Reset Search



JSA10589 - 2013-09 Security Bulletin: Pulse Connect Secure (PCS): Multiple cross site scripting issues

« Go Back


Product AffectedSA700, SA2500, FIPS SA4000, SA4500, FIPS SA4500, FIPS SA6000, SA6500, FIPS SA6500, MAG2600, MAG4610, MAG6610, and MAG6611
Multiple cross site scripting issues have been found in the Pulse Connect Secure (PCS) product. The issues are the result of incorrect validation of user input sent to the PCS web server. These issues exist within files that pertains to login pages, as well as a support related page that is only accessible by an authenticated session.

Note: The specific cross site scripting issues contained in this advisory do not affect Pulse Policy Secure (PPS) OS.

Pulse Secure SIRT is not aware of any malicious exploitation of these vulnerabilities.
The issues are fixed in PCS releases 7.4R3, 7.3R6, 7.2R11, 7.1R15, and all subsequent releases.

There are no viable workarounds for these issues. The affected pages are needed for normal operation and cannot be disabled.
Related Links
CVSS Score4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Risk AssessmentSuccessful exploit of this vulnerability could allow an attacker to dynamically create arbitrary active content which could be rendered in the user's browser, leading to possible session theft, service disruption, or other information disclosure.
Pulse Secure would like to thank Sandro Gauci of EnableSecurity for responsibly reporting one of the issues included in this advisory.
Alert Type 
Risk LevelMedium
Attachment 1 
Attachment 2 
Legacy IDJSA10589



Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255