Home

Description

SQL injection in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.

PUBLISHED Reserved 2024-09-30 | Published 2024-10-08 | Updated 2025-10-21 | Assigner ivanti




MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CISA Known Exploited Vulnerability

Date added 2024-10-09 | Due date 2024-10-30

As Ivanti CSA 4.6.x has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line, or later, of supported solution.

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status
affected

5.0.2 (custom)
unaffected

References

forums.ivanti.com/...E-2024-9379-CVE-2024-9380-CVE-2024-9381

cve.org (CVE-2024-9379)

nvd.nist.gov (CVE-2024-9379)

Download JSON