Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-37397

Summary
Assigner-hackerone
Assigner Org ID-36234546-b8fa-4601-9d6f-f4e334aa8ea1
Published At-12 Sep, 2024 | 01:09
Updated At-13 Sep, 2024 | 15:48
Rejected At-
Credits

An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:hackerone
Assigner Org ID:36234546-b8fa-4601-9d6f-f4e334aa8ea1
Published At:12 Sep, 2024 | 01:09
Updated At:13 Sep, 2024 | 15:48
Rejected At:
▼CVE Numbering Authority (CNA)

An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets.

Affected Products
Vendor
Ivanti SoftwareIvanti
Product
EPM
Default Status
unaffected
Versions
Affected
  • From 2024 September Security Update before 2024 September Security Update (custom)
  • From 2022 SU6 before 2022 SU6 (custom)
Metrics
VersionBase scoreBase severityVector
3.08.2HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Version: 3.0
Base score: 8.2
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022
N/A
Hyperlink: https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Vendor
Ivanti Softwareivanti
Product
endpoint_manager
CPEs
  • cpe:2.3:a:ivanti:endpoint_manager:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 before 2022_su6 (custom)
  • From 0 before 2024_september_security_update (custom)
Problem Types
TypeCWE IDDescription
CWECWE-611CWE-611 Improper Restriction of XML External Entity Reference
Type: CWE
CWE ID: CWE-611
Description: CWE-611 Improper Restriction of XML External Entity Reference
Metrics
VersionBase scoreBase severityVector
3.18.2HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Version: 3.1
Base score: 8.2
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:support@hackerone.com
Published At:12 Sep, 2024 | 02:15
Updated At:10 Jul, 2025 | 21:23

An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.2HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Secondary3.08.2HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 8.2
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Type: Secondary
Version: 3.0
Base score: 8.2
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CPE Matches
Ivanti Software
ivanti
>>endpoint_manager>>Versions before 2022(exclusive)
cpe:2.3:a:ivanti:endpoint_manager:*:*:*:*:*:*:*:*
Ivanti Software
ivanti
>>endpoint_manager>>2022
cpe:2.3:a:ivanti:endpoint_manager:2022:-:*:*:*:*:*:*
Ivanti Software
ivanti
>>endpoint_manager>>2022
cpe:2.3:a:ivanti:endpoint_manager:2022:su1:*:*:*:*:*:*
Ivanti Software
ivanti
>>endpoint_manager>>2022
cpe:2.3:a:ivanti:endpoint_manager:2022:su2:*:*:*:*:*:*
Ivanti Software
ivanti
>>endpoint_manager>>2022
cpe:2.3:a:ivanti:endpoint_manager:2022:su3:*:*:*:*:*:*
Ivanti Software
ivanti
>>endpoint_manager>>2022
cpe:2.3:a:ivanti:endpoint_manager:2022:su4:*:*:*:*:*:*
Ivanti Software
ivanti
>>endpoint_manager>>2022
cpe:2.3:a:ivanti:endpoint_manager:2022:su5:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-611Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-611
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022support@hackerone.com
Vendor Advisory
Hyperlink: https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022
Source: support@hackerone.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

17Records found
CVE-2023-46805
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-8.2||HIGH
EPSS-94.40% / 99.97%
||
7 Day CHG~0.00%
Published-12 Jan, 2024 | 17:02
Updated-30 Jul, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2024-01-22||Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

Action-Not Available
Vendor-Ivanti Software
Product-policy_secureconnect_secureIPSICSConnect Secure and Policy Secure
CWE ID-CWE-287
Improper Authentication
CVE-2024-36132
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-8.2||HIGH
EPSS-0.94% / 75.24%
||
7 Day CHG-1.73%
Published-07 Aug, 2024 | 03:54
Updated-19 Mar, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insufficient verification of authentication controls in EPMM prior to 12.1.0.1 allows a remote attacker to bypass authentication and access sensitive resources.

Action-Not Available
Vendor-Ivanti Software
Product-endpoint_manager_mobileEPMM
CWE ID-CWE-287
Improper Authentication
CVE-2024-21893
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-8.2||HIGH
EPSS-94.32% / 99.94%
||
7 Day CHG~0.00%
Published-31 Jan, 2024 | 17:51
Updated-30 Jul, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2024-02-02||Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

Action-Not Available
Vendor-Ivanti Software
Product-neurons_for_zero-trust_accesspolicy_secureconnect_secureIPSICSpolicy_secureconnect_secureConnect Secure, Policy Secure, and Neurons
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2023-46265
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-6.5||MEDIUM
EPSS-1.70% / 81.51%
||
7 Day CHG~0.00%
Published-19 Dec, 2023 | 15:43
Updated-17 Sep, 2024 | 02:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unauthenticated could abuse a XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forgery (SSRF).

Action-Not Available
Vendor-Ivanti Software
Product-avalancheAvalanche
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-8256
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-4.9||MEDIUM
EPSS-2.71% / 85.31%
||
7 Day CHG~0.00%
Published-29 Sep, 2020 | 13:41
Updated-18 Nov, 2024 | 16:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to gain arbitrary file reading access through Pulse Collaboration via XML External Entity (XXE) vulnerability.

Action-Not Available
Vendor-n/aIvanti SoftwarePulse Secure
Product-pulse_connect_secureconnect_securePulse Connect Secure
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-32567
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-6.5||MEDIUM
EPSS-0.37% / 57.86%
||
7 Day CHG~0.00%
Published-10 Aug, 2023 | 18:58
Updated-09 Oct, 2024 | 19:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Ivanti Avalanche decodeToMap XML External Entity Processing. Fixed in version 6.4.1.236

Action-Not Available
Vendor-Ivanti Software
Product-avalancheWavelink
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-22024
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-8.3||HIGH
EPSS-94.30% / 99.94%
||
7 Day CHG~0.00%
Published-13 Feb, 2024 | 04:07
Updated-09 May, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication.

Action-Not Available
Vendor-IvantIvanti Software
Product-policy_secureconnect_securezero_trust_accessICSIPS
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-15352
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-6.55% / 90.75%
||
7 Day CHG~0.00%
Published-27 Oct, 2020 | 04:10
Updated-04 Aug, 2024 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML external entity (XXE) vulnerability in Pulse Connect Secure (PCS) before 9.1R9 and Pulse Policy Secure (PPS) before 9.1R9 allows remote authenticated admins to conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.

Action-Not Available
Vendor-n/aIvanti SoftwarePulse Secure
Product-pulse_policy_securepolicy_securepulse_connect_secureconnect_securen/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-38343
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.46% / 63.34%
||
7 Day CHG~0.00%
Published-21 Sep, 2023 | 00:00
Updated-24 Sep, 2024 | 16:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. External entity references are enabled in the XML parser configuration. Exploitation of this vulnerability can lead to file disclosure or Server Side Request Forgery.

Action-Not Available
Vendor-n/aIvanti Software
Product-endpoint_managern/aendpoint_manager
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-38653
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-8.2||HIGH
EPSS-86.26% / 99.36%
||
7 Day CHG~0.00%
Published-14 Aug, 2024 | 02:38
Updated-15 Aug, 2024 | 17:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server.

Action-Not Available
Vendor-Ivanti Software
Product-avalancheAvalancheavalanche
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2024-34711
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.3||CRITICAL
EPSS-0.05% / 15.84%
||
7 Day CHG+0.01%
Published-10 Jun, 2025 | 14:33
Updated-26 Aug, 2025 | 16:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GeoServer has improper ENTITY_RESOLUTION_ALLOWLIST URI validation in XML Processing (SSRF)

GeoServer is an open source server that allows users to share and edit geospatial data. An improper URI validation vulnerability exists that enables an unauthorized attacker to perform XML External Entities (XEE) attack, then send GET request to any HTTP server. By default, GeoServer use PreventLocalEntityResolver class from GeoTools to filter out malicious URIs in XML entities before resolving them. The URI must match the regex (?i)(jar:file|http|vfs)[^?#;]*\\.xsd. But the regex leaves a chance for attackers to request to any HTTP server or limited file. Attacker can abuse this to scan internal networks and gain information about them then exploit further. GeoServer 2.25.0 and greater default to the use of ENTITY_RESOLUTION_ALLOWLIST and does not require you to provide a system property.

Action-Not Available
Vendor-osgeogeoserver
Product-geoservergeoserver
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2023-28682
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-8.2||HIGH
EPSS-0.12% / 32.47%
||
7 Day CHG~0.00%
Published-23 Mar, 2023 | 11:26
Updated-25 Feb, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Action-Not Available
Vendor-Jenkins
Product-performance_publisherJenkins Performance Publisher Plugin
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-28681
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-8.2||HIGH
EPSS-0.12% / 32.47%
||
7 Day CHG~0.00%
Published-23 Mar, 2023 | 11:26
Updated-25 Feb, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Visual Studio Code Metrics Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Action-Not Available
Vendor-Jenkins
Product-visual_studio_code_metricsJenkins Visual Studio Code Metrics Plugin
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2025-54445
Matching Score-4
Assigner-Samsung TV & Appliance
ShareView Details
Matching Score-4
Assigner-Samsung TV & Appliance
CVSS Score-8.2||HIGH
EPSS-0.04% / 11.13%
||
7 Day CHG~0.00%
Published-23 Jul, 2025 | 05:31
Updated-15 Aug, 2025 | 14:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Restriction of XML External Entity Reference vulnerability in Samsung Electronics MagicINFO 9 Server allows Server Side Request Forgery.This issue affects MagicINFO 9 Server: less than 21.1080.0.

Action-Not Available
Vendor-SamsungSamsung Electronics
Product-magicinfo_9_serverMagicINFO 9 Server
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-28683
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-8.2||HIGH
EPSS-0.12% / 32.47%
||
7 Day CHG~0.00%
Published-23 Mar, 2023 | 11:26
Updated-21 Feb, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Action-Not Available
Vendor-Jenkins
Product-phabricator_differentialJenkins Phabricator Differential Plugin
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2022-2458
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-8.2||HIGH
EPSS-0.11% / 29.32%
||
7 Day CHG~0.00%
Published-09 Aug, 2022 | 20:15
Updated-03 Aug, 2024 | 00:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XML external entity injection(XXE) is a vulnerability that allows an attacker to interfere with an application's processing of XML data. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Here, XML external entity injection lead to External Service interaction & Internal file read in Business Central and also Kie-Server APIs.

Action-Not Available
Vendor-n/aRed Hat, Inc.
Product-process_automation_managerRed Hat Process Automation Manager 7
CWE ID-CWE-91
XML Injection (aka Blind XPath Injection)
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2023-3113
Matching Score-4
Assigner-Lenovo Group Ltd.
ShareView Details
Matching Score-4
Assigner-Lenovo Group Ltd.
CVSS Score-8.2||HIGH
EPSS-0.10% / 29.16%
||
7 Day CHG~0.00%
Published-26 Jun, 2023 | 19:44
Updated-03 Dec, 2024 | 18:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unauthenticated XML external entity injection (XXE) vulnerability exists in LXCA's Common Information Model (CIM) server that could result in read-only access to specific files.

Action-Not Available
Vendor-Lenovo Group Limited
Product-xclarity_administratorLenovo XClarity Administrator
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
Details not found