of the Pulse Connection set.

  • CVE-2016-3985 · Med · Apr 12, 2016
    risk 0.42 · cvss 6.5 · epss 0.01

    The Terminal Services Remote Desktop Protocol (RDP) client session restrictions feature in Pulse Connect Secure (aka PCS) 8.1R7 and 8.2R1 allow remote authenticated users to bypass intended access restrictions via unspecified vectors.

  • CVE-2018-14366 · Med · Sep 6, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    download.cgi in Pulse Secure Pulse Connect Secure 8.1RX before 8.1R13 and 8.3RX before 8.3R4 and Pulse Policy Secure through 5.2RX before 5.2R10 and 5.4RX before 5.4R4 have an Open Redirect Vulnerability.

  • CVE-2017-11195 · Med · Jul 12, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Pulse Connect Secure 8.3R1 has Reflected XSS in launchHelp.cgi. The helpLaunchPage parameter is reflected in an IFRAME element, if the value contains two quotes. It properly sanitizes quotes and tags, so one cannot simply close the src with a quote and inject after that.…

  • CVE-2017-11194 · Med · Jul 12, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Pulse Connect Secure 8.3R1 has Reflected XSS in adminservercacertdetails.cgi. In the admin panel, the certid parameter of adminservercacertdetails.cgi is reflected in the application's response and is not properly sanitized, allowing an attacker to inject tags. An attacker could…

  • CVE-2016-4789 · Med · May 26, 2016
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in the system configuration section in the administrative user interface in Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r9, and 7.4 before 7.4r13.4 allows remote attackers to inject arbitrary web script or…

  • CVE-2016-4788 · Med · May 26, 2016
    risk 0.38 · cvss 5.8 · epss 0.02

    Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r10, and 7.4 before 7.4r13.4 allow remote attackers to read an unspecified system file via unknown vectors.

  • CVE-2018-15749 · Med · Sep 6, 2018
    risk 0.36 · cvss 5.5 · epss 0.00

    The Pulse Secure Desktop (macOS) 5.3RX before 5.3R5 and 9.0R1 has a Format String Vulnerability.

  • CVE-2018-9849 · Med · May 10, 2018
    risk 0.36 · cvss 5.5 · epss 0.01

    Pulse Secure Pulse Connect Secure 8.1.x before 8.1R14, 8.2.x before 8.2R11, and 8.3.x before 8.3R5 do not properly process nested XML entities, which allows remote attackers to cause a denial of service (memory consumption and memory errors) via a crafted XML document.

  • CVE-2016-4790 · Med · May 26, 2016
    risk 0.36 · cvss 5.5 · epss 0.01

    Cross-site scripting (XSS) vulnerability in the administrative user interface in Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r9, and 7.4 before 7.4r13.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2016-4792 · Med · May 26, 2016
    risk 0.35 · cvss 5.3 · epss 0.02

    Pulse Connect Secure (PCS) 8.2 before 8.2r1 allows remote attackers to disclose sign in pages via unspecified vectors.

  • CVE-2018-15726 · Med · Sep 6, 2018
    risk 0.34 · cvss 5.3 · epss 0.00

    The Pulse Secure Desktop (macOS) 5.3RX before 5.3R5 and 9.0R1 has a Privilege Escalation Vulnerability.

  • CVE-2017-17947 · Med · Jan 16, 2018
    risk 0.31 · cvss 4.8 · epss 0.01

    A cross site scripting issue has been found in custompage.cgi in Pulse Secure Pulse Connect Secure (PCS) before 8.0R17.0, 8.1.x before 8.1R13, 8.2.x before 8.2R9, and 8.3.x before 8.3R3 and Pulse Policy Secure (PPS) before 5.2R10, 5.3.x before 5.3R9, and 5.4.x before 5.4R3 due…

  • CVE-2019-11510 · KEV · May 8, 2019
    risk 0.29 · cvss · epss 1.00

    In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability.

  • CVE-2019-11539 · KEV · Apr 26, 2019
    risk 0.29 · cvss · epss 0.99

    In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before…

  • CVE-2021-22893 · KEV · Apr 23, 2021
    risk 0.25 · cvss · epss 0.49

    Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code…

  • CVE-2020-8260 · KEV · Oct 28, 2020
    risk 0.21 · cvss · epss 0.96

    A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction.

  • CVE-2020-8218 · KEV · Jul 30, 2020
    risk 0.19 · cvss · epss 0.33

    A code injection vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to craft a URI to perform an arbitrary code execution via the admin web interface.

  • CVE-2021-22894 · KEV · May 27, 2021
    risk 0.15 · cvss · epss 0.41

    A buffer overflow vulnerability exists in Pulse Connect Secure before 9.1R11.4 that allows a remote authenticated attacker to execute arbitrary code as the root user via a maliciously crafted meeting room.

  • CVE-2021-22899 · KEV · May 27, 2021
    risk 0.14 · cvss · epss 0.22

    A command injection vulnerability exists in Pulse Connect Secure before 9.1R11.4 that allows a remote authenticated attacker to perform remote code execution via the Windows Resource Profiles feature.

  • CVE-2020-8243 · KEV · Sep 29, 2020
    risk 0.14 · cvss · epss 0.91

    A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to upload custom template to perform an arbitrary code execution.

  • CVE-2026-4387 · Low · May 29, 2026
    risk 0.13 · cvss · epss 0.00

    StrongDM Desktop Application before 23.74.0 (Desktop Client before 53.77.0) on Microsoft Windows stores authentication state, including a JSON Web Token and asymmetric key material, in cleartext in a per-user state file located at C:\Users\\.sdm\state.kv. The file is…

  • CVE-2021-22900 · KEV · May 27, 2021
    risk 0.12 · cvss · epss 0.14

    A vulnerability allowed multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 that could lead to an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.

  • CVE-2020-8956 · Oct 27, 2020
    risk 0.04 · cvss · epss 0.01

    Pulse Secure Desktop Client 9.0Rx before 9.0R5 and 9.1Rx before 9.1R4 on Windows reveals users' passwords if Save Settings is enabled.

  • CVE-2020-11581 · Apr 6, 2020
    risk 0.03 · cvss · epss 0.10

    An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced, allows a man-in-the-middle attacker to perform OS command injection attacks…

  • CVE-2019-11542 · Apr 26, 2019
    risk 0.03 · cvss · epss 0.67

    In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before…

  • CVE-2022-35258 · Dec 5, 2022
    risk 0.01 · cvss · epss 0.03

    An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust…

  • CVE-2021-22965 · Nov 19, 2021
    risk 0.01 · cvss · epss 0.02

    A vulnerability in Pulse Connect Secure before 9.1R12.1 could allow an unauthenticated administrator to cause a denial of service when a malformed request is sent to the device.

  • CVE-2021-22937 · Aug 16, 2021
    risk 0.01 · cvss · epss 0.08

    A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform a file write via a maliciously crafted archive uploaded in the administrator web interface.

  • CVE-2021-22933 · Aug 16, 2021
    risk 0.01 · cvss · epss 0.01

    A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform an arbitrary file delete via a maliciously crafted web request.

  • CVE-2020-8255 · Oct 28, 2020
    risk 0.01 · cvss · epss 0.02

    A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary file reading vulnerability is fixed using encrypted URL blacklisting that prevents these messages.

  • CVE-2020-15352 · Oct 27, 2020
    risk 0.01 · cvss · epss 0.03

    An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.

  • CVE-2019-11540 · Apr 26, 2019
    risk 0.01 · cvss · epss 0.08

    In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4 and 8.3RX before 8.3R7.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2 and 5.4RX before 5.4R7.1, an unauthenticated, remote attacker can conduct a session hijacking attack.

  • CVE-2024-52510 · Nov 15, 2024
    risk 0.00 · cvss · epss 0.01

    The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. The Desktop client did not stop with an error but allowed by-passing the signature validation, if a manipulated server sends an empty initial signature. It is recommended that…

  • CVE-2024-46958 · Sep 16, 2024
    risk 0.00 · cvss · epss 0.01

    In Nextcloud Desktop Client 3.13.1 through 3.13.3 on Linux, synchronized files (between the server and client) may become world writable or world readable. This is fixed in 3.13.4.

Page 1 of 3