Vulnerability Details CVE-2017-11196
Pulse Connect Secure 8.3R1 has CSRF in logout.cgi. The logout function of the admin panel is not protected by any CSRF tokens, thus allowing an attacker to logout a user by making them visit a malicious web page.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 36.7%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 6.8
References
- http://www.securityfocus.com/bid/99613
- http://www.sxcurity.pro/Multiple%20XSS%20and%20CSRF%20in%20Pulse%20Connect%20Secure%20v8.3R1.pdf
- https://twitter.com/sxcurity/status/884556905145937921
- http://www.securityfocus.com/bid/99613
- http://www.sxcurity.pro/Multiple%20XSS%20and%20CSRF%20in%20Pulse%20Connect%20Secure%20v8.3R1.pdf
- https://twitter.com/sxcurity/status/884556905145937921
Products affected by CVE-2017-11196
-
cpe:2.3:a:pulsesecure:pulse_connect_secure:8.3r1.0