JSA10617 - 2014-03 Security Bulletin: Pulse Connect Secure: Cross site scripting issue (CVE-2014-2291)

Product Affected: This issue can affect all: SA700, SA2000, SA2500, SA4000, FIPS SA4000, SA4500, FIPS SA4500, SA6000, FIPS SA6000, SA6500, FIPS SA6500, MAG2600, MAG4610, MAG6610, and MAG6611. The affected software releases include PCS 7.1, 7.3, 7.4, and 8.0.
A cross site scripting issue has been found in the Pulse Connect Secure product. The problem is a result of incorrect user input validation on the web server. The issue exists within a file that pertains to the Pulse Collaboration (Secure Meeting) user pages that are only accessible by an authenticated session. This issue is only present when the Pulse Collaboration feature is enabled on a user's role.

Pulse Secure SIRT is not aware of any malicious exploitation of this vulnerability.

This issue has been assigned CVE-2014-2291.
The issue is fixed in PCS releases: 8.0r1, 7.4r8, 7.3r10, and 7.1r18, and all subsequent releases.
This issue can be avoided if the Pulse Collaboration (Secure Meeting) feature is disabled. If this feature is enabled, an upgrade to a fixed version is required to resolve this issue.

To disable this feature, navigate from the admin page to the following page: Users --> User Roles --> (uncheck) "Meetings" --> Click "Save"
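
The following triage check is an added example, not code from the vendor or this bulletin. It combines the fixed-release list with the Meetings workaround to classify an appliance. It assumes version strings of the form MAJOR.MINORrN, treats release trains newer than 8.0 as "subsequent releases", and takes the Meetings setting as an input supplied by the administrator; the function names and hostnames are hypothetical.

```python
import re

# Fixed revision per release train, as listed in this bulletin:
# 8.0r1, 7.4r8, 7.3r10 and 7.1r18.
FIXED_REVISION = {(8, 0): 1, (7, 4): 8, (7, 3): 10, (7, 1): 18}

# Assumed version format: MAJOR.MINOR followed by r<revision>, e.g. "7.4r8".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)[rR](\d+)\s*$")


def parse_release(version):
    """Split a version string into ((major, minor), revision)."""
    match = _VERSION_RE.match(version)
    if match is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, revision = (int(g) for g in match.groups())
    return (major, minor), revision


def assess(version, meetings_enabled):
    """Classify one appliance against CVE-2014-2291.

    meetings_enabled: True if any user role has "Meetings" checked
    (supplied by the administrator; this script does not query the device).
    """
    train, revision = parse_release(version)
    if train not in FIXED_REVISION:
        # Assumption: trains newer than 8.0 count as "subsequent releases";
        # older or unlisted trains are not covered by the bulletin either way.
        return "fixed" if train > max(FIXED_REVISION) else "not-listed"
    if revision >= FIXED_REVISION[train]:
        return "fixed"
    # Affected release: exposure depends on the Meetings role option.
    return "vulnerable" if meetings_enabled else "mitigated"


if __name__ == "__main__":
    # Constructed inventory: (hostname, version, Meetings enabled on a role).
    inventory = [
        ("vpn-a.example", "7.4r7", True),
        ("vpn-b.example", "7.3r9", False),
        ("vpn-c.example", "7.1r18", True),
    ]
    for host, version, meetings in inventory:
        print(f"{host}: {version} -> {assess(version, meetings)}")
```

A "mitigated" result means the workaround is in place on an affected release; re-enabling Meetings on any role makes the issue reachable again until the appliance is upgraded.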
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Risk Assessment: Successful exploitation of this vulnerability could allow an attacker to dynamically create arbitrary active content which could be rendered in the user's browser, leading to possible session theft, service disruption, or other information disclosure.
Risk Level: Low
Legacy ID: JSA10617


