CVE-2020-13773: 
Ivanti Endpoint Manager vulnerability analysis and mitigation

Ivanti Endpoint Manager through version 2020.1.1 is affected by multiple Cross-Site Scripting (XSS) vulnerabilities. The vulnerability allows attackers to inject malicious scripts via various parameters in multiple LDMS endpoints including /LDMS/frmsplitfrm.aspx, /LDMS/licensecheck.aspx, /LDMS/frmsplitcollapse.aspx, /LDMS/alertlog.aspx, /LDMS/ServerList.aspx, /LDMS/frmcoremainfrm.aspx, /LDMS/frmfindfrm.aspx, /LDMS/frmtaskfrm.aspx, and /LDMS/query_browsecomp.aspx. The vulnerability was discovered in April 2020 and assigned CVE-2020-13773 (MITRE CVE, JUMPSEC Labs).

The vulnerability stems from improper input validation on parameters passed in HTTP requests to the web management console. Multiple endpoints are affected with various vulnerable parameters, including 'top', 'ttb', 'splittf', 'doc', 'bottom', 'sortdir', 'sortcol', 'bfn', 'm', and 't'. The vulnerability has been assigned a CVSS 3.1 score of 5.5 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L), indicating a medium severity with network attack vector requiring low complexity and user interaction (JUMPSEC Labs).

A successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the victim's browser context. This could potentially lead to the theft of sensitive information and the ability to perform actions on behalf of the victim within the application (JUMPSEC Labs).

As of the initial disclosure, no official patch was available from the vendor. Organizations are advised to review their host configurations and monitor for suspicious activity until a fix is released (JUMPSEC Labs).