Vulnerabilities (CVE)

  1. OpenCVE
  2. Vulnerabilities (CVE)
Filtered by vendor Pulsesecure Subscribe

CVSS v3 Filter

ALL
NONE (0.0) LOW (0.1 - 3.9) MEDIUM (4.0 - 6.9) HIGH (7.0 - 8.9) CRITICAL (9.0 - 10.0)

Search

Total 41 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2016-0800 2 Openssl, Pulsesecure 3 Openssl, Client, Steel Belted Radius 2022-01-25 4.3 MEDIUM 5.9 MEDIUM
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.
CVE-2020-8216 1 Pulsesecure 2 Pulse Connect Secure, Pulse Policy Secure 2021-09-23 4.0 MEDIUM 4.3 MEDIUM
An information disclosure vulnerability in meeting of Pulse Connect Secure <9.1R8 allowed an authenticated end-users to find meeting details, if they know the Meeting ID.
CVE-2021-22933 1 Pulsesecure 1 Pulse Connect Secure 2021-08-24 5.5 MEDIUM 6.5 MEDIUM
A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform an arbitrary file delete via a maliciously crafted web request.
CVE-2021-22936 1 Pulsesecure 1 Pulse Connect Secure 2021-08-24 4.3 MEDIUM 6.1 MEDIUM
A vulnerability in Pulse Connect Secure before 9.1R12 could allow a threat actor to perform a cross-site script attack against an authenticated administrator via an unsanitized web parameter.
CVE-2020-8263 1 Pulsesecure 1 Pulse Secure Desktop Client 2021-08-17 3.5 LOW 5.4 MEDIUM
A vulnerability in the authenticated user web interface of Pulse Connect Secure < 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS) through the CGI file.
CVE-2020-8255 1 Pulsesecure 1 Pulse Secure Desktop Client 2021-08-17 4.0 MEDIUM 4.9 MEDIUM
A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary file reading vulnerability is fixed using encrypted URL blacklisting that prevents these messages.
CVE-2020-12880 1 Pulsesecure 2 Pulse Connect Secure, Pulse Policy Secure 2021-07-21 2.1 LOW 5.5 MEDIUM
An issue was discovered in Pulse Policy Secure (PPS) and Pulse Connect Secure (PCS) Virtual Appliance before 9.1R8. By manipulating a certain kernel boot parameter, it can be tricked into dropping into a root shell in a pre-install phase where the entire source code of the appliance is available and can be retrieved. (The source code is otherwise inaccessible because the appliance has its hard disks encrypted, and no root shell is available during normal operation.)
CVE-2020-15408 1 Pulsesecure 2 Pulse Connect Secure, Pulse Secure Desktop Client 2021-07-21 5.8 MEDIUM 4.6 MEDIUM
An issue was discovered in Pulse Secure Pulse Connect Secure before 9.1R8. An authenticated attacker can access the admin page console via the end-user web interface because of a rewrite.
CVE-2020-8262 1 Pulsesecure 2 Pulse Connect Secure, Pulse Policy Secure 2020-11-03 4.3 MEDIUM 6.1 MEDIUM
A vulnerability in the Pulse Connect Secure / Pulse Policy Secure below 9.1R9 could allow attackers to conduct Cross-Site Scripting (XSS) and Open Redirection for authenticated user web interface.
CVE-2020-8261 1 Pulsesecure 2 Pulse Connect Secure, Pulse Policy Secure 2020-11-03 4.3 MEDIUM 4.3 MEDIUM
A vulnerability in the Pulse Connect Secure / Pulse Policy Secure < 9.1R9 is vulnerable to arbitrary cookie injection.
CVE-2020-8256 1 Pulsesecure 1 Pulse Connect Secure 2020-10-08 4.0 MEDIUM 4.9 MEDIUM
A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to gain arbitrary file reading access through Pulse Collaboration via XML External Entity (XXE) vulnerability.
CVE-2020-8238 1 Pulsesecure 2 Pulse Connect Secure, Pulse Policy Secure 2020-10-08 4.3 MEDIUM 6.1 MEDIUM
A vulnerability in the authenticated user web interface of Pulse Connect Secure and Pulse Policy Secure < 9.1R8.2 could allow attackers to conduct Cross-Site Scripting (XSS).
CVE-2018-11002 1 Pulsesecure 1 Pulse Secure Desktop Client 2020-08-24 5.8 MEDIUM 5.5 MEDIUM
Pulse Secure Desktop Client 5.3 up to and including R6.0 build 1769 on Windows has Insecure Permissions.
CVE-2020-8222 1 Pulsesecure 2 Pulse Connect Secure, Pulse Policy Secure 2020-08-04 4.0 MEDIUM 6.8 MEDIUM
A path traversal vulnerability exists in Pulse Connect Secure <9.1R8 that allowed an authenticated attacker via the administrator web interface to perform an arbitrary file reading vulnerability through Meeting.
CVE-2020-8221 1 Pulsesecure 2 Pulse Connect Secure, Pulse Policy Secure 2020-08-04 4.0 MEDIUM 4.9 MEDIUM
A path traversal vulnerability exists in Pulse Connect Secure <9.1R8 which allows an authenticated attacker to read arbitrary files via the administrator web interface.
CVE-2020-8220 1 Pulsesecure 2 Pulse Connect Secure, Pulse Policy Secure 2020-08-04 5.5 MEDIUM 6.5 MEDIUM
A denial of service vulnerability exists in Pulse Connect Secure <9.1R8 that allows an authenticated attacker to perform command injection via the administrator web which can cause DOS.
CVE-2020-8204 1 Pulsesecure 2 Pulse Connect Secure, Pulse Policy Secure 2020-07-31 4.3 MEDIUM 6.1 MEDIUM
A cross site scripting (XSS) vulnerability exists in Pulse Connect Secure <9.1R5 on the PSAL Page.
CVE-2020-8217 1 Pulsesecure 2 Pulse Connect Secure, Pulse Policy Secure 2020-07-31 3.5 LOW 5.4 MEDIUM
A cross site scripting (XSS) vulnerability in Pulse Connect Secure <9.1R8 allowed attackers to exploit in the URL used for Citrix ICA.
CVE-2019-11507 1 Pulsesecure 1 Pulse Connect Secure 2020-07-27 4.3 MEDIUM 6.1 MEDIUM
In Pulse Secure Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1 and 9.0.x before 9.0R3, an XSS issue has been found on the Application Launcher page.
CVE-2018-20307 1 Pulsesecure 1 Virtual Traffic Manager 2020-07-14 4.0 MEDIUM 4.3 MEDIUM
Pulse Secure Virtual Traffic Manager 9.9 versions prior to 9.9r2 and 10.4r1 allow a remote authenticated user to obtain sensitive historical activity information by leveraging incorrect permission validation.
CVE-2018-15749 1 Pulsesecure 1 Pulse Secure Desktop Client 2020-05-11 2.1 LOW 5.5 MEDIUM
The Pulse Secure Desktop (macOS) 5.3RX before 5.3R5 and 9.0R1 has a Format String Vulnerability.
CVE-2018-15726 1 Pulsesecure 1 Pulse Secure Desktop Client 2020-05-11 4.6 MEDIUM 5.3 MEDIUM
The Pulse Secure Desktop (macOS) 5.3RX before 5.3R5 and 9.0R1 has a Privilege Escalation Vulnerability.
CVE-2016-4788 1 Pulsesecure 1 Pulse Connect Secure 2020-04-29 5.0 MEDIUM 5.8 MEDIUM
Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r10, and 7.4 before 7.4r13.4 allow remote attackers to read an unspecified system file via unknown vectors.
CVE-2016-4790 1 Pulsesecure 1 Pulse Connect Secure 2020-04-29 3.5 LOW 5.5 MEDIUM
Cross-site scripting (XSS) vulnerability in the administrative user interface in Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r9, and 7.4 before 7.4r13.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2016-4789 1 Pulsesecure 1 Pulse Connect Secure 2020-04-29 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in the system configuration section in the administrative user interface in Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r9, and 7.4 before 7.4r13.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2019-11543 1 Pulsesecure 2 Pulse Connect Secure, Pulse Policy Secure 2020-04-29 4.3 MEDIUM 6.1 MEDIUM
XSS exists in the admin web console in Pulse Secure Pulse Connect Secure (PCS) 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, and 5.2RX before 5.2R12.1.
CVE-2018-14366 1 Pulsesecure 2 Pulse Connect Secure, Pulse Policy Secure 2020-04-29 5.8 MEDIUM 6.1 MEDIUM
download.cgi in Pulse Secure Pulse Connect Secure 8.1RX before 8.1R13 and 8.3RX before 8.3R4 and Pulse Policy Secure through 5.2RX before 5.2R10 and 5.4RX before 5.4R4 have an Open Redirect Vulnerability.
CVE-2018-9849 1 Pulsesecure 1 Pulse Connect Secure 2019-10-03 4.3 MEDIUM 5.5 MEDIUM
Pulse Secure Pulse Connect Secure 8.1.x before 8.1R14, 8.2.x before 8.2R11, and 8.3.x before 8.3R5 do not properly process nested XML entities, which allows remote attackers to cause a denial of service (memory consumption and memory errors) via a crafted XML document.
CVE-2018-16261 1 Pulsesecure 1 Pulse Secure Desktop Client 2019-10-03 4.6 MEDIUM 6.8 MEDIUM
In Pulse Secure Pulse Desktop Client 5.3RX before 5.3R5 and 9.0R1, there is a Privilege Escalation Vulnerability with Dynamic Certificate Trust.
CVE-2018-20807 1 Pulsesecure 1 Pulse Connect Secure 2019-07-08 4.3 MEDIUM 6.1 MEDIUM
An XSS issue has been found in welcome.cgi in Pulse Secure Pulse Connect Secure (PCS) 8.1.x before 8.1R12, 8.2.x before 8.2R9, and 8.3.x before 8.3R3 due to one of the URL parameters not being sanitized properly.
CVE-2018-20814 1 Pulsesecure 2 Pulse Connect Secure, Pulse Policy Secure 2019-07-04 4.3 MEDIUM 6.1 MEDIUM
An XSS issue was found with Psaldownload.cgi in Pulse Secure Pulse Connect Secure (PCS) 8.3R2 before 8.3R2 and Pulse Policy Secure (PPS) 5.4RX before 5.4R2. This is not applicable to PCS 8.1RX or PPS 5.2RX.
CVE-2018-20811 1 Pulsesecure 1 Pulse Connect Secure 2019-07-03 5.0 MEDIUM 5.3 MEDIUM
A hidden RPC service issue was found with Pulse Secure Pulse Connect Secure 8.3RX before 8.3R2 and 8.1RX before 8.1R12.
CVE-2018-20808 1 Pulsesecure 1 Pulse Connect Secure 2019-07-03 4.3 MEDIUM 6.1 MEDIUM
An XSS issue has been found with rd.cgi in Pulse Secure Pulse Connect Secure 8.3RX before 8.3R3 due to improper header sanitization. This is not applicable to 8.1RX.
CVE-2018-20306 1 Pulsesecure 1 Virtual Traffic Manager 2019-01-08 3.5 LOW 5.4 MEDIUM
A stored cross-site scripting (XSS) vulnerability in the web administration user interface of Pulse Secure Virtual Traffic Manager may allow a remote authenticated attacker to inject web script or HTML via a crafted website and steal sensitive data and credentials. Affected releases are Pulse Secure Virtual Traffic Manager 9.9 versions prior to 9.9r2 and 10.4r1.
CVE-2018-7572 1 Pulsesecure 1 Pulse Secure Desktop 2018-11-27 7.2 HIGH 6.8 MEDIUM
Pulse Secure Client 9.0R1 and 5.3RX before 5.3R5, when configured to authenticate VPN users during Windows Logon, can allow attackers to bypass Windows authentication and execute commands on the system with the privileges of Pulse Secure Client. The attacker must interrupt the client's network connectivity, and trigger a connection to a crafted proxy server with an invalid SSL certificate that allows certification-manager access, leading to the ability to browse local files and execute local programs.
CVE-2018-6374 1 Pulsesecure 1 Desktop Linux Client 2018-02-24 6.4 MEDIUM 6.5 MEDIUM
The GUI component (aka PulseUI) in Pulse Secure Desktop Linux clients before PULSE5.2R9.2 and 5.3.x before PULSE5.3R4.2 does not perform strict SSL Certificate Validation. This can lead to the manipulation of the Pulse Connection set.
CVE-2017-17947 1 Pulsesecure 1 Pulse Connect Secure 2018-02-06 3.5 LOW 4.8 MEDIUM
A cross site scripting issue has been found in custompage.cgi in Pulse Secure Pulse Connect Secure (PCS) before 8.0R17.0, 8.1.x before 8.1R13, 8.2.x before 8.2R9, and 8.3.x before 8.3R3 and Pulse Policy Secure (PPS) before 5.2R10, 5.3.x before 5.3R9, and 5.4.x before 5.4R3 due to one of the URL parameters not being sanitized. Exploitation does require the user to be logged in as administrator; the issue is not applicable to the end user portal.
CVE-2017-11195 1 Pulsesecure 1 Pulse Connect Secure 2017-07-19 4.3 MEDIUM 6.1 MEDIUM
Pulse Connect Secure 8.3R1 has Reflected XSS in launchHelp.cgi. The helpLaunchPage parameter is reflected in an IFRAME element, if the value contains two quotes. It properly sanitizes quotes and tags, so one cannot simply close the src with a quote and inject after that. However, an attacker can use javascript: or data: to abuse this.
CVE-2017-11194 1 Pulsesecure 1 Pulse Connect Secure 2017-07-17 4.3 MEDIUM 6.1 MEDIUM
Pulse Connect Secure 8.3R1 has Reflected XSS in adminservercacertdetails.cgi. In the admin panel, the certid parameter of adminservercacertdetails.cgi is reflected in the application's response and is not properly sanitized, allowing an attacker to inject tags. An attacker could come up with clever payloads to make the system run commands such as ping, ping6, traceroute, nslookup, arp, etc.
CVE-2016-4792 1 Pulsesecure 1 Pulse Connect Secure 2016-05-26 5.0 MEDIUM 5.3 MEDIUM
Pulse Connect Secure (PCS) 8.2 before 8.2r1 allows remote attackers to disclose sign in pages via unspecified vectors.
CVE-2016-3985 1 Pulsesecure 1 Pulse Connect Secure 2016-04-18 3.3 LOW 6.5 MEDIUM
The Terminal Services Remote Desktop Protocol (RDP) client session restrictions feature in Pulse Connect Secure (aka PCS) 8.1R7 and 8.2R1 allow remote authenticated users to bypass intended access restrictions via unspecified vectors.