PT-2019-12768 · Ivanti · Ivanti Landesk Management Suite

Published: 2019-06-03 · Updated: 2019-06-04 · CVE-2019-12374

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Ivanti LANDESK Management Suite (LDMS, aka Endpoint Manager) version 10.0.1.168 Service Update 5

Description

A SQL Injection issue exists due to improper sanitization of the username in the Basic Authentication implementation. This issue is specifically found in the ProvisioningSecure.asmx file within the Provisioning.Secure.dll of the core/provisioning.secure module.

Recommendations

For Ivanti LANDESK Management Suite (LDMS, aka Endpoint Manager) version 10.0.1.168 Service Update 5, consider disabling the Basic Authentication implementation in the Provisioning.Secure.dll until a patch is available. Restrict access to the Provisioning.Secure.dll module to minimize the risk of exploitation. Avoid using the username variable in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2019-12374

Affected Products

Ivanti Landesk Management Suite