


JSA10412 - VU#261869 - Clientless PCS products break web browser's domain-based security models



Product Affected: IVE: SA_6500, SA_4500, SA_2500, SA_6000_SP, SA_6000, SA_5000, SA_4000, SA_3000, SA_2000, SA_1000, SA_700
Clientless PCS products from multiple vendors operate in a way that breaks fundamental browser security mechanisms. An attacker could use these devices to bypass authentication or conduct other web-based attacks.

Please see VU#261869 at for further details.
KB15799 - Pulse Secure recommendations for mitigating VU#261869 provides steps to mitigate the issue using Pulse Secure PCS product features. At the moment there is no solution available; however, Pulse Secure continues to explore the best path forward to address all possible exploit paths.
Risk Assessment: This issue may be limited by constraining the web servers for which the PCS device rewrites content.
Pulse Secure would like to acknowledge the following customers for bringing this to our attention:
FishNet Security, Inc.
Logica Nederland BV
Alert Type: PSN - Product Support Notification
Risk Level: Medium
Legacy ID: PSN-2009-11-580, JSA10412


