CVE-2017-11463

moderate-risk

Published 2017-12-11

In Ivanti Service Desk (formerly LANDESK Management Suite) versions between 2016.3 and 2017.3, an Unrestricted Direct Object Reference leads to referencing/updating objects belonging to other users. In other words, a normal user can send requests to a specific URI with the target user's username in an HTTP payload in order to retrieve a key/token and use it to access/update objects belonging to other users. Such objects could be user profiles, tickets, incidents, etc.

Do I need to act?

1.2% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (3)

Endpoint Manager

Affected Vendors

Ivanti

References (4)

https://community.ivanti.com/docs/DOC-66252

Issue Tracking https://gist.github.com/lazyhack3r/439e92419c552b5dc82b2f5e832c8bfb

https://community.ivanti.com/docs/DOC-66252

Issue Tracking https://gist.github.com/lazyhack3r/439e92419c552b5dc82b2f5e832c8bfb

/ 100

moderate-risk

Severity 30/34 · Critical

Exploitability 3/34 · Minimal

Exposure 9/34 · Low