CVE-2020-2003
Published 2020-05-13
CVE-2020-2003: An external control of filename vulnerability in the command processing of PAN-OS allows an authenticated administrator to delete arbitrary system files…
Priority: P3 · 36 · medium · 6.5 (CVSS 3.1)
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.94% (56.4th percentile)
An external control of filename vulnerability in the command processing of PAN-OS allows an authenticated administrator to delete arbitrary system files affecting the integrity of the system or causing denial of service to all PAN-OS services. This issue affects: All versions of PAN-OS 7.1 and 8.0; PAN-OS 8.1 versions before 8.1.14; PAN-OS 9.0 versions before 9.0.7; PAN-OS 9.1 versions before 9.1.1.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| palo_alto_networks | pan-os | — | — |
| palo_alto_networks | pan-os | — | — |
| palo_alto_networks | pan-os | >= 8.1 < 8.1.14 | 8.1.14 |
| palo_alto_networks | pan-os | >= 9.0 < 9.0.7 | 9.0.7 |
| palo_alto_networks | pan-os | >= 9.1 < 9.1.1 | 9.1.1 |
| paloalto | pan-os | — | — |
| paloaltonetworks | pan-os | 7.1.0 – 7.1.26 | — |
| paloaltonetworks | pan-os | 8.0.0 – 8.0.20 | — |
| paloaltonetworks | pan-os | 8.1.0 – 8.1.13 | — |
| paloaltonetworks | pan-os | 9.0.0 – 9.0.6 | — |
| paloaltonetworks | pan-os | >= 9.1.0 < 9.1.1 | 9.1.1 |
CVSS provenance
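| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| nvd | v2.0 | 8.5 | HIGH | AV:N/AC:L/Au:S/C:N/I:C/A:C |
| vendor_redhat | — | 5.3 | MEDIUM | — |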
GHSA
GHSA-4387-mfcp-5cpf: An external control of filename vulnerability in the command processing of PAN-OS allows an authenticated administrator to delete arbitrary system fil
ghsa_unreviewed·2022-05-24
CVE-2020-2003 [HIGH] GHSA-4387-mfcp-5cpf: An external control of filename vulnerability in the command processing of PAN-OS allows an authenticated administrator to delete arbitrary system fil
An external control of filename vulnerability in the command processing of PAN-OS allows an authenticated administrator to delete arbitrary system files affecting the integrity of the system or causing denial of service to all PAN-OS services. This issue affects: All versions of PAN-OS 7.1; PAN-OS 8.1 versions before 8.1.14; PAN-OS 9.0 versions before 9.0.7; PAN-OS 9.1 versions before 9.1.1.
Palo Alto
PAN-OS: Authenticated administrator can delete arbitrary system file
vendor_paloalto·2020-05-13·CVSS 6.5
CVE-2020-2003 [MEDIUM] CWE-73 PAN-OS: Authenticated administrator can delete arbitrary system file
An external control of filename vulnerability in the command processing of PAN-OS allows an authenticated administrator to delete arbitrary system files affecting the integrity of the system or causing denial of service to all PAN-OS services.
This issue affects:
All versions of PAN-OS 7.1 and 8.0;
PAN-OS 8.1 versions before 8.1.14;
PAN-OS 9.0 versions before 9.0.7;
PAN-OS 9.1 versions before 9.1.1.
Affected products: PAN-OS
Solution: This issue is fixed in PAN-OS 8.1.14, PAN-OS 9.0.7, PAN-OS 9.1.1, and all later PAN-OS versions.
PAN-OS 8.0 is now end-of-life as of October 31, 2019, and is no longer covered by our Product Security Assurance policies.
PAN-OS 7.1 is on extended support until June 30, 2020, and is only
Suricata
ET EXPLOIT .NET Framework Remote Code Execution Injection (CVE-2020-0646)
suricata·2021-11-18·CVSS 9.8
CVE-2020-0646 [CRITICAL] ET EXPLOIT .NET Framework Remote Code Execution Injection (CVE-2020-0646)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT .NET Framework Remote Code Execution Injection (CVE-2020-0646)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"_vti_bin"; content:"/webpartpages.asmx"; endswith; http.request_body; content:"<?xml"; content:"System.Diagnostics.Process.Start"; fast_pattern; reference:url,dl.packetstormsecurity.net/2003-exploits/sharepoint_workflows_xoml.rb.txt; reference:cve,2020-0646; classtype:attempted-admin; sid:2034509; rev:1; metadata:created_at 2021_11_18, cve CVE_2020_0646, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_11_18, mitre_tactic_id TA0001, mitre
Exploit-DB
GUnet OpenEclass 1.7.3 E-learning platform - 'month' SQL Injection
exploitdb·2020-03-03
---
# Exploit Title: GUnet OpenEclass 1.7.3 E-learning platform - 'month' SQL Injection
# Google Dork: intext:"© GUnet 2003-2007"
# Date: 2020-03-02
# Exploit Author: emaragkos
# Vendor Homepage: https://www.openeclass.org/
# Software Link: http://download.openeclass.org/files/1.7/eclass-1.7.3.tar.gz
# Version: 1.7.3 (2007)
# Tested on: Ubuntu 12 (Apache 2.2.22, PHP 5.3.10, MySQL 5.5.38)
# CVE : -
Older versions are also vulnerable.
Source code:
http://download.openeclass.org/files/1.7/eclass-1.7.3.zip
http://download.openeclass.org/files/1.7/eclass-1.7.3.tar.gz
Setup instructions:
http://download.openeclass.org/files/docs/1.7/Install.pdf
Changelog:
https://download.openeclass.org/files/docs/1.7/CHANGES.txt
Manual:
h
Exploit-DB
HP Operations Agent - Opcode 'coda.exe' 0x8c Buffer Overflow (Metasploit)
exploitdb·2012-10-29
CVE-2012-2020 HP Operations Agent - Opcode 'coda.exe' 0x8c Buffer Overflow (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'HP Operations Agent Opcode coda.exe 0x8c Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow vulnerability in HP Operations Agent for
Windows. The vulnerability exists in the HP Software Performance Core Program
component (coda.exe) when parsing requests for the 0x8c opcode. This module has
been tested successfully on HP Operations Agent 11.00 over Windows XP SP3 and
Windows 2003 SP2 (DEP bypass).
The coda.exe com
HackerOne
IP-in-IP protocol routes arbitrary traffic by default - CVE-2020-10136
hackerone·2021-08-15·CVSS 5.3
CVE-2020-10136 [MEDIUM] IP-in-IP protocol routes arbitrary traffic by default - CVE-2020-10136
Many machines (150K-180K) on the internet accept and route IP over IP by default.
IP-in-IP encapsulation is a tunneling protocol specified in RFC 2003 that allows for IP packets to be encapsulated inside another IP packet. This is very similar to IPSEC VPNs in tunnel mode, except in the case of IP-in-IP, the traffic is unencrypted. As specified, the protocol unwraps the inner IP packet and forwards this packet through IP routing tables, potentially providing unexpected access to network paths available to the vulnerable device. An IP-in-IP device is considered to be vulnerable if it accepts IP-in-IP packets from any source to any destination without explicit configuration between the specified source and destination
Bugzilla
CVE-2015-9541 qt: XML entity expansion vulnerability
bugzilla·2020-02-10·CVSS 6.5
CVE-2015-9541 [MEDIUM] CVE-2015-9541 qt: XML entity expansion vulnerability
Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.
References:
https://bugreports.qt.io/browse/QTBUG-47417
Discussion:
Created qt5 tracking bugs for this issue:
Affects: fedora-all [bug 1801370]
---
Upstream fix:
https://code.qt.io/cgit/qt/qtbase.git/commit/?id=f432c08882ffebe5074ea28de871559a98a4d094
---
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2015-9541
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:4690 https://access.redhat.com/errata/RHSA-2020:4690