CVE-2023-35078 MobileIron Core Unauthenticated API Access Vulnerability
Description
CVE-2023-35078 is a vulnerability discovered in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. It impacts all supported versions (11.10, 11.9 and 11.8); older versions and releases are also at risk. If exploited, it enables an unauthorized, remote (internet-facing) actor to potentially access users’ personally identifiable information and make limited changes to the server.
Outbreak Alert
Ivanti Endpoint Manager Mobile (EPMM, formerly MobileIron Core) contains two vulnerabilities: an authentication bypass (CVE-2023-35078) that allows unauthenticated access to specific API paths, and a path traversal (CVE-2023-35081). An attacker with access to these API paths can access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system. An attacker can also make other configuration changes, including installing software and modifying security profiles on registered devices.
Version Updates
| Date | Version | Status | Detail |
|---|---|---|---|
| 2024-10-17 | 24.10000 | New | Information disclosure and limited changes to server vulnerability in Ivanti Endpoint Manager Mobile. |