Vulnerability Details : CVE-2017-17947
A cross site scripting issue has been found in custompage.cgi in Pulse Secure Pulse Connect Secure (PCS) before 8.0R17.0, 8.1.x before 8.1R13, 8.2.x before 8.2R9, and 8.3.x before 8.3R3 and Pulse Policy Secure (PPS) before 5.2R10, 5.3.x before 5.3R9, and 5.4.x before 5.4R3 due to one of the URL parameters not being sanitized. Exploitation does require the user to be logged in as administrator; the issue is not applicable to the end user portal.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2017-17947
- cpe:2.3:a:pulsesecure:pulse_connect_secure:*:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_connect_secure:*:*:*:*:*:*:*:*
- Pulsesecure » Pulse Connect SecureVersions from including (>=) 8.2 and up to, including, (<=) 8.2r9cpe:2.3:a:pulsesecure:pulse_connect_secure:*:*:*:*:*:*:*:*
- cpe:2.3:a:pulsesecure:pulse_connect_secure:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-17947
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 21 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-17947
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.5
|
LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
6.8
|
2.9
|
NIST | |
4.8
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
1.7
|
2.7
|
NIST |
CWE ids for CVE-2017-17947
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-17947
-
http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA43018
Pulse Security Advisory: SA43018 - 2018-01 Out-Of-Cycle Advisory: Pulse Connect Secure (PCS) / Pulse Policy Secure (PPS): Cross Site Scripting IssuePatch;Vendor Advisory
Jump to