CVE-2020-8240

A vulnerability in the Pulse Secure Desktop Client < 9.1R9 allows a restricted user on an endpoint machine can use system-level privileges if the Embedded Browser is configured with Credential Provider. This vulnerability only affects Windows PDC if the Embedded Browser is configured with the Credential Provider.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
hackeroneCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 13%
VendorProductVersion
pulsesecurepulse_secure_desktop_client
𝑥
< 9.1
pulsesecurepulse_secure_desktop_client
9.1:r1
pulsesecurepulse_secure_desktop_client
9.1:r2
pulsesecurepulse_secure_desktop_client
9.1:r3
pulsesecurepulse_secure_desktop_client
9.1:r3.1
pulsesecurepulse_secure_desktop_client
9.1:r4
pulsesecurepulse_secure_desktop_client
9.1:r4.1
pulsesecurepulse_secure_desktop_client
9.1:r4.2
pulsesecurepulse_secure_desktop_client
9.1:r5
pulsesecurepulse_secure_desktop_client
9.1:r6
pulsesecurepulse_secure_desktop_client
9.1:r7
pulsesecurepulse_secure_desktop_client
9.1:r7.1
pulsesecurepulse_secure_desktop_client
9.1:r8
pulsesecurepulse_secure_desktop_client
9.1:r8.2
𝑥
= Vulnerable software versions
References
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601