CVE-2024-38653

CVSS 8.2 HIGH · EPSS 92.0% · CWE-611
In short

A flaw in Ivanti Avalanche 6.3.1 allows attackers to read any file on the server by sending specially crafted XML requests, without needing to log in. This can expose sensitive data like configuration files or credentials.

Technical detail

An XML External Entity (XXE) injection vulnerability in the SmartDeviceServer component of Ivanti Avalanche 6.3.1 allows an unauthenticated remote attacker to read arbitrary files via a malicious XML payload: the server's XML parser resolves external entities declared in an attacker-supplied DOCTYPE, so an entity pointing at a local file is expanded and its contents are returned to the attacker. Exploitation requires only network access to the affected endpoint and no authentication; successful exploitation discloses any file the Avalanche service account can read (the CVSS vector rates confidentiality impact high, integrity impact none, and availability impact low).
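The parser misconfiguration behind this class of bug, as an added example that is not Ivanti's code: Avalanche is not written in Python, but the same failure (external general entities resolved from an untrusted DOCTYPE) is reproduced here with the standard-library `xml.sax` parser. The "secret" file, its contents and the payload are constructed for the demo; the vulnerable parser turns the feature on explicitly, the hardened parser keeps it off and rejects any DOCTYPE outright, which is the usual defence when the application never legitimately needs a DTD.

```python
"""XXE (CWE-611) demo: a parser that resolves external general entities hands
the attacker any file the server process can read. Constructed example using
Python's stdlib xml.sax; this is not Ivanti Avalanche / SmartDeviceServer code."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)


class TextCollector(ContentHandler):
    """Accumulate character data so we can see what the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


class RejectDoctype:
    """Lexical handler that refuses any DTD, which is where ENTITY declarations live."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE not allowed: %s" % name)

    # Remaining lexical callbacks are no-ops; xml.sax requires them to exist.
    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def xxe_payload(path):
    """Classic XXE request: declare an external entity that points at a local
    file and reference it in element content. `path` is attacker-chosen."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE request [<!ENTITY xxe SYSTEM "file://%s">]>\n'
        '<request><device>&xxe;</device></request>\n' % path
    ).encode()


def parse_vulnerable(xml_bytes):
    """Parser configured the way a vulnerable server is: external general
    entities are resolved, so the SYSTEM entity is fetched from disk."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)   # the dangerous setting
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.text).strip()


def parse_hardened(xml_bytes):
    """Hardened parser: external entity resolution stays off (the CPython
    default since 3.7.1) and any DOCTYPE is rejected before it is processed."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setProperty(property_lexical_handler, RejectDoctype())
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.text).strip()


def demo():
    """Write a constructed 'secret' file, then feed the same payload to both parsers.
    Returns (text leaked by the vulnerable parser, whether the hardened parser
    rejected the payload, hardened parser's result on a benign request)."""
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as f:
        f.write("db.password=hunter2")          # constructed secret, not real
        secret_path = f.name
    try:
        leaked = parse_vulnerable(xxe_payload(secret_path))
        try:
            parse_hardened(xxe_payload(secret_path))
            blocked = False
        except ValueError:
            blocked = True
        benign = parse_hardened(b"<request><device>scanner-01</device></request>")
    finally:
        os.unlink(secret_path)
    return leaked, blocked, benign


if __name__ == "__main__":
    leaked, blocked, benign = demo()
    print("vulnerable parser returned:", leaked)
    print("hardened parser rejected payload:", blocked)
    print("hardened parser on benign input:", benign)
```

Rejecting the DOCTYPE is stricter than merely disabling entity expansion, and it is the check to look for when reviewing a Java-based service like this one: in JAXP terms it corresponds to setting the `disallow-doctype-decl` feature on the `DocumentBuilderFactory` or `SAXParserFactory`, rather than only turning off `external-general-entities`.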

Summary generated and translated by AI from the official description.
XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server.
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
Affected products
Ivanti · Avalanche
