CVE-2022-21826
N/A
N/A
Summary
Pulse Secure version 9.115 and below may be susceptible to client-side http request smuggling, When the application receives a POST request, it ignores the request's Content-Length header and leaves the POST body on the TCP/TLS socket. This body ends up prefixing the next HTTP request sent down that connection, this means when someone loads website attacker may be able to make browser issue a POST to the application, enabling XSS.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | Pulse Connect Secure VPN Server | 9.1R14 and below | affected |
Weaknesses
- CWE-444: HTTP Request Smuggling (CWE-444)
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.