CVE-2017-11193

HIGH

Pulse Connect Secure 8.3R1 - Cross-Site Request Forgery in diag.cgi

Title source: llm
STIX 2.1

Description

Pulse Connect Secure 8.3R1 has CSRF in diag.cgi. In the panel, the diag.cgi file is responsible for running commands such as ping, ping6, traceroute, traceroute6, nslookup, arp, and Portprobe. These functions do not have any protections against CSRF. That can allow an attacker to run these commands against any IP if they can get an admin to visit their malicious CSRF page.

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/99621
Third Party Advisory x_refsource_misc
https://twitter.com/sxcurity/status/884556905145937921

Scores

CVSS v3 8.8
EPSS 0.0056
EPSS Percentile 42.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (1)
pulsesecure/pulse_connect_secure 8.3r1.0
Published Jul 12, 2017
Tracked Since Feb 18, 2026