CVE-2018-20807
MEDIUM
Ivanti Connect Secure 8.1.x < 8.1R12, 8.2.x < 8.2R9, 8.3.x < 8.3R3 - Cross-Site Scripting via welcome.cgi URL Parameter
Title source: llm
Description
An XSS issue has been found in welcome.cgi in Pulse Secure Pulse Connect Secure (PCS) 8.1.x before 8.1R12, 8.2.x before 8.2R9, and 8.3.x before 8.3R3 due to one of the URL parameters not being sanitized properly.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA43730/
Scores
CVSS v3
6.1
EPSS
0.0012
EPSS Percentile
30.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (3)
ivanti/connect_secure
8.1 r1.0 (19 CPE variants)
ivanti/connect_secure
8.2 r1 (17 CPE variants)
ivanti/connect_secure
8.3 r1 (3 CPE variants)
Published
Jun 28, 2019
Tracked Since
Feb 18, 2026