CVE-2017-11193

Pulse Connect Secure 8.3R1 has CSRF in diag.cgi. In the panel, the diag.cgi file is responsible for running commands such as ping, ping6, traceroute, traceroute6, nslookup, arp, and Portprobe. These functions do not have any protections against CSRF. That can allow an attacker to run these commands against any IP if they can get an admin to visit their malicious CSRF page.
Configurations

Configuration 1 (hide)

cpe:2.3:a:pulsesecure:pulse_connect_secure:8.3r1.0:*:*:*:*:*:*:*

History

21 Nov 2024, 03:07

Type Values Removed Values Added
References () http://www.securityfocus.com/bid/99621 - () http://www.securityfocus.com/bid/99621 -
References () http://www.sxcurity.pro/Multiple%20XSS%20and%20CSRF%20in%20Pulse%20Connect%20Secure%20v8.3R1.pdf - Third Party Advisory () http://www.sxcurity.pro/Multiple%20XSS%20and%20CSRF%20in%20Pulse%20Connect%20Secure%20v8.3R1.pdf - Third Party Advisory
References () https://twitter.com/sxcurity/status/884556905145937921 - Third Party Advisory () https://twitter.com/sxcurity/status/884556905145937921 - Third Party Advisory

Information

Published : 2017-07-12 20:29

Updated : 2024-11-21 03:07


NVD link : CVE-2017-11193

Mitre link : CVE-2017-11193

CVE.ORG link : CVE-2017-11193


JSON object : View

Products Affected

pulsesecure

  • pulse_connect_secure
CWE
CWE-352

Cross-Site Request Forgery (CSRF)