CVE-2017-11196

HIGH

Pulse Connect Secure 8.3R1 - Cross-Site Request Forgery in Admin Logout Function

Title source: llm
STIX 2.1

Description

Pulse Connect Secure 8.3R1 has CSRF in logout.cgi. The logout function of the admin panel is not protected by any CSRF tokens, thus allowing an attacker to logout a user by making them visit a malicious web page.

References (3)

Core 3
Core References
Third Party Advisory x_refsource_misc
https://twitter.com/sxcurity/status/884556905145937921
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/99613

Scores

CVSS v3 8.8
EPSS 0.0056
EPSS Percentile 42.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (1)
pulsesecure/pulse_connect_secure 8.3r1.0
Published Jul 12, 2017
Tracked Since Feb 18, 2026