CVE-2020-2017 — Cross-site Scripting in Palo Alto Networks Pan-os

CWE-79 — Cross-site Scripting CWE-393 — Return of Wrong Status Code CWE-444 — HTTP Request Smuggling CWE-269 — Improper Privilege Management30 documents15 sources

Severity

6.1MEDIUMNVD

CNA8.8GHSA6.5

EPSS

0.5%

top 34.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Palo Alto Networks Pan-os Paloaltonetworks Pan-os Paloalto Pan-os

Timeline

PublishedMay 13

Latest updateFeb 13

Description

A DOM-Based Cross Site Scripting Vulnerability exists in PAN-OS and Panorama Management Web Interfaces. A remote attacker able to convince an authenticated administrator to click on a crafted link to PAN-OS and Panorama Web Interfaces could execute arbitrary JavaScript code in the administrator's browser and perform administrative actions. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.6; All versions of …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶NVDpaloaltonetworks/pan-os7.1.0 — 7.1.26+3

▶CVEListV5palo_alto_networks/pan-os7.1 — 7.1.26+3

▶Palo Altopaloalto/pan-os

🔴Vulnerability Details

OSV

digikam vulnerabilities↗2025-02-13

▶

OSV

nova vulnerabilities↗2023-02-13

▶

GHSA

markdown-it-decorate vulnerable to cross-site scripting (XSS)↗2022-07-19

▶

OSV

zabbix vulnerabilities↗2022-06-15

▶

GHSA

GHSA-rh92-6783-v73r: A DOM-Based Cross Site Scripting Vulnerability exists in PAN-OS and Panorama Management Web Interfaces↗2022-05-24

▶

📋Vendor Advisories

Red Hat

undertow: Possible regression in fix for CVE-2020-10687↗2021-02-04

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: Cartridge Management (Log4j) — CVE-2017-5645↗2020-07-15

▶

Microsoft

systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits as demonstrated by use of root privileges when privileges of the 0x0 user accou↗2020-06-09

▶

Palo Alto

PAN-OS: DOM-Based cross site scripting vulnerability in management web interface↗2020-05-13

▶

Oracle

Oracle Oracle Retail Applications Risk Matrix: Xstore Services (Apache Cordova) — CVE-2017-3160↗2020-04-15

▶

💬Community

Bugzilla

CVE-2020-13753 webkitgtk: Improper access management to CLONE_NEWUSER and the TIOCSTI ioctl↗2020-09-16

▶

Bugzilla

CVE-2017-9105 adns: pointer corruption when a nameserver speaks first because of a wrong number of pointer dereferences↗2020-06-22

▶

Bugzilla

CVE-2017-0393 libvpx: Denial of service in mediaserver↗2019-11-07

▶

Bugzilla

CVE-2017-18252 ImageMagick: assertion failure in MogrifyImageList function in MagickWand/mogrify.c↗2018-03-28

▶

Bugzilla

CVE-2017-7465 JBoss: JAXP in EAP 7.0 allows RCE via XSL↗2017-04-07

▶