CVE-2016-9149: XPath Injection in Palo Alto Networks PAN-OS

CWE-194 documents4 sources
Severity: 6.5 MEDIUM (NVD)
EPSS: 0.2% (top 51.75%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 19; latest update May 13

Description

The Addresses Object parser in Palo Alto Networks PAN-OS before 5.0.20, 5.1.x before 5.1.13, 6.0.x before 6.0.15, 6.1.x before 6.1.15, 7.0.x before 7.0.11, and 7.1.x before 7.1.6 mishandles single quote characters, which allows remote authenticated users to conduct XPath injection attacks via a crafted string.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (2 packages)

NVD | paloaltonetworks/pan-os | 5.0.0 | 5.0.20 | +5
Palo Alto | paloalto/pan-os

🔴 Vulnerability Details (2)

GHSA | GHSA-f22j-95w2-7rx5: The Addresses Object parser in Palo Alto Networks PAN-OS before 5 | 2022-05-13
CVEList | CVE-2016-9149: The Addresses Object parser in Palo Alto Networks PAN-OS before 5 | 2016-11-19

📋 Vendor Advisories (1)

Palo Alto | XPath Injection | 2016-11-17