SA40771 - 2017-07 Security Bulletin: Pulse Connect Secure (PCS) / Pulse Policy Secure (PPS): Cross Site Scripting Issue

Multiple cross site scripting issues has been found in the Pulse Connect Secure / Pulse Policy Secure device. The cause of this issue is due to incorrect validation of user input sent to the web server.  This does require the user to be logged in as administrator and not applicable end user portal.

These issues have been assigned the following CVEs:

• CVE-2017-11194
• CVE-2017-11196
• CVE-2017-11195
• CVE-2017-11193

This issue is resolved in the following PCS/PPS releases:

• Pulse Connect Secure-8.3R2.1 Software (Build 58581) is now available for download on Pulse Secure Licensing and Download Center
• Pulse Connect Secure-8.2R8.2 Software (Build 58717) is now available for download on Pulse Secure Licensing and Download Center
• Pulse Connect Secure-8.1R12.1 Software (Build 58855) is now available for download on Pulse Secure Licensing and Download Center
• Pulse Connect Secure-8.0R17.0 Software (Build 58013) is now available for download on Pulse Secure Licensing and Download Center

 

• Pulse Policy Secure-5.4R2.1 Software (Build 45161) is now available for download on Pulse Secure Licensing and Download Center
• Pulse Policy Secure-5.3R8.2 Software (Build 45337) is now available for download on Pulse Secure Licensing and Download Center
• Pulse Policy Secure-5.2R9.1 Software (Build 45333) is now available for download on Pulse Secure Licensing and Download Center

July 12, 2017 - Initial document posted
August 3, 2017 - Fixed versions PCS 8.3R2.1, 8.2R8.2, 8.1R12.1 and 8.0R17 / PPS 5.4R2.1, 5.3R8.2 and 5.2R91 released

This vulnerability was discovered and responsibly reported to Pulse Secure by Corben Douglas (@sxcurity)