CVE-2019-11543 : Security Advisory and Response

A Cross-Site Scripting (XSS) vulnerability in Pulse Secure Pulse Connect Secure and Pulse Policy Secure versions.

Understanding CVE-2019-11543

What is CVE-2019-11543?

The admin web console in Pulse Secure Pulse Connect Secure (PCS) versions 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, and 8.1RX before 8.1R15.1, as well as Pulse Policy Secure versions 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, and 5.2RX before 5.2R12.1, is vulnerable to Cross-Site Scripting (XSS).

The Impact of CVE-2019-11543

This vulnerability has a CVSS base score of 8.3 (High severity) with a significant impact on confidentiality, integrity, and availability of the affected systems.

Technical Details of CVE-2019-11543

Vulnerability Description

The XSS vulnerability allows attackers to inject malicious scripts into web pages viewed by users, potentially leading to unauthorized access or data theft.

Affected Systems and Versions

Pulse Connect Secure (PCS) versions 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, and 8.1RX before 8.1R15.1
Pulse Policy Secure versions 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, and 5.2RX before 5.2R12.1

Exploitation Mechanism

Attack Complexity: High
Attack Vector: Network
Privileges Required: None
User Interaction: Required
Scope: Changed

Mitigation and Prevention

Immediate Steps to Take

Apply security patches provided by Pulse Secure to fix the XSS vulnerability.
Monitor web console activities for any suspicious behavior.

Long-Term Security Practices

Regularly update and patch all software and systems to prevent future vulnerabilities.
Educate users about the risks of clicking on unknown links or visiting untrusted websites.

Patching and Updates

Keep Pulse Secure products up to date with the latest security patches to mitigate the XSS risk.