CVE-2023-38551: CRLF Injection in Ivanti Connect Secure Enables XSS
CVE-2023-38551 Published on May 31, 2024
A CRLF Injection vulnerability in Ivanti Connect Secure (9.x, 22.x) allows an authenticated high-privileged user to inject malicious code on a victims browser, thereby leading to cross-site scripting attack.
Weakness Type
What is a CRLF Injection Vulnerability?
The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
CVE-2023-38551 has been classified to as a CRLF Injection vulnerability or weakness.
Products Associated with CVE-2023-38551
Want to know whenever a new CVE is published for Ivanti Connect Secure? stack.watch will email you.
Affected Versions
Ivanti Connect Secure:- Version 22.7R2 and below 22.7R2 is affected.
- Version 22.5R2.2 and below 22.5R2.2 is affected.
- Version 9.1R18.6 and below 9.1R18.6 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.