Main Vulnerability Database SB2018090726

SB2018090726 - Multiple vulnerabilities in Pulse Connect Secure

Published: September 7, 2018 Updated: August 8, 2020

Security Bulletin ID SB2018090726

Severity

High

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Open redirect (CVE-ID: CVE-2018-14366)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

download.cgi in Pulse Secure Pulse Connect Secure 8.1RX before 8.1R13 and 8.3RX before 8.3R4 and Pulse Policy Secure through 5.2RX before 5.2R10 and 5.4RX before 5.4R4 have an Open Redirect Vulnerability.

2) Input validation error (CVE-ID: CVE-2018-6320)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

A vulnerability has been discovered in login.cgi in Pulse Secure Pulse Connect Secure (PCS) 8.1RX before 8.1R12 and 8.3RX before 8.3R2 and Pulse Policy Secure (PPS) 5.2RX before 5.2R9 and 5.4RX before 5.4R2 wherein an http(s) Host header received from the browser is trusted without validation.

Remediation

Install update from vendor's website.

References

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA43877