Incorrect Behavior Order: Validate Before Canonicalize

CVE-2025-43716

Medium

5.8/10

Summary

A directory traversal vulnerability exists in Ivanti LANDesk Management Gateway through 4.2-1.9. By appending %3F.php to the URI of the /client/index.php endpoint, an attacker can bypass access controls and gain unauthorized access to various endpoints such as /client/index.php%3F.php/gsb/firewall.php within the management web panel, potentially exposing sensitive device information. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: CHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-180 - Incorrect Behavior Order: Validate Before Canonicalize

The software validates input before it is canonicalized, which prevents the software from detecting data that becomes invalid after the canonicalization step.

References

Advisory Timeline

Published Apr 23, 2025

Incorrect Behavior Order: Validate Before Canonicalize

CVE-2025-43716

Summary

CWE-180 - Incorrect Behavior Order: Validate Before Canonicalize

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS