What is CVE-2019-11581?
Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability
In Jira Server and Data Center, there was a server-side template injection vulnerability in the contact administrators and send bulk mail actions.
At least one of the following conditions must hold for this vulnerability to be exploitable: either Jira has been configured with an SMTP server and the Contact Administrators Form has been enabled, or Jira has been configured with an SMTP server and the attacker has access to "JIRA Administrators". In the first scenario, attackers can exploit the flaw without authentication; in the second, attackers with access to "JIRA Administrators" can use it. In either scenario, successful exploitation allows an attacker to execute code remotely on systems running a vulnerable version of Jira Server or Data Center.
| Field | Details |
| --- | --- |
| CVE ID | CVE-2019-11581 |
| Vulnerability Name | Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability |
| Vendor | Atlassian |
| Product | Jira Server and Data Center |
| Date added to the catalog | 2022-03-07 |
| Description | A server-side template injection vulnerability in Atlassian Jira Server and Data Center allows for remote code execution. |
| Severity (out of 10) | 9.8 |
| Impact | Jira Server and Data Center versions from 4.4.0 to 7.6.14, from 7.7.0 to 7.13.5, from 8.0.0 to 8.0.3, and from 8.1.0 to 8.2.0 are affected by the vulnerability. |
| Remediation | Fixes are available in Jira versions 7.6.14, 7.13.5, 8.0.3, 8.1.2 and 8.2.3, downloadable from the Jira site. |
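As an added illustration (not code from the original page or from Atlassian), the following Python helper checks an inventory of Jira versions against the affected ranges listed above, which is the first triage step a defender takes when a catalog entry like this lands. It assumes each affected range runs from the listed lower bound up to, but not including, the fixed release named under Remediation, so the "8.1.0 to 8.2.0" range is read as [8.1.0, 8.1.2) plus [8.2.0, 8.2.3); the hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges for CVE-2019-11581 as read from this page. Each range starts
# at the listed lower bound (inclusive) and ends at the fixed release named in
# the Remediation row (exclusive). The exclusive upper bound is an assumption
# made here, chosen so that the fixed releases themselves report "not affected".
AFFECTED_RANGES = (
    ((4, 4, 0), (7, 6, 14)),
    ((7, 7, 0), (7, 13, 5)),
    ((8, 0, 0), (8, 0, 3)),
    ((8, 1, 0), (8, 1, 2)),
    ((8, 2, 0), (8, 2, 3)),
)


def parse_version(text: str) -> Optional[Version]:
    """Parse a dotted Jira version such as '8.1.1' into a tuple of ints.

    Returns None for strings that are not plain dotted numbers (e.g. 'latest'),
    so callers can flag them for manual review instead of silently skipping.
    """
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*", text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad to three components so '8.2' compares the same way as '8.2.0'.
    if len(parts) < 3:
        parts = parts + (0,) * (3 - len(parts))
    return parts


def is_affected(version_text: str) -> Optional[bool]:
    """True if the version falls in an affected range, False if not, None if unparseable."""
    v = parse_version(version_text)
    if v is None:
        return None
    # Tuple comparison is lexicographic, which is exactly dotted-version ordering.
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) rows for a host inventory."""
    rows = []
    for host, version in inventory:
        result = is_affected(version)
        if result is None:
            status = "unparseable"
        elif result:
            status = "AFFECTED"
        else:
            status = "not affected"
        rows.append((host, version, status))
    return rows


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = [
        ("jira-prod-01", "8.1.1"),
        ("jira-dev-02", "7.13.5"),
        ("jira-old-03", "7.6.2"),
        ("jira-dc-04", "8.2.0"),
        ("jira-unknown", "latest"),
    ]
    for row in triage(sample):
        print("\t".join(row))
```

Versions that do not parse are reported as "unparseable" rather than dropped, so an inventory entry with a bad version string still surfaces for follow-up.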
What is CVE-2020-8218?
Pulse Connect Secure Code Injection Vulnerability
This vulnerability allows an unauthenticated user to execute arbitrary code remotely (RCE). Pulse Connect Secure 9.1R8 has a code injection vulnerability that allows an attacker to craft a URI and execute arbitrary code via the admin web interface. Although exploitation requires an authenticated administrator, an administrator can trigger it merely by clicking a malicious link.
The admin portal's downloadlicenses.cgi file contains a command injection vulnerability.
Although successful exploitation requires administrator privileges, the most likely path to obtaining them is an email containing a link to a malicious URL that entices an administrator to click it.
VPNs have become increasingly crucial during the shutdown, allowing enterprises to secure corporate communications and verify users. Although exploitation depends on a phishing link to obtain an authenticated session, CVE-2020-8218 should not be overlooked.
| Field | Details |
| --- | --- |
| CVE ID | CVE-2020-8218 |
| Vulnerability Name | Pulse Connect Secure Code Injection Vulnerability |
| Vendor | Pulse Secure |
| Product | Pulse Connect Secure |
| Date added to the catalog | 2022-03-07 |
| Description | Pulse Connect Secure has a code injection vulnerability that allows an attacker to craft a URI and execute arbitrary code via the admin web interface. |
| Severity (out of 10) | 7.2 (High) |
| Impact | This vulnerability affects Pulse Connect Secure and Pulse Policy Secure. |
| Remediation | This vulnerability can be patched by updating to Pulse Connect Secure (PCS) 9.1R8 or Pulse Policy Secure (PPS) 9.1R8. |