A command injection vulnerability in Ivanti Sentry prior to 9.19.0 allows unauthenticated threat actor to execute arbitrary commands on the underlying operating system of the appliance within the same physical or logical network.
Source: HackerOne
Max CVSS
9.6
EPSS Score
0.05%
Published
2024-03-31
Updated
2024-04-01
MobileIron Mobile@Work through 2021-03-22 allows attackers to distinguish among valid, disabled, and nonexistent user accounts by observing the number of failed login attempts needed to produce a Lockout error message
Source: MITRE
Max CVSS
5.3
EPSS Score
0.08%
Published
2021-03-29
Updated
2021-04-06
The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded encryption key, used to encrypt the submission of username/password details during the authentication process, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in the com/mobileiron/common/utils/C4928m.java file. NOTE: It has been asserted that there is no causality or connection between credential encryption and the MiTM attack
Source: MITRE
Max CVSS
9.8
EPSS Score
0.46%
Published
2021-03-29
Updated
2024-05-17
The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in com/mobileiron/registration/RegisterActivity.java and can be used for api/v1/gateway/customers/servers requests. NOTE: Vendor states that this is an opt-in feature to the product - it is not enabled by default and customers cannot enable it without an explicit email to support. At this time, they do not plan change to make any changes to this feature.
Source: MITRE
Max CVSS
7.5
EPSS Score
0.22%
Published
2021-03-29
Updated
2024-05-17
An arbitrary file reading vulnerability in MobileIron Core versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 that allows remote attackers to read files on the system via unspecified vectors.
Source: MITRE
Max CVSS
7.5
EPSS Score
0.53%
Published
2020-07-07
Updated
2021-07-21
An authentication bypass vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 that allows remote attackers to bypass authentication mechanisms via unspecified vectors.
Source: MITRE
Max CVSS
9.8
EPSS Score
0.99%
Published
2020-07-07
Updated
2021-07-21

CVE-2020-15505

Known exploited
Public exploit
A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; and Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier that allows remote attackers to execute arbitrary code via unspecified vectors.
Source: MITRE
Max CVSS
9.8
EPSS Score
97.53%
Published
2020-07-07
Updated
2023-01-27
CISA KEV Added
2021-11-03
The Mobile@Work (aka com.mobileiron) application 6.0.0.1.12R for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
Source: CERT/CC
Max CVSS
5.4
EPSS Score
0.05%
Published
2014-09-15
Updated
2014-09-23
MobileIron VSP versions prior to 5.9.1 and Sentry versions prior to 5.0 have an authentication bypass vulnerability due to an XML file with obfuscated passwords
Source: MITRE
Max CVSS
9.1
EPSS Score
19.40%
Published
2020-01-08
Updated
2020-01-10
MobileIron VSP < 5.9.1 and Sentry < 5.0 has an insecure encryption scheme.
Source: MITRE
Max CVSS
10.0
EPSS Score
0.64%
Published
2020-02-13
Updated
2020-02-21
10 vulnerabilities found
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!