CVE-2020-2005 — Cross-site Scripting in Palo Alto Networks Pan-os

CWE-79 — Cross-site Scripting8 documents7 sources

Severity

6.1MEDIUMNVD

CNA7.1

EPSS

0.5%

top 33.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Palo Alto Networks Pan-os Paloaltonetworks Pan-os Paloalto Pan-os

Timeline

PublishedMay 13

Latest updateMay 24

Description

A cross-site scripting (XSS) vulnerability exists when visiting malicious websites with the Palo Alto Networks GlobalProtect Clientless VPN that can compromise the user's active session. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.7; All versions of PAN-OS 8.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶NVDpaloaltonetworks/pan-os7.1.0 — 7.1.26+3

▶CVEListV5palo_alto_networks/pan-os7.1 — 7.1.26+3

▶Palo Altopaloalto/pan-os

🔴Vulnerability Details

GHSA

GHSA-ww7c-jvvf-833h: A cross-site scripting (XSS) vulnerability exists when visiting malicious websites with the Palo Alto Networks GlobalProtect Clientless VPN that can c↗2022-05-24

▶

OSV

netqmail vulnerabilities↗2020-09-29

▶

CVEList

PAN-OS: GlobalProtect Clientless VPN session hijacking↗2020-05-13

▶

📋Vendor Advisories

Palo Alto

PAN-OS: GlobalProtect Clientless VPN session hijacking↗2020-05-13

▶

💬Community

Bugzilla

CVE-2005-3388 PHP phpinfo() XSS attack↗2005-11-01

▶