Advisory CVE-2020-13773 – Ivanti Unified Endpoint Manager Reflected XSS
Software: Ivanti Endpoint Manager
Affected Versions: <= 2020.1.1
Vendor page: www.ivanti.com
CVE Reference: CVE-2020-13773
Published: 13/11/2020
CVSS 3.1 Score: 5.5 – AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Attack Vector: Remote, authenticated
Credits: Andrei Constantin Scutariu, Lenk Ratchakrit, Calvin Yau
Summary
Various web pages in the Ivanti Unified Endpoint Manager web management console lack proper input validation on parameters passed in HTTP requests, leaving the application vulnerable to client-side attacks. An attacker able to cause the victim to open a malicious URL would obtain JavaScript code execution in the victim’s browser and could potentially obtain sensitive information and execute actions on the victim’s behalf.
Mitigation
There is currently no fix for this issue. The vendor has yet to release a patch to address the vulnerability; it is advised to review the host configuration and monitor for suspicious activity.
Technical details
The following endpoints and parameters are vulnerable:
- /LDMS/frm_splitfrm.aspx “top” parameter
- /LDMS/frm_splitfrm.aspx “ttb” parameter
- /LDMS/frm_splitfrm.aspx “splittf” parameter
- /LDMS/licensecheck.aspx “doc” parameter
- /LDMS/frm_splitcollapse.aspx “bottom” parameter
- /LDMS/alert_log.aspx “sortdir” parameter
- /LDMS/alert_log.aspx “sortcol” parameter
- /LDMS/ServerList.aspx “sortdir” parameter
- /LDMS/frm_coremainfrm.aspx “bfn” parameter
- /LDMS/frm_findfrm.aspx “m” parameter
- /LDMS/frm_taskfrm.aspx any parameter
- /LDMS/query_browsecomp.aspx “t” parameter
- /LDMS/sm_actionfrm.asp “bfn” parameter
- /LDMS/sm_actionfrm.asp “d” parameter
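Since no patch is available and the advice is to monitor for suspicious activity, the following added example (not part of the original advisory or any vendor tooling) flags web server log entries where one of the parameters listed above carries markup-like content. The log field order (date, time, cs-method, cs-uri-stem, cs-uri-query, c-ip), the matching heuristic and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus
# Endpoint -> parameters listed in the advisory (None means any parameter).
WATCHED = {
    "/ldms/frm_splitfrm.aspx": {"top", "ttb", "splittf"},
    "/ldms/licensecheck.aspx": {"doc"},
    "/ldms/frm_splitcollapse.aspx": {"bottom"},
    "/ldms/alert_log.aspx": {"sortdir", "sortcol"},
    "/ldms/serverlist.aspx": {"sortdir"},
    "/ldms/frm_coremainfrm.aspx": {"bfn"},
    "/ldms/frm_findfrm.aspx": {"m"},
    "/ldms/frm_taskfrm.aspx": None,
    "/ldms/query_browsecomp.aspx": {"t"},
    "/ldms/sm_actionfrm.asp": {"bfn", "d"},
}
# Assumed heuristic: markup metacharacters or a script scheme in the value.
SUSPICIOUS = re.compile(r"[<>\"'`]|javascript:", re.IGNORECASE)

def suspicious_params(stem, query):
    """Return sorted watched parameter names whose value looks like markup."""
    path = stem.lower()  # IIS paths are case-insensitive
    if path not in WATCHED:
        return []
    hits = set()
    for name, value in parse_qsl(query, keep_blank_values=True):
        if WATCHED[path] is not None and name.lower() not in WATCHED[path]:
            continue
        # parse_qsl decodes once; decode again to catch double encoding.
        if SUSPICIOUS.search(value) or SUSPICIOUS.search(unquote_plus(value)):
            hits.add(name.lower())
    return sorted(hits)

def scan(lines):
    """Yield (client_ip, stem, params) for each flagged log line."""
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 6:
            continue
        stem, query, client = fields[3:6]
        params = suspicious_params(stem, "" if query == "-" else query)
        if params:
            yield client, stem, params

SAMPLE = [  # constructed log lines in the assumed field order
    "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip",
    "2020-11-13 09:00:01 GET /LDMS/alert_log.aspx sortdir=asc&sortcol=2 10.0.0.5",
    "2020-11-13 09:00:07 GET /LDMS/alert_log.aspx sortdir=asc%22%3E%3Cx%3E 10.0.0.9",
    "2020-11-13 09:00:09 GET /LDMS/frm_taskfrm.aspx anything=%253Cx%253E 10.0.0.9",
]
```

Matches are leads for review: correlate the client address and the authenticated session that followed the request before drawing conclusions.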
Timeline
15/04/2020: Issue reported to the vendor
16/04/2020: Vendor acknowledged the issues
02/06/2020: CVE number assigned from MITRE
13/07/2020: 90 days notice period for disclosure given to the vendor
13/11/2020: Advisory published by JUMPSEC
