PT-2022-15159 · Pulse Secure · Pulse Secure

Published 2022-09-30 · Updated 2024-02-27 · CVE-2022-21826

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Pulse Secure versions 9.115 and below
Description: The issue allows client-side HTTP request smuggling. When the application receives a POST request, it ignores the request's Content-Length header and leaves the POST body unread on the TCP/TLS connection. That leftover body then becomes the prefix of the next HTTP request sent over the same connection. As a result, when a user loads a website, an attacker may be able to make the user's browser issue a POST to the application, enabling cross-site scripting (XSS).
Recommendations: For Pulse Secure versions 9.115 and below, consider disabling HTTP POST request handling until a patch is available. Restrict access to the application to minimize the risk of exploitation, and avoid using it for sensitive operations until the issue is resolved. At the time of writing, no newer version containing a fix for this vulnerability is known.
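The framing failure described above can be illustrated with a small model of HTTP/1.1 request parsing on a keep-alive connection. The following Python is an added example written for this page, not Pulse Secure code: it frames a constructed pipelined byte stream once with a parser that honours Content-Length and once with a parser that ignores it (the defect the advisory describes), and shows how the unread POST body lands at the front of the next request line. The `request_line_is_valid` check is a defender-side sanity check that flags a request line whose method token is not a known HTTP method, which is what a desynchronised connection produces. Hostnames and paths in the sample stream are constructed.

```python
"""Model of HTTP/1.1 request framing on a keep-alive connection.

Constructed example: two pipelined requests share one connection. A parser
that honours Content-Length consumes the POST body; one that ignores it
(the behaviour described in the advisory) leaves the body in the stream,
where it is read as the start of the next request.
"""
from __future__ import annotations

CRLF = b"\r\n"
KNOWN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"PATCH"}

# Constructed sample traffic: a POST with a 10-byte body followed by a GET.
PIPELINED = (
    b"POST /login HTTP/1.1" + CRLF
    + b"Host: vpn.example" + CRLF
    + b"Content-Length: 10" + CRLF
    + CRLF
    + b"user=alice"
    + b"GET /home HTTP/1.1" + CRLF
    + b"Host: vpn.example" + CRLF
    + CRLF
)


def parse_one(stream: bytes, honor_content_length: bool) -> tuple[dict, bytes]:
    """Parse a single request from `stream`; return (request, remaining bytes)."""
    head_end = stream.find(CRLF + CRLF)
    if head_end < 0:
        raise ValueError("incomplete request head")
    head, rest = stream[:head_end], stream[head_end + 4:]
    lines = head.split(CRLF)
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()

    body = b""
    if honor_content_length and b"content-length" in headers:
        # Correct framing: consume exactly Content-Length bytes as the body.
        n = int(headers[b"content-length"])
        if len(rest) < n:
            raise ValueError("incomplete body")
        body, rest = rest[:n], rest[n:]
    # With honor_content_length=False the body is never consumed: it stays at
    # the front of `rest` and is parsed as the beginning of the next request.
    return {"line": request_line, "headers": headers, "body": body}, rest


def frame_requests(stream: bytes, honor_content_length: bool) -> list[bytes]:
    """Return the request lines a server sees when framing `stream`."""
    seen = []
    while stream:
        req, stream = parse_one(stream, honor_content_length)
        seen.append(req["line"])
    return seen


def request_line_is_valid(line: bytes) -> bool:
    """Sanity check a server can log on: METHOD SP target SP HTTP/x.y."""
    parts = line.split(b" ")
    return len(parts) == 3 and parts[0] in KNOWN_METHODS and parts[2].startswith(b"HTTP/")


if __name__ == "__main__":
    for honour in (True, False):
        print("honour Content-Length:", honour)
        for line in frame_requests(PIPELINED, honor_content_length=honour):
            print("  ", line, "valid" if request_line_is_valid(line) else "DESYNC SUSPECT")
```

Running the script shows the correct parser seeing `POST /login` followed by `GET /home`, while the parser that ignores Content-Length sees a second "request" whose line begins with the leftover body bytes and fails the method check; logging such malformed request lines on a connection is one way to notice this class of desync without reproducing the attack.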

Weakness Enumeration

HTTP Request/Response Smuggling

Related Identifiers

CVE-2022-21826

Affected Products

Pulse Secure