CVE-2019-11540

In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4 and 8.3RX before 8.3R7.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2 and 5.4RX before 5.4R7.1, an unauthenticated, remote attacker can conduct a session hijacking attack.

Published: Apr 26, 2019
Updated: Apr 13, 2023
CVE: CVE-2019-11540
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
pulsesecure / pulse_policy_secure	5.4r1	5.4r1.x
pulsesecure / pulse_policy_secure	5.4r2	5.4r2.x
pulsesecure / pulse_policy_secure	5.4r2.1	5.4r2.1.x
pulsesecure / pulse_policy_secure	5.4r3	5.4r3.x
pulsesecure / pulse_policy_secure	5.4rx	5.4rx.x
pulsesecure / pulse_connect_secure	8.3rx	8.3rx.x
pulsesecure / pulse_policy_secure	5.4r4	5.4r4.x
pulsesecure / pulse_policy_secure	5.4r5	5.4r5.x
pulsesecure / pulse_policy_secure	5.4r5.2	5.4r5.2.x
pulsesecure / pulse_policy_secure	5.4r6	5.4r6.x
pulsesecure / pulse_policy_secure	5.4r6.1	5.4r6.1.x
pulsesecure / pulse_policy_secure	5.4r7	5.4r7.x
pulsesecure / pulse_policy_secure	9.0r1	9.0r1.x
pulsesecure / pulse_policy_secure	9.0r2	9.0r2.x
pulsesecure / pulse_policy_secure	9.0r2.1	9.0r2.1.x
pulsesecure / pulse_policy_secure	9.0r3	9.0r3.x
pulsesecure / pulse_policy_secure	9.0r3.1	9.0r3.1.x
pulsesecure / pulse_policy_secure	9.0rx	9.0rx.x
pulsesecure / pulse_connect_secure	9.0r1	9.0r1.x
pulsesecure / pulse_connect_secure	9.0r2	9.0r2.x
pulsesecure / pulse_connect_secure	9.0r2.1	9.0r2.1.x
pulsesecure / pulse_connect_secure	9.0r3	9.0r3.x
pulsesecure / pulse_connect_secure	9.0r3.1	9.0r3.1.x
pulsesecure / pulse_connect_secure	9.0r3.2	9.0r3.2.x
pulsesecure / pulse_connect_secure	9.0rx	9.0rx.x
ivanti / connect_secure	8.3	8.3.x

Vulnerability Database

289,784

CVE-2019-11540