Lenk Ratchakrit

**Name of the Vulnerable Software and Affected Versions** Ivanti Endpoint Manager versions through 2020.1 **Description** The issue allows SQL Injection via a "/remotecontrolauth/api/device" request. This affects the LDMS/alert log.aspx component in Ivanti Endpoint Manager. **Recommendations** For versions through 2020.1, update to a version later than 2020.1 to resolve the issue. As a temporary workaround, consider restricting access to the "/remotecontrolauth/api/device" endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Ivanti Endpoint Manager versions through 2020.1.1 **Description** The issue allows an attacker to disclose information about the server operating system, local pathnames, and environment variables with no authentication required. This is possible through the /ldclient/ldprov.cgi endpoint. **Recommendations** For Ivanti Endpoint Manager versions through 2020.1.1, consider restricting access to the /ldclient/ldprov.cgi endpoint until a patch is available. As a temporary workaround, limit the information disclosed by the server to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ivanti Endpoint Manager versions through 2020.1.1 **Description** The issue allows for cross-site scripting (XSS) attacks via several API endpoints, including `/LDMS/frm splitfrm.aspx`, `/LDMS/licensecheck.aspx`, `/LDMS/frm splitcollapse.aspx`, `/LDMS/alert log.aspx`, `/LDMS/ServerList.aspx`, `/LDMS/frm coremainfrm.aspx`, `/LDMS/frm findfrm.aspx`, `/LDMS/frm taskfrm.aspx`, and `/LDMS/query browsecomp.aspx`. **Recommendations** For Ivanti Endpoint Manager versions through 2020.1.1, consider disabling access to the vulnerable API endpoints until a patch is available. Restrict access to the `/LDMS/` directory to minimize the risk of exploitation. Avoid using the affected pages until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ivanti Endpoint Manager versions prior to 2020.1.2 **Description** The issue allows privilege escalation from a local standard or service account with SeImpersonatePrivilege, such as `NT AUTHORITYNETWORK SERVICE`, to `NT AUTHORITYSYSTEM` due to several services accessing named pipes with default or overly permissive security attributes. **Recommendations** For Ivanti Endpoint Manager versions prior to 2020.1.2, update to version 2020.1.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Ivanti Endpoint Manager versions prior to 2020.1.1 **Description** The issue allows for code execution and elevation of privileges to the level of privilege held by the vulnerable component, such as NT AUTHORITYSYSTEM, via DLL hijacking under certain conditions. This is due to various components relying on Windows search order when loading a nonexistent library file. The affected components include ldiscn32.exe, IpmiRedirectionService.exe, LDAPWhoAmI.exe, and ldprofile.exe. **Recommendations** For Ivanti Endpoint Manager versions prior to 2020.1.1, update to version 2020.1.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Ivanti Endpoint Manager versions 2019.1 through 2020.1 **Description** The issue is caused by an unrestricted file-upload problem in the EditLaunchPadDialog.aspx file, allowing an authenticated attacker to achieve remote code execution by uploading a malicious aspx file. This is due to insufficient file extension validation and insecure file operations on the uploaded image. If the upload fails, the temporarily created files are left in an accessible location on the server. **Recommendations** For Ivanti Endpoint Manager versions 2019.1 through 2020.1, consider restricting access to the EditLaunchPadDialog.aspx file until a patch is available, and ensure proper file extension validation and secure file operations are in place to prevent malicious file uploads.