Avalanche

Incomplete restriction of configuration in Ivanti Avalanche before version 6.4.8.8008 allows a remote authenticated attacker with admin privileges to achieve remote code execution

Published: 2025-08-12T14:37:23.954Z
Updated: 2026-02-26T17:49:41.972Z

SQL injection in Ivanti Avalanche before version 6.4.8.8008 allows a remote authenticated attacker with admin privileges to execute arbitrary SQL queries. In certain conditions, this can also lead to remote code execution

Published: 2025-08-12T14:33:47.566Z
Updated: 2026-02-26T17:49:42.379Z

An out-of-bounds read vulnerability in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to leak sensitive information in memory.

Published: 2024-11-12T15:34:00.342Z
Updated: 2024-11-12T18:48:08.968Z

An out-of-bounds read vulnerability in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to leak sensitive information in memory.

Published: 2024-11-12T15:34:00.342Z
Updated: 2024-11-12T18:48:08.968Z

An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

Published: 2024-11-12T15:33:32.796Z
Updated: 2024-11-12T18:49:52.819Z

An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

Published: 2024-11-12T15:33:32.796Z
Updated: 2024-11-12T18:49:52.819Z

An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

Published: 2024-11-12T15:32:52.112Z
Updated: 2024-11-12T18:57:00.316Z

An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

Published: 2024-11-12T15:32:52.112Z
Updated: 2024-11-12T18:57:00.316Z

An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

Published: 2024-11-12T15:32:20.257Z
Updated: 2024-11-13T15:43:27.844Z

A null pointer dereference in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

Published: 2024-11-12T15:30:35.740Z
Updated: 2024-11-12T15:53:11.671Z

A null pointer dereference in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

Published: 2024-11-12T15:30:35.740Z
Updated: 2024-11-12T15:53:11.671Z

A null pointer dereference in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

Published: 2024-11-12T15:29:58.447Z
Updated: 2024-11-12T15:54:12.790Z

A null pointer dereference in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.

Published: 2024-11-12T15:29:58.447Z
Updated: 2024-11-12T15:54:12.790Z

Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive information

Published: 2024-10-08T16:30:25.388Z
Updated: 2024-10-08T17:39:16.171Z

Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive information

Published: 2024-10-08T16:30:25.388Z
Updated: 2024-10-08T17:39:16.171Z

Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.

Published: 2024-10-08T16:29:57.222Z
Updated: 2024-10-08T17:39:47.159Z

Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.

Published: 2024-10-08T16:29:57.222Z
Updated: 2024-10-08T17:39:47.159Z

Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.

Published: 2024-10-08T16:28:53.641Z
Updated: 2024-10-08T17:40:31.429Z

Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.

Published: 2024-10-08T16:28:53.641Z
Updated: 2024-10-08T17:40:31.429Z

Server-side request forgery in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive information.

Published: 2024-10-08T16:28:14.887Z
Updated: 2024-10-08T18:45:02.588Z

Server-side request forgery in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive information.

Published: 2024-10-08T16:28:14.887Z
Updated: 2024-10-08T18:45:02.588Z

A NULL pointer dereference in WLAvalancheService.exe of Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to cause a denial of service.

Published: 2024-10-08T16:27:46.696Z
Updated: 2024-10-08T18:46:21.255Z

A NULL pointer dereference in WLAvalancheService.exe of Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to cause a denial of service.

Published: 2024-10-08T16:27:46.696Z
Updated: 2024-10-08T18:46:21.255Z

XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server.

Published: 2024-08-14T02:38:00.149Z
Updated: 2024-08-14T13:47:52.793Z

Path traversal in the skin management component of Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to achieve denial of service via arbitrary file deletion.

Published: 2024-08-14T02:38:00.686Z
Updated: 2024-08-14T13:28:51.173Z

A NULL pointer dereference in WLAvalancheService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS.

Published: 2024-08-14T02:38:00.168Z
Updated: 2024-08-14T13:46:39.793Z

Improper input validation in the Central Filestore in Ivanti Avalanche 6.3.1 allows a remote authenticated attacker with admin rights to achieve RCE.

Published: 2024-08-14T02:38:00.225Z
Updated: 2024-08-16T04:01:47.192Z

An off-by-one error in WLInfoRailService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS.

Published: 2024-08-14T02:38:00.141Z
Updated: 2024-08-14T13:57:53.500Z

An unrestricted file upload vulnerability in web component of Ivanti Avalanche before 6.4.x allows an authenticated, privileged user to execute arbitrary commands as SYSTEM.

Published: 2024-05-31T17:38:31.376Z
Updated: 2024-09-19T05:08:34.779Z

A Heap Overflow vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands

Published: 2024-04-19T01:10:11.799Z
Updated: 2025-12-16T18:13:23.406Z

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to delete specific type of files and/or cause denial of service.

Published: 2024-04-19T01:10:11.772Z
Updated: 2024-08-02T00:41:55.988Z

A Null Pointer Dereference vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote attacker to perform denial of service attacks.

Published: 2024-04-19T01:10:11.863Z
Updated: 2024-08-02T00:41:56.001Z

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to delete arbitrary files, thereby leading to Denial-of-Service.

Published: 2024-04-19T01:10:11.971Z
Updated: 2024-08-02T00:41:55.951Z

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

Published: 2024-04-19T01:10:11.814Z
Updated: 2025-12-16T18:13:22.212Z

An Use-after-free vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

Published: 2024-04-19T01:10:11.777Z
Updated: 2025-12-16T18:13:22.068Z

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

Published: 2024-04-19T01:10:12.506Z
Updated: 2025-12-16T18:13:17.251Z

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

Published: 2024-04-19T01:10:11.874Z
Updated: 2025-12-16T18:13:19.788Z

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

Published: 2024-04-19T01:10:11.897Z
Updated: 2024-08-01T23:36:21.396Z

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

Published: 2024-04-19T01:10:11.872Z
Updated: 2025-12-16T18:13:19.590Z

A Heap overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to execute arbitrary commands.

Published: 2024-04-19T01:10:11.852Z
Updated: 2025-03-24T21:08:25.157Z

A Race Condition (TOCTOU) vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

Published: 2024-04-19T01:10:11.896Z
Updated: 2025-12-16T18:13:19.399Z

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

Published: 2024-04-19T01:10:11.856Z
Updated: 2024-08-01T23:36:21.246Z

A Race Condition (TOCTOU) vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

Published: 2024-04-19T01:10:11.886Z
Updated: 2024-08-01T23:36:21.233Z

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

Published: 2024-04-19T01:10:11.959Z
Updated: 2025-01-07T00:40:56.985Z

A Null Pointer Dereference vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote attacker to perform denial of service attacks.

Published: 2024-04-19T01:10:11.872Z
Updated: 2024-08-01T23:36:20.586Z

A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

Published: 2024-04-19T01:10:11.917Z
Updated: 2025-12-16T18:13:20.561Z

An Unrestricted File-upload vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

Published: 2024-04-19T01:10:11.834Z
Updated: 2025-12-16T18:13:20.417Z

An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an authenticated remote attacker to read sensitive information in memory.

Published: 2024-04-19T01:10:11.827Z
Updated: 2024-08-01T23:06:25.130Z

An out-of-bounds Read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote attacker to perform denial of service attacks. In certain conditions this could also lead to remote code execution.

Published: 2024-04-19T01:10:11.922Z
Updated: 2024-08-01T23:06:25.255Z

An Integer Overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to perform denial of service attacks. In certain rare conditions this could also lead to reading content from memory.

Published: 2024-04-19T01:10:11.825Z
Updated: 2024-08-01T23:06:25.127Z

An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory.

Published: 2024-04-19T01:10:11.824Z
Updated: 2024-08-01T23:06:24.718Z

An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory.

Published: 2024-04-19T01:10:13.141Z
Updated: 2024-08-01T23:06:24.967Z

An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory.

Published: 2024-04-19T01:10:13.138Z
Updated: 2024-08-01T23:06:25.298Z

An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory.

Published: 2024-04-24T23:12:51.975Z
Updated: 2025-03-24T19:55:29.993Z

An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory.

Published: 2024-04-19T01:10:31.066Z
Updated: 2024-08-01T23:06:25.188Z

A Heap Overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands

Published: 2024-04-19T01:10:30.635Z
Updated: 2024-08-01T22:35:34.718Z

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication. This CVE addresses incomplete fixes from CVE-2024-47010.

Published: 2025-01-14T16:53:36.325Z
Updated: 2025-01-16T19:06:15.676Z

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication. This CVE addresses incomplete fixes from CVE-2024-47010.

Published: 2025-01-14T16:53:36.325Z
Updated: 2025-01-16T19:06:15.676Z

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information. This CVE addresses incomplete fixes from CVE-2024-47011.

Published: 2025-01-14T16:52:41.501Z
Updated: 2025-01-16T19:01:55.047Z

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information. This CVE addresses incomplete fixes from CVE-2024-47011.

Published: 2025-01-14T16:52:41.501Z
Updated: 2025-01-16T19:01:55.047Z

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication.

Published: 2025-01-14T16:51:57.334Z
Updated: 2025-01-16T16:53:23.111Z

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication.

Published: 2025-01-14T16:51:57.334Z
Updated: 2025-01-16T16:53:23.111Z

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS).

Published: 2023-12-19T15:43:26.303Z
Updated: 2024-08-02T20:53:21.877Z

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS).

Published: 2023-12-19T15:43:26.341Z
Updated: 2024-08-02T20:53:21.704Z

An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack.

Published: 2023-12-19T15:43:26.348Z
Updated: 2024-08-02T20:37:40.234Z

An unauthenticated could abuse a XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forgery (SSRF).

Published: 2023-12-19T15:43:26.312Z
Updated: 2024-09-16T18:34:33.258Z

An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remove code execution.

Published: 2023-12-19T15:43:26.340Z
Updated: 2024-09-04T19:43:27.139Z

An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remote code execution.

Published: 2023-12-19T15:43:26.291Z
Updated: 2024-08-02T20:37:40.211Z

An unauthenticated attacked could send a specifically crafted web request causing a Server-Side Request Forgery (SSRF) in Ivanti Avalanche Remote Control server.

Published: 2023-12-19T15:43:26.338Z
Updated: 2024-08-02T20:37:40.231Z

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

Published: 2023-12-19T15:43:26.352Z
Updated: 2024-08-02T20:37:40.182Z

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

Published: 2023-12-19T15:43:26.348Z
Updated: 2024-11-27T15:13:51.763Z

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

Published: 2023-12-19T15:43:26.279Z
Updated: 2024-08-02T20:37:40.250Z

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

Published: 2023-12-19T15:43:26.342Z
Updated: 2024-08-02T20:37:40.140Z

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

Published: 2023-12-19T15:43:26.308Z
Updated: 2025-05-06T18:54:15.799Z

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

Published: 2023-12-19T15:43:26.285Z
Updated: 2024-08-02T20:37:40.139Z

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

Published: 2023-12-19T15:43:26.338Z
Updated: 2024-09-16T18:31:43.409Z

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

Published: 2023-12-19T15:43:26.253Z
Updated: 2024-08-02T20:37:40.182Z

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

Published: 2023-12-19T15:43:26.329Z
Updated: 2024-08-02T20:37:40.176Z

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

Published: 2023-12-19T15:43:26.331Z
Updated: 2024-08-02T20:37:40.137Z

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution.

Published: 2023-12-19T15:43:26.358Z
Updated: 2024-08-02T20:37:40.128Z

Ivanti Avalanche Incorrect Default Permissions allows Local Privilege Escalation Vulnerability

Published: 2023-11-03T18:13:19.997Z
Updated: 2024-09-06T18:25:28.360Z

Ivanti Avalanche EnterpriseServer Service Unrestricted File Upload Local Privilege Escalation Vulnerability

Published: 2023-11-03T18:13:19.979Z
Updated: 2024-09-05T14:55:18.991Z

A security vulnerability within Ivanti Avalanche Manager before version 6.4.1 may allow an unauthenticated attacker to create a buffer overflow that could result in service disruption or arbitrary code execution.

Published: 2025-07-12T03:30:40.265Z
Updated: 2026-02-26T17:50:43.005Z

Ivanti Avalanche decodeToMap XML External Entity Processing. Fixed in version 6.4.1.236

Published: 2023-08-10T18:58:24.647Z
Updated: 2024-10-09T19:34:58.135Z

An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack. Fixed in version 6.4.1.

Published: 2023-08-10T18:58:36.194Z
Updated: 2024-10-04T13:07:17.804Z

An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack. Fixed in version 6.4.1.

Published: 2023-08-10T18:58:36.194Z
Updated: 2024-10-04T13:07:17.804Z

An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack. Fixed in version 6.4.1.

Published: 2023-08-10T19:03:46.116Z
Updated: 2024-10-04T13:07:00.263Z

An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack. Fixed in version 6.4.1.

Published: 2023-08-10T19:03:46.116Z
Updated: 2024-10-04T13:07:00.263Z

An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remove code execution.

Published: 2023-08-10T19:04:43.054Z
Updated: 2024-10-09T19:33:58.502Z

An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remove code execution.

Published: 2023-08-10T19:04:43.054Z
Updated: 2024-10-09T19:33:58.502Z

An unauthenticated attacker could achieve the code execution through a RemoteControl server.

Published: 2023-08-10T19:04:48.128Z
Updated: 2025-02-13T16:54:49.972Z

An unauthenticated attacker could achieve the code execution through a RemoteControl server.

Published: 2023-08-10T19:04:48.128Z
Updated: 2025-02-13T16:54:49.972Z

An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve a remove code execution. Fixed in version 6.4.1.

Published: 2023-08-10T19:04:54.388Z
Updated: 2025-03-06T15:47:54.922Z

An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve a remove code execution. Fixed in version 6.4.1.

Published: 2023-08-10T19:04:54.388Z
Updated: 2025-03-06T15:47:54.922Z

A previously generated artifact by an administrator could be accessed by an attacker. The contents of this artifact could lead to authentication bypass. Fixed in version 6.4.1.

Published: 2023-08-10T19:07:32.960Z
Updated: 2025-03-06T15:47:28.746Z

A previously generated artifact by an administrator could be accessed by an attacker. The contents of this artifact could lead to authentication bypass. Fixed in version 6.4.1.

Published: 2023-08-10T19:07:32.960Z
Updated: 2025-03-06T15:47:28.746Z

An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in service disruption or arbitrary code execution. Thanks to a Researcher at Tenable for finding and reporting. Fixed in version 6.4.1.

Published: 2023-08-10T19:07:38.628Z
Updated: 2025-03-06T15:46:27.791Z

An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in service disruption or arbitrary code execution. Thanks to a Researcher at Tenable for finding and reporting. Fixed in version 6.4.1.

Published: 2023-08-10T19:07:38.628Z
Updated: 2025-03-06T15:46:27.791Z

An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve a remove code execution.

Published: 2023-05-09T00:00:00.000Z
Updated: 2025-01-28T20:46:12.382Z

A path traversal vulnerability exists in Avalanche version 6.3.x and below that when exploited could result in possible information disclosure.

Published: 2023-05-09T00:00:00.000Z
Updated: 2025-01-28T21:07:56.659Z

An improper authentication vulnerability exists in Avalanche version 6.3.x and below allows unauthenticated attacker to modify properties on specific port.

Published: 2023-03-10T00:00:00.000Z
Updated: 2025-02-28T17:07:14.895Z

Ivanti Avalanche Printer Device Service Missing Authentication Local Privilege Escalation Vulnerability

Published: 2023-11-03T18:13:19.919Z
Updated: 2024-09-04T20:01:58.689Z

Ivanti Avalanche Smart Device Service Missing Authentication Local Privilege Escalation Vulnerability

Published: 2023-11-03T18:13:19.970Z
Updated: 2024-09-05T19:16:03.381Z

Ivanti Avalanche Smart Device Service Missing Authentication Local Privilege Escalation Vulnerability

Published: 2023-11-03T18:13:19.970Z
Updated: 2024-09-05T19:16:03.381Z

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetSettings class. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15919.

Published: 2023-03-29T00:00:00.000Z
Updated: 2025-02-18T19:52:33.811Z

This vulnerability allows remote attackers to read arbitrary files on affected installations of Ivanti Avalanche 6.3.3.101. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the AgentTaskHandler class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose stored session cookies, leading to further compromise. Was ZDI-CAN-15967.

Published: 2023-03-29T00:00:00.000Z
Updated: 2025-02-18T19:52:06.136Z

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.3.101. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the DeviceLogResource class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15966.

Published: 2023-03-29T00:00:00.000Z
Updated: 2025-02-18T19:51:38.772Z

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the EnterpriseServer service. The issue results from the lack of proper locking when performing operations during authentication. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15528.

Published: 2023-03-29T00:00:00.000Z
Updated: 2025-02-18T19:50:52.328Z

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the AvalancheDaoSupport class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15493.

Published: 2023-03-29T00:00:00.000Z
Updated: 2025-02-18T19:50:07.700Z

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the Notification Server service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15448.

Published: 2023-03-29T00:00:00.000Z
Updated: 2025-02-18T19:49:38.376Z

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the Certificate Management Server service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15449.

Published: 2023-03-29T00:00:00.000Z
Updated: 2025-02-18T19:49:09.270Z

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the GroupDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15333.

Published: 2023-03-29T00:00:00.000Z
Updated: 2025-02-18T19:48:16.675Z

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15332.

Published: 2023-03-29T00:00:00.000Z
Updated: 2025-02-18T19:47:21.078Z

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the Web File Server service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15330.

Published: 2023-03-29T00:00:00.000Z
Updated: 2025-02-18T19:46:49.297Z

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15329.

Published: 2023-03-29T00:00:00.000Z
Updated: 2025-02-18T19:46:16.070Z

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15328.

Published: 2023-03-29T00:00:00.000Z
Updated: 2025-02-18T19:45:41.570Z

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the JwtTokenUtility class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15301.

Published: 2023-03-29T00:00:00.000Z
Updated: 2025-02-18T19:41:04.286Z

An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform an arbitrary file write.

Published: 2021-12-07T13:13:35.000Z
Updated: 2024-08-04T03:30:37.497Z

A command Injection vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary command execution.

Published: 2021-12-07T13:13:29.000Z
Updated: 2024-08-04T03:30:36.359Z

A SQL Injection vulnerability exists in Ivanti Avalance before 6.3.3 allows an attacker with access to the Inforail Service to perform privilege escalation.

Published: 2021-12-07T13:13:24.000Z
Updated: 2024-08-04T03:30:37.469Z

A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary code execution.

Published: 2021-12-07T13:13:19.000Z
Updated: 2024-08-04T03:30:37.294Z

A command injection vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary command execution.

Published: 2021-12-07T13:13:14.000Z
Updated: 2024-08-04T03:30:38.162Z

An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 using inforail Service allows Privilege Escalation via Enterprise Server Service.

Published: 2021-12-07T13:13:10.000Z
Updated: 2024-08-04T03:30:36.382Z

A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 using Inforail Service allows arbitrary code execution via Data Repository Service.

Published: 2021-12-07T13:13:01.000Z
Updated: 2024-08-04T03:30:37.722Z

An improper authorization control vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform privilege escalation.

Published: 2021-12-07T13:12:56.000Z
Updated: 2024-08-04T03:30:37.432Z

An unrestricted file upload vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to write dangerous files.

Published: 2021-12-07T13:12:49.000Z
Updated: 2024-08-04T03:30:36.382Z

An improper access control vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform a session takeover.

Published: 2021-12-07T13:12:44.000Z
Updated: 2024-08-04T03:30:37.573Z

An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack.

Published: 2023-12-19T15:43:26.251Z
Updated: 2024-08-03T18:58:26.311Z

An issue was discovered in Ivanti Avalanche for all versions between 5.3 and 6.2. The impacted products used a single shared key encryption model to encrypt data. A user with access to system databases can use the discovered key to access potentially confidential stored data, which may include Wi-Fi passwords. This discovered key can be used for all instances of the product.

Published: 2018-06-29T15:00:00.000Z
Updated: 2024-08-05T07:10:46.652Z

An issue was discovered in Ivanti Avalanche for all versions between 5.3 and 6.2. A local user with database access privileges can read the encrypted passwords for users who authenticate via LDAP to Avalanche services. These passwords are stored in the Avalanche databases. This issue only affects customers who have enabled LDAP authentication in their configuration.

Published: 2018-06-29T15:00:00.000Z
Updated: 2024-08-05T07:10:46.654Z