Pulse Secure version 9.115 and below may be susceptible to client-side http request smuggling, When the application receives a POST request, it ignores the request's Content-Length header and leaves the POST body on the TCP/TLS socket. This body ends up prefixing the next HTTP request sent down that connection, this means when someone loads website attacker may be able to make browser issue a POST to the application, enabling XSS.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2022-09-30T16:24:25

Updated: 2024-08-03T02:53:36.293Z

Reserved: 2021-12-10T00:00:00

Link: CVE-2022-21826

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2022-09-30T17:15:12.183

Modified: 2024-11-21T06:45:30.770

Link: CVE-2022-21826

cve-icon Redhat

No data.