SB2024091108 - Multiple vulnerabilities in Ivanti Endpoint Manager
Published: September 11, 2024 Updated: December 17, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 16 secuirty vulnerabilities.
1) SQL injection (CVE-ID: CVE-2024-34783)
The vulnerability allows a remote user to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote privileged user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
2) SQL injection (CVE-ID: CVE-2024-34785)
The vulnerability allows a remote user to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote privileged user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
3) SQL injection (CVE-ID: CVE-2024-34779)
The vulnerability allows a remote user to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote privileged user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
4) XML External Entity injection (CVE-ID: CVE-2024-37397)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied XML input in the provisioning web service. A remote attacker can pass a specially crafted XML code to the affected application and view contents of arbitrary files on the system or initiate requests to external systems.
Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure.
5) SQL injection (CVE-ID: CVE-2024-32848)
The vulnerability allows a remote user to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote privileged user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
6) SQL injection (CVE-ID: CVE-2024-32846)
The vulnerability allows a remote user to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote privileged user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
7) SQL injection (CVE-ID: CVE-2024-32845)
The vulnerability allows a remote user to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote privileged user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
8) SQL injection (CVE-ID: CVE-2024-32843)
The vulnerability allows a remote user to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote privileged user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
9) SQL injection (CVE-ID: CVE-2024-32842)
The vulnerability allows a remote user to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote privileged user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
10) SQL injection (CVE-ID: CVE-2024-32840)
The vulnerability allows a remote user to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote privileged user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
11) SQL injection (CVE-ID: CVE-2024-8191)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the management console. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
12) Improper Authentication (CVE-ID: CVE-2024-8320)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to missing authentication in Network Isolation service. A remote non-authenticated attacker can poof Network Isolation status of managed devices.
13) Improper Authentication (CVE-ID: CVE-2024-8321)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to missing authentication in Network Isolation service. A remote non-authenticated attacker can isolate managed devices from the network.
14) Improper access control (CVE-ID: CVE-2024-8322)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in Patch Management. A remote user can bypass implemented security restrictions and gain unauthorized access to the application.
15) Deserialization of Untrusted Data (CVE-ID: CVE-2024-29847)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data in the agent portal. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
16) Untrusted search path (CVE-ID: CVE-2024-8441)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to usage of an untrusted search path. A local user can place a malicious binary into a specific location on the system and execute arbitrary code with escalated privileges.
Remediation
Install update from vendor's website.
References
- https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022?language=en_US
- https://www.zerodayinitiative.com/advisories/ZDI-24-1220/
- https://www.zerodayinitiative.com/advisories/ZDI-24-1221/
- https://www.zerodayinitiative.com/advisories/ZDI-24-1219/
- https://www.zerodayinitiative.com/advisories/ZDI-24-1212/
- https://www.zerodayinitiative.com/advisories/ZDI-24-1218/
- https://www.zerodayinitiative.com/advisories/ZDI-24-1217/
- https://www.zerodayinitiative.com/advisories/ZDI-24-1216/
- https://www.zerodayinitiative.com/advisories/ZDI-24-1215/
- https://www.zerodayinitiative.com/advisories/ZDI-24-1214/
- https://www.zerodayinitiative.com/advisories/ZDI-24-1213/
- https://www.zerodayinitiative.com/advisories/ZDI-24-1211/
- https://www.zerodayinitiative.com/advisories/ZDI-24-1223/