In Pulse Secure Pulse Connect Secure (PCS) before 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an authenticated attacker (via the admin web interface) can exploit Directory Traversal to execute arbitrary code on the appliance.
https://www.kb.cert.org/vuls/id/927237
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/