RSS   Vulnerabilities for 'Avalanche'   RSS

2022-04-06
 
CVE-2021-30497

CWE-22
 

 
Ivanti Avalanche (Premise) 6.3.2 allows remote unauthenticated users to read arbitrary files via Absolute Path Traversal. The imageFilePath parameter processed by the /AvalancheWeb/image endpoint is not verified to be within the scope of the image folder, e.g., the attacker can obtain sensitive information via the C:/Windows/system32/config/system.sav value.

 
2021-12-07
 
CVE-2021-42124

CWE-863
 

 
An improper access control vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform a session takeover.

 
 
CVE-2021-42125

CWE-434
 

 
An unrestricted file upload vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to write dangerous files.

 
 
CVE-2021-42126

CWE-863
 

 
An improper authorization control vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform privilege escalation.

 
 
CVE-2021-42127

CWE-502
 

 
A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 using Inforail Service allows arbitrary code execution via Data Repository Service.

 
 
CVE-2021-42128

CWE-269
 

 
An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 using inforail Service allows Privilege Escalation via Enterprise Server Service.

 
 
CVE-2021-42129

CWE-77
 

 
A command injection vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary command execution.

 
 
CVE-2021-42130

CWE-502
 

 
A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary code execution.

 
 
CVE-2021-42131

CWE-89
 

 
A SQL Injection vulnerability exists in Ivanti Avalance before 6.3.3 allows an attacker with access to the Inforail Service to perform privilege escalation.

 
 
CVE-2021-42132

CWE-77
 

 
A command Injection vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary command execution.

 


Copyright 2022, cxsecurity.com

 

Back to Top