U.S. Cybersecurity and Infrastructure Security Agency issues fresh advisory on Pulse Secure VPN vulnerability. Known as CVE-2019-11510, the pre-authentication arbitrary file read vulnerability could allow remote unauthenticated attackers to compromise vulnerable VPN servers and gain access to all active users and their plain-text credentials, and execute arbitrary commands. The flaw stems from the fact that directory traversal is hard-coded to be allowed if a path contains “dana/html5/acc,” thus allowing an attacker to send specially crafted URLs to read sensitive files.
Source: https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html

