VU#927237: Multiple vulnerabilities in Pulse Secure VPN

Pulse Secure released an out-of-cycle advisory along with software patches for the various affected products on April 24, 2019. This addressed a number of vulnerabilities, including a Remote Code Execution (RCE) vulnerability with pre-authentication access. These vulnerabilities have no viable workarounds other than applying the patches provided by the vendor and performing the required system updates. CVE-2019-11510 has a CVSS score of 10. The CVEs listed in the advisory are:

- CVE-2019-11510 - An unauthenticated remote attacker with network access via HTTPS can send a specially crafted URI to exploit an arbitrary file read vulnerability.
- CVE-2019-11509 - An authenticated attacker with access to the admin web interface can exploit this issue to execute arbitrary code on the Pulse Secure appliance.
- CVE-2019-11508 - A vulnerability in the Network File Share (NFS) feature of Pulse Connect Secure allows an authenticated end-user attacker to upload a malicious file in order to write arbitrary files to the local system.
- CVE-2019-11507 - An XSS issue has been found in the Pulse Secure Application Launcher page. Affected: Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1, and 9.0.x before 9.0R3.
- CVE-2019-11543 - An XSS issue was found in the admin web console. Affected: Pulse Secure Pulse Connect Secure (PCS) 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, and 8.1RX before 8.1R15.1, and Pulse Policy Secure 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, and 5.2RX before 5.2R12.1.
- CVE-2019-11542 - An authenticated attacker with access to the admin web interface can send a specially crafted message resulting in a stack buffer overflow.
- CVE-2019-11541 - Users using SAML authentication with the "Reuse Existing NC (Pulse) Session" option may see authentication leaks.
- CVE-2019-11540 - A vulnerability in Pulse Secure could allow an unauthenticated, remote attacker to conduct an (end user) session hijacking attack.
- CVE-2019-11539 - An authenticated attacker with access to the admin web interface can inject and execute commands (command injection).
- CVE-2019-11538 - A ..
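Since the only remediation the advisory offers is upgrading to a fixed release, the first defender task is working out which appliances in an inventory are still on an affected build. The following is an added example, not code from CERT, Pulse Secure, or the advisory: it encodes the fixed releases quoted above for CVE-2019-11543 and CVE-2019-11507 and compares a reported version string against them. The version grammar `major.minor R release[.patch]` (e.g. `9.0R3.4`, `8.3R7`) is an assumption inferred from the version strings on this page, the function names and the inventory line format `hostname,product,version` are hypothetical, and the sample inventory is constructed. A release train the advisory does not mention (for example PCS 8.2) is reported as "unlisted" rather than as safe, because this page says nothing about it either way.

```python
import re
from typing import Dict, Iterable, Tuple

# First fixed builds per CVE, product and release train, taken from the
# advisory text above. Trains not named in the advisory are deliberately
# absent so that the checker cannot mistake "not mentioned" for "fixed".
FIXED_RELEASES: Dict[str, Dict[str, Dict[str, str]]] = {
    "CVE-2019-11543": {
        "PCS": {"9.0": "9.0R3.4", "8.3": "8.3R7.1", "8.1": "8.1R15.1"},
        "PPS": {"9.0": "9.0R3.2", "5.4": "5.4R7.1", "5.2": "5.2R12.1"},
    },
    "CVE-2019-11507": {
        "PCS": {"8.3": "8.3R7.1", "9.0": "9.0R3"},
    },
}

# Assumed version grammar: <major>.<minor>R<release>[.<patch>], e.g. 9.0R3.4
# A missing patch component (e.g. "9.0R3") is treated as patch 0.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a Pulse Secure version string into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Pulse Secure version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def check_version(cve: str, product: str, version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unlisted' for one appliance build.

    'unlisted' means the advisory text gives no fixed build for this
    product/train combination; it is not a statement that the build is safe.
    """
    products = FIXED_RELEASES.get(cve)
    if products is None:
        raise ValueError(f"no fixed-release data for {cve}")
    trains = products.get(product)
    if trains is None:
        return "unlisted"
    parsed = parse_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    fixed = trains.get(train)
    if fixed is None:
        return "unlisted"
    return "vulnerable" if parsed < parse_version(fixed) else "fixed"


def triage_inventory(lines: Iterable[str], cve: str) -> Dict[str, str]:
    """Map hostname -> verdict for CSV lines of the form hostname,product,version."""
    verdicts: Dict[str, str] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        host, product, version = (f.strip() for f in line.split(",", 2))
        verdicts[host] = check_version(cve, product, version)
    return verdicts


# Constructed sample inventory (hypothetical hosts and builds).
SAMPLE_INVENTORY = [
    "# hostname,product,version",
    "vpn-gw-01,PCS,9.0R3.3",   # one patch level short of 9.0R3.4
    "vpn-gw-02,PCS,8.1R15.1",  # exactly the fixed build
    "nac-01,PPS,5.3R4",        # 5.3 train is not named in the advisory
]

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY, "CVE-2019-11543").items():
        print(f"{host}: {verdict}")
```

Comparing the parsed tuples rather than the raw strings matters here: a plain string comparison would rank `8.1R15.1` below `8.1R9`, and would treat `8.3R7` and `8.3R7.1` as unrelated. The same table can be extended with the other CVEs once their fixed builds are confirmed from the vendor advisory.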