CyberSec.Space Logo
返回 CVE 瀏覽器

CVE-2017-11463

HIGH
8.8
CVSS Severity Score
EPSS Score0.2000%
EPSS Percentile13.48th
Published2017年12月11日
Last Modified2026年5月13日

Vulnerability Description

In Ivanti Service Desk (formerly LANDESK Management Suite) versions between 2016.3 and 2017.3, an Unrestricted Direct Object Reference leads to referencing/updating objects belonging to other users. In other words, a normal user can send requests to a specific URI with the target user's username in an HTTP payload in order to retrieve a key/token and use it to access/update objects belonging to other users. Such objects could be user profiles, tickets, incidents, etc.

Affected Platforms (CPE)

📦
Ivanti

Endpoint Manager

= 2016.4
📦
Ivanti

Endpoint Manager

= 2017.1
📦
Ivanti

Endpoint Manager

= 2017.3

References & Advisories

🔗 https://community.ivanti.com/docs/DOC-66252
🔗 https://gist.github.com/lazyhack3r/439e92419c552b5dc82b2f5e832c8bfb
🔗 https://community.ivanti.com/docs/DOC-66252
🔗 https://gist.github.com/lazyhack3r/439e92419c552b5dc82b2f5e832c8bfb

相關漏洞威脅

CVE-2011-186710.0

Stack-based buffer overflow in iNodeMngChecker.exe in the User Access Manager (UAM) 5.0 before SP1 E0101P03 and Endpoint Admission...

CVE-2009-142910.0

The Intel LANDesk Common Base Agent (CBA) in Symantec Alert Management System 2 (AMS2), as used in Symantec System Center (SSS); S...

CVE-2021-138810.0

A vulnerability in an API endpoint of Cisco ACI Multi-Site Orchestrator (MSO) installed on the Application Services Engine could a...

CVE-2020-137749.9

An unrestricted file-upload issue in EditLaunchPadDialog.aspx in Ivanti Endpoint Manager 2019.1 and 2020.1 allows an authenticated...