PT-2017-11813 · Pulse · Pulse Connect Secure

Published 2017-07-12 · Updated 2017-07-17 · CVE-2017-11194

CVSS v3.1: 6.1 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Pulse Connect Secure version 8.3R1

Description: The issue is a reflected XSS in the adminservercacertdetails.cgi page of the admin panel. The certid parameter of "adminservercacertdetails.cgi" is reflected in the application's response without proper sanitization, allowing an attacker to inject HTML tags. This could enable an attacker to craft payloads that make the system execute commands such as ping, ping6, traceroute, nslookup, arp, etc.

Recommendations: For Pulse Connect Secure version 8.3R1, as a temporary workaround, consider restricting access to the "adminservercacertdetails.cgi" page or sanitizing the certid parameter to prevent XSS attacks. Avoid using the certid parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
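As an added illustration (not code from Pulse Secure or from this advisory), the following Python models the two points above: the unencoded reflection the description names, beside the output-encoded form the recommendations ask for, plus a detection pass over constructed access-log lines that flags requests to adminservercacertdetails.cgi whose certid value carries markup. The admin panel's real page markup and URL prefix are not on this page, so TEMPLATE, the /ADMIN_PATH/ prefix and the log lines are placeholders constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Placeholder page template standing in for the admin panel's response;
# the real markup of adminservercacertdetails.cgi is not on the advisory.
TEMPLATE = '<html><body><p>Certificate ID: {certid}</p></body></html>'

# Matches anything that looks like an HTML tag in a string.
TAG_RE = re.compile(r'<[^>]+>')

# Pulls the request target out of a combined-format access-log line.
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def render_vulnerable(certid: str) -> str:
    """'Before' behaviour described by the advisory: certid is reflected verbatim."""
    return TEMPLATE.format(certid=certid)


def render_hardened(certid: str) -> str:
    """Hardened form: HTML-encode the value so any markup in it renders as text."""
    return TEMPLATE.format(certid=html.escape(certid, quote=True))


def reflects_raw_markup(certid: str, body: str) -> bool:
    """True when a tag-bearing input value comes back unchanged in the response,
    i.e. the reflection is not encoded."""
    return bool(TAG_RE.search(certid)) and certid in body


# Constructed sample access-log lines (not real traffic); the second one
# carries markup in certid, the third hits a different script.
LOG_LINES = [
    '10.0.0.5 - - [12/Jul/2017:10:00:01 +0000] '
    '"GET /ADMIN_PATH/adminservercacertdetails.cgi?certid=1234 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Jul/2017:10:00:07 +0000] '
    '"GET /ADMIN_PATH/adminservercacertdetails.cgi?certid=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 530',
    '10.0.0.5 - - [12/Jul/2017:10:00:09 +0000] '
    '"GET /ADMIN_PATH/index.cgi?certid=%3Cb%3E HTTP/1.1" 200 300',
]


def suspicious_certid_requests(lines):
    """Return the URL-decoded certid values that contain markup in requests
    aimed at adminservercacertdetails.cgi (a simple detection rule for the
    workaround period described in the advisory)."""
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if not parts.path.endswith('/adminservercacertdetails.cgi'):
            continue
        # parse_qs percent-decodes values, so encoded angle brackets are caught too.
        for value in parse_qs(parts.query).get('certid', []):
            if TAG_RE.search(value):
                hits.append(value)
    return hits


if __name__ == '__main__':
    probe = '<b>x</b>'
    print('vulnerable reflects markup:', reflects_raw_markup(probe, render_vulnerable(probe)))
    print('hardened reflects markup:  ', reflects_raw_markup(probe, render_hardened(probe)))
    print('flagged certid values:', suspicious_certid_requests(LOG_LINES))
```

The hardened renderer changes nothing for ordinary identifiers such as "1234", which is the point of output encoding as a workaround: it neutralizes markup without breaking the parameter's legitimate use. The log check is deliberately narrow (one script, one parameter) so it can run against existing admin-panel access logs while the vendor fix is outstanding.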

XSS


Weakness Enumeration

Related identifiers

CVE-2017-11194

Affected products

Pulse Connect Secure