Vulnerability Description
An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ivanti | Connect Secure | 9.1 |
| Pulsesecure | Pulse Connect Secure | <= 9.0 |
| Ivanti | Policy Secure | 9.1 |
| Pulsesecure | Pulse Policy Secure | <= 9.0 |
Related Weaknesses (CWE)
References
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601Vendor Advisory
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601Vendor Advisory
FAQ
What is CVE-2020-15352?
CVE-2020-15352 is a vulnerability with a CVSS score of 7.2 (HIGH). An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request forge...
How severe is CVE-2020-15352?
CVE-2020-15352 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-15352?
Check the references section above for vendor advisories and patch information. Affected products include: Ivanti Connect Secure, Pulsesecure Pulse Connect Secure, Ivanti Policy Secure, Pulsesecure Pulse Policy Secure.