PT-2022-12211 · Ivanti · Ivanti Pulse Secure Pulse Connect Secure
Joel Garcia Santisima Trinidad · Published 2022-08-11 · Updated 2024-02-27 · CVE-2021-44720
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Ivanti Pulse Secure Pulse Connect Secure (PCS) versions prior to 9.1R12
Description
The administrator password is stored in the HTML source code of the "Maintenance > Push Configuration > Targets > Target Name" targets.cgi screen, allowing a read-only administrative user to escalate to a read-write administrative role.
Recommendations
For versions prior to 9.1R12, update to version 9.1R12 or later to resolve the issue.
Fix
Using Hardcoded Credentials
Weakness Enumeration
Related Identifiers
Affected Products
Ivanti Pulse Secure Pulse Connect Secure