Ivanti, which last week had to address a vulnerability in its Endpoint Manager Mobile (EMM) product, has disclosed a new bug in the product.
As detailed by Rapid7, CVE-2023-35082 acts as a bypass of the patch released for the earlier CVE-2023-35078.
Both are vulnerabilities in access to the EMM (formerly MobileIron Core) API, allowing unauthorised, remote attackers to access users’ personal information and “make limited changes to the server”, Ivanti’s notice states.
The latest vulnerability has a CVSS score of 10, the maximum possible.
Since the affected versions, MobileIron 11.2 and prior, are out of support, Ivanti recommends affected users upgrade to the latest version of EMM.
Rapid7 said the vulnerability arises because a web application on the appliance had “permissive” entries in its security filter chain.
The vulnerability lets an attacker access the API endpoints on an exposed management server, Rapid7 said.
“An attacker can use these API endpoints to perform a multitude of operations as outlined in the official API documents, including the ability to disclose personally identifiable information (PII) and perform modifications to the platform.”
A previously patched bug, CVE-2023-35081, has a lower CVSS score of 7.2 – but it allows an authenticated attacker to write malicious files to the appliance.
Rapid7 explained: “CVE-2023-35081 could be chained with CVE-2023-35082 to allow an attacker to write malicious webshell files to the appliance, which may then be executed by the attacker.”