PT-2017-11815 · Pulse · Pulse Connect Secure

Published

2017-07-12

Updated

2017-07-19

CVE-2017-11196

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Pulse Connect Secure version 8.3R1

Description The issue concerns the logout function of the admin panel, which is not protected by any CSRF tokens. This allows an attacker to logout a user by making them visit a malicious web page, exploiting the lack of protection in the logout.cgi endpoint.

Recommendations For Pulse Connect Secure version 8.3R1, consider implementing CSRF tokens to protect the logout function of the admin panel as a permanent fix. As a temporary workaround, restrict access to the logout.cgi endpoint to minimize the risk of exploitation.

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-352

Related Identifiers

CVE-2017-11196

Affected Products

Pulse Connect Secure

PT-2017-11815 · Pulse · Pulse Connect Secure

CVE-2017-11196

Weakness Enumeration

Related Identifiers

Affected Products

References · 5