CVE-2017-11196 Information

Description

Pulse Connect Secure 8.3R1 has CSRF in logout.cgi. The logout function of the admin panel is not protected by any CSRF tokens thus allowing an attacker to logout a user by making them visit a malicious web page.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Reference

http://www.securityfocus.com/bid/99613 http://www.sxcurity.pro/Multiple20XSS20and20CSRF20in20Pulse20Connect20Secure20v8.3R1.pdf https://twitter.com/sxcurity/status/884556905145937921

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.8