CVE-2017-11455

HIGH

Pulse Connect Secure 8.1R1-8.1R10, 8.2R1-8.2R5 & Pulse Policy Secure 5.1R1-5.3R5 - CSRF via diag.cgi

Title source: llm

Description

diag.cgi in Pulse Connect Secure 8.2R1 through 8.2R5, 8.1R1 through 8.1R10 and Pulse Policy Secure 5.3R1 through 5.3R5, 5.2R1 through 5.2R8, and 5.1R1 through 5.1R10 allow remote attackers to hijack the authentication of administrators for requests to start tcpdump, related to the lack of anti-CSRF tokens.

References (3)

Core 3

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1039242

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/100530

Vendor Advisory x_refsource_confirm

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40793

Scores

CVSS v3 8.8

EPSS 0.0056

EPSS Percentile 68.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-352

Status published

Products (47)

ivanti/connect_secure 8.1

pulsesecure/pulse_connect_secure 8.1r1.0

pulsesecure/pulse_connect_secure 8.2r1.0

pulsesecure/pulse_connect_secure 8.2r1.1

pulsesecure/pulse_connect_secure 8.2r2.0

pulsesecure/pulse_connect_secure 8.2r3.0

pulsesecure/pulse_connect_secure 8.2r3.1

pulsesecure/pulse_connect_secure 8.2r4.0

pulsesecure/pulse_connect_secure 8.2r4.1

pulsesecure/pulse_connect_secure 8.2r5.0

... and 37 more

Published Aug 29, 2017

Tracked Since Feb 18, 2026