CWE
444 79
Advisory Published
Updated

CVE-2022-21826: XSS

First published: Fri Sep 30 2022(Updated: )

Pulse Secure version 9.115 and below may be susceptible to client-side http request smuggling, When the application receives a POST request, it ignores the request's Content-Length header and leaves the POST body on the TCP/TLS socket. This body ends up prefixing the next HTTP request sent down that connection, this means when someone loads website attacker may be able to make browser issue a POST to the application, enabling XSS.

Credit: support@hackerone.com support@hackerone.com

Affected SoftwareAffected VersionHow to fix
Pulsesecure Pulse Connect Secure<9.1
Pulsesecure Pulse Connect Secure=9.1
Pulsesecure Pulse Connect Secure=9.1-r1
Pulsesecure Pulse Connect Secure=9.1-r1.0
Pulsesecure Pulse Connect Secure=9.1-r10.0
Pulsesecure Pulse Connect Secure=9.1-r10.2
Pulsesecure Pulse Connect Secure=9.1-r11.0
Pulsesecure Pulse Connect Secure=9.1-r11.1
Pulsesecure Pulse Connect Secure=9.1-r11.3
Pulsesecure Pulse Connect Secure=9.1-r11.4
Pulsesecure Pulse Connect Secure=9.1-r12
Pulsesecure Pulse Connect Secure=9.1-r12.1
Pulsesecure Pulse Connect Secure=9.1-r12.2
Pulsesecure Pulse Connect Secure=9.1-r13
Pulsesecure Pulse Connect Secure=9.1-r15
Pulsesecure Pulse Connect Secure=9.1-r2
Pulsesecure Pulse Connect Secure=9.1-r2.0
Pulsesecure Pulse Connect Secure=9.1-r3
Pulsesecure Pulse Connect Secure=9.1-r3.0
Pulsesecure Pulse Connect Secure=9.1-r4
Pulsesecure Pulse Connect Secure=9.1-r4.0
Pulsesecure Pulse Connect Secure=9.1-r4.1
Pulsesecure Pulse Connect Secure=9.1-r4.2
Pulsesecure Pulse Connect Secure=9.1-r4.3
Pulsesecure Pulse Connect Secure=9.1-r5
Pulsesecure Pulse Connect Secure=9.1-r5.0
Pulsesecure Pulse Connect Secure=9.1-r6
Pulsesecure Pulse Connect Secure=9.1-r6.0
Pulsesecure Pulse Connect Secure=9.1-r7
Pulsesecure Pulse Connect Secure=9.1-r7.0
Pulsesecure Pulse Connect Secure=9.1-r8
Pulsesecure Pulse Connect Secure=9.1-r8.0
Pulsesecure Pulse Connect Secure=9.1-r8.1
Pulsesecure Pulse Connect Secure=9.1-r8.2
Pulsesecure Pulse Connect Secure=9.1-r8.4
Pulsesecure Pulse Connect Secure=9.1-r9
Pulsesecure Pulse Connect Secure=9.1-r9.0
Pulsesecure Pulse Connect Secure=9.1-r9.1
Pulsesecure Pulse Connect Secure=9.1-r9.2
Ivanti Connect Secure=9.1
Ivanti Connect Secure=9.1-r1
Ivanti Connect Secure=9.1-r1.0
Ivanti Connect Secure=9.1-r10.0
Ivanti Connect Secure=9.1-r10.2
Ivanti Connect Secure=9.1-r11.0
Ivanti Connect Secure=9.1-r11.1
Ivanti Connect Secure=9.1-r11.3
Ivanti Connect Secure=9.1-r11.4
Ivanti Connect Secure=9.1-r12
Ivanti Connect Secure=9.1-r12.1
Ivanti Connect Secure=9.1-r12.2
Ivanti Connect Secure=9.1-r13
Ivanti Connect Secure=9.1-r15
Ivanti Connect Secure=9.1-r2
Ivanti Connect Secure=9.1-r2.0
Ivanti Connect Secure=9.1-r3
Ivanti Connect Secure=9.1-r3.0
Ivanti Connect Secure=9.1-r4
Ivanti Connect Secure=9.1-r4.0
Ivanti Connect Secure=9.1-r4.1
Ivanti Connect Secure=9.1-r4.2
Ivanti Connect Secure=9.1-r4.3
Ivanti Connect Secure=9.1-r5
Ivanti Connect Secure=9.1-r5.0
Ivanti Connect Secure=9.1-r6
Ivanti Connect Secure=9.1-r6.0
Ivanti Connect Secure=9.1-r7
Ivanti Connect Secure=9.1-r7.0
Ivanti Connect Secure=9.1-r8
Ivanti Connect Secure=9.1-r8.0
Ivanti Connect Secure=9.1-r8.1
Ivanti Connect Secure=9.1-r8.2
Ivanti Connect Secure=9.1-r8.4
Ivanti Connect Secure=9.1-r9
Ivanti Connect Secure=9.1-r9.0
Ivanti Connect Secure=9.1-r9.1
Ivanti Connect Secure=9.1-r9.2

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Frequently Asked Questions

  • What is CVE-2022-21826?

    CVE-2022-21826 is a vulnerability in Pulse Secure version 9.115 and below that enables client-side HTTP request smuggling.

  • How does CVE-2022-21826 affect Pulse Secure?

    CVE-2022-21826 affects Pulse Secure version 9.115 and below by allowing an attacker to perform client-side HTTP request smuggling.

  • What is the severity of CVE-2022-21826?

    CVE-2022-21826 has a severity rating of medium with a CVSS score of 5.4.

  • How can I fix CVE-2022-21826 in Pulse Secure?

    To fix CVE-2022-21826 in Pulse Secure, you should update to a version higher than 9.115.

  • Where can I find more information about CVE-2022-21826?

    You can find more information about CVE-2022-21826 at the following link: [Pulse Security Advisories](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/Client-Side-Desync-Attack/)

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203