CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2017-11463

In Ivanti Service Desk (formerly LANDESK Management Suite) versions between 2016.3 and 2017.3, an Unrestricted Direct Object Reference leads to referencing/updating objects belonging to other users. In other words, a normal user can send requests to a specific URI with the target user's username in an HTTP payload in order to retrieve a key/token and use it to access/update objects belonging to other users. Such objects could be user profiles, tickets, incidents, etc.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.012

EPSS Ranking 78.1%

CVSS Severity

CVSS v3 Score 8.8

CVSS v2 Score 6.5

References

https://community.ivanti.com/docs/DOC-66252
https://gist.github.com/lazyhack3r/439e92419c552b5dc82b2f5e832c8bfb
https://community.ivanti.com/docs/DOC-66252
https://gist.github.com/lazyhack3r/439e92419c552b5dc82b2f5e832c8bfb

Products affected by CVE-2017-11463

Ivanti » Endpoint Manager » Version: 2016.4

cpe:2.3:a:ivanti:endpoint_manager:2016.4
Ivanti » Endpoint Manager » Version: 2017.1

cpe:2.3:a:ivanti:endpoint_manager:2017.1
Ivanti » Endpoint Manager » Version: 2017.3

cpe:2.3:a:ivanti:endpoint_manager:2017.3

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2017-11463

Products

Pricing

Contact Us