CVE-2024-10811

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:ivanti:endpoint_manager:*:-:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2022:-:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2022:su1:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2022:su2:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2022:su3:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2022:su4:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2022:su5:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2024:-:*:*:*:*:*:*

History

17 Jun 2025, 21:07

Type Values Removed Values Added
CWE CWE-22
First Time Ivanti
Ivanti endpoint Manager
References () https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6 - () https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6 - Vendor Advisory
References () https://www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities/ - () https://www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities/ - Exploit, Third Party Advisory
CPE cpe:2.3:a:ivanti:endpoint_manager:2022:su1:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2022:su5:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2022:su4:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2022:su2:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2024:-:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2022:su3:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:*:-:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2022:-:*:*:*:*:*:*

21 Feb 2025, 15:15

Type Values Removed Values Added
References
  • () https://www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities/ -
Summary
  • (es) Absolute Path Traversal en Ivanti EPM antes de la actualización de seguridad de enero de 2024-2025 y la actualización de seguridad de enero de 2022 SU6 permite que un atacante remoto no autenticado filtre información confidencial.

14 Jan 2025, 17:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-01-14 17:15

Updated : 2025-06-17 21:07


NVD link : CVE-2024-10811

Mitre link : CVE-2024-10811

CVE.ORG link : CVE-2024-10811


JSON object : View

Products Affected

ivanti

  • endpoint_manager
CWE
CWE-36

Absolute Path Traversal

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')