- 308/2024
- Critical
Ivanti has released security updates to fix several critical vulnerabilities across multiple Ivanti products
The addressed vulnerabilities could allow the remote attacker to perform denial of service attacks, escalate elevated privileges, conduct cross-site scripting attacks, data manipulation (view, modify, add, delete), bypass security restrictions, or execute arbitrary code and gain access to the affected systems.
Sample of the addressed vulnerabilities:
1. Ivanti Endpoint Manager Code Execution Vulnerability (CVE-2024-50330):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
2. Ivanti Connect Secure and Policy Secure Cross-Site Scripting Vulnerability(CVE-2024-11004):
- CVSS: 8.4
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: Required
- Consequences: Cross-Site Scripting
The affected products:
- Ivanti Connect Secure (ICS).
- Ivanti Policy Secure (IPS).
- Ivanti Secure Access Client (ISAC).
- Ivanti Avalanche.
- Ivanti Endpoint Manager (EPM).
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.