CVE-2020-2017
published 2020-05-13CVE-2020-2017: A DOM-Based Cross Site Scripting Vulnerability exists in PAN-OS and Panorama Management Web Interfaces. A remote attacker able to convince an authenticated…
PriorityP428medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EPSS
0.83%
52.9th percentile
A DOM-Based Cross Site Scripting Vulnerability exists in PAN-OS and Panorama Management Web Interfaces. A remote attacker able to convince an authenticated administrator to click on a crafted link to PAN-OS and Panorama Web Interfaces could execute arbitrary JavaScript code in the administrator's browser and perform administrative actions. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.6; All versions of PAN-OS 8.0.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| palo_alto_networks | pan-os | — | — |
| palo_alto_networks | pan-os | >= 7.1 < 7.1.26 | 7.1.26 |
| palo_alto_networks | pan-os | >= 8.1 < 8.1.13 | 8.1.13 |
| palo_alto_networks | pan-os | >= 9.0 < 9.0.6 | 9.0.6 |
| paloalto | pan-os | — | — |
| paloaltonetworks | pan-os | >= 7.1.0 < 7.1.26 | 7.1.26 |
| paloaltonetworks | pan-os | 8.0.0 – 8.0.20 | — |
| paloaltonetworks | pan-os | >= 8.1.0 < 8.1.13 | 8.1.13 |
| paloaltonetworks | pan-os | >= 9.0.0 < 9.0.6 | 9.0.6 |
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
osv5.5MEDIUM
vendor_redhat8.8HIGH
vendor_oracle4.2HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
digikam vulnerabilities
osv·2025-02-13·CVSS 5.5
CVE-2017-0691 digikam vulnerabilities
digikam vulnerabilities
Zinuo Han and Ao Wang discovered that the Android DNG SDK, vendored in
digiKam, did not correctly parse certain files. An attacker could possibly
use this issue to execute arbitrary code. This issue only affected
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2017-0691)
It was discovered that Platinum Upnp SDK, vendored in digiKam, was
vulnerable to a path traversal attack. An attacker could possibly use this
issue to leak sensitive information. This issue only affected
Ubuntu 20.04 LTS. (CVE-2020-19858)
It was discovered that LibRaw, vendored in digiKam, did not correctly
handle certain memory operations. If a user or automated system were
tricked into opening a specially crafted file, an attacker could possibly
use this issue to leak sensitive in
GHSA
GHSA-rh92-6783-v73r: A DOM-Based Cross Site Scripting Vulnerability exists in PAN-OS and Panorama Management Web Interfaces
ghsa_unreviewed·2022-05-24
CVE-2020-2017 [MEDIUM] GHSA-rh92-6783-v73r: A DOM-Based Cross Site Scripting Vulnerability exists in PAN-OS and Panorama Management Web Interfaces
A DOM-Based Cross Site Scripting Vulnerability exists in PAN-OS and Panorama Management Web Interfaces. A remote attacker able to convince an authenticated administrator to click on a crafted link to PAN-OS and Panorama Web Interfaces could execute arbitrary JavaScript code in the administrator's browser and perform administrative actions. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.0 versions earlier than 8.0.21; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.6.
Palo Alto
PAN-OS: DOM-Based cross site scripting vulnerability in management web interface
vendor_paloalto·2020-05-13·CVSS 6.1
CVE-2020-2017 [MEDIUM] CWE-79 PAN-OS: DOM-Based cross site scripting vulnerability in management web interface
PAN-OS: DOM-Based cross site scripting vulnerability in management web interface
A DOM-Based Cross Site Scripting Vulnerability exists in PAN-OS and Panorama Management Web Interfaces.
A remote attacker able to convince an authenticated administrator to click on a crafted link to PAN-OS and Panorama Web Interfaces could execute arbitrary JavaScript code in the administrator's browser and perform administrative actions.
This issue affects:
PAN-OS 7.1 versions earlier than 7.1.26;
PAN-OS 8.1 versions earlier than 8.1.13;
PAN-OS 9.0 versions earlier than 9.0.6;
All versions of PAN-OS 8.0.
Affected products: PAN-OS
Solution: This issue is fixed in PAN-OS 7.1.26, PAN-OS 8.1.13, PAN-OS 9.0.6, PAN-OS 9.1.0, and all later PAN-OS versions.
PAN-OS 8.0 is now end-of-life as of October 31, 2019,
Oracle
Oracle Oracle Retail Applications Risk Matrix: Xstore Services (Apache Cordova) — CVE-2017-3160
vendor_oracle·2020-04-15·CVSS 4.2
CVE-2017-3160 [HIGH] Oracle Oracle Retail Applications Risk Matrix: Xstore Services (Apache Cordova) — CVE-2017-3160
Oracle Oracle Retail Applications Risk Matrix: Xstore Services (Apache Cordova) vulnerability
CVE: CVE-2017-3160
CVSS: 4.2
Protocol: None
Remote exploit: No
Affected versions: Local
Advisory: cpuapr2020 (APR 2020)
Red Hat
xen: bad continuation handling in GNTTABOP_copy (XSA-318)
vendor_redhat·2020-04-14·CVSS 8.8
CVE-2020-11742 [HIGH] CWE-393 xen: bad continuation handling in GNTTABOP_copy (XSA-318)
xen: bad continuation handling in GNTTABOP_copy (XSA-318)
An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service because of bad continuation handling in GNTTABOP_copy. Grant table operations are expected to return 0 for success, and a negative number for errors. The fix for CVE-2017-12135 introduced a path through grant copy handling where success may be returned to the caller without any action taken. In particular, the status fields of individual operations are left uninitialised, and may result in errant behaviour in the caller of GNTTABOP_copy. A buggy or malicious guest can construct its grant table in such a way that, when a backend domain tries to copy a grant, it hits the incorrect exit path. This returns success to the caller without d
No detection rules found.
No public exploits indexed.
Checkpoint
31st October – Threat Intelligence Report
blogs_checkpoint·2022-10-31
CVE-2022-3723 31st October – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 31st October – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 31st October, please download our Threat Intelligence Bulletin .
Top Attacks and Breaches
US-based communications company Twilio has disclosed a new data breach that occurred on June 2022 allegedly by the same threat actors behind the August hack. The hackers have used voice phishing to trick a Twilio employee into handling over their credentials, which the hackers then used to access customer information.
Cu
Checkpoint
10th October – Threat Intelligence Report
blogs_checkpoint·2022-10-10
CVE-2022-41352 10th October – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 10th October – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 10th October, please download our Threat Intelligence Bulletin .
Top Attacks and Breaches
CommonSpirit Health, the second-largest nonprofit hospital chain in the U.S with 140 hospitals and over 1,000 facilities in 21 states, suffered a cybersecurity incident that disrupted medical services across the country. Facilities in Iowa, Nebraska, Tennessee and Washington were among those affected. The nature of the at
Checkpoint
13th June – Threat Intelligence Report
blogs_checkpoint·2022-06-13
CVE-2022-30190 13th June – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 13th June – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 13th June, please download our Threat Intelligence Bulletin .
Top Attacks and Breaches
The Italian municipality of Palermo has been victim of a ransomware attack that caused a large-scale service outage affecting over a million people. The attack was claimed by the Vice Society ransomware group, which used the double extortion ransomware
Shields Health Care Group, Massachusetts-based medical services provider, h
Checkpoint
28th June – Threat Intelligence Report
blogs_checkpoint·2021-06-28
CVE-2021-21998 28th June – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 28th June – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 28th June, please download our Threat Intelligence Bulletin .
Top Attacks and Breaches
Russian-based threat group Nobelium is using password spraying and brute force attacks to gain access to corporate networks. The group, which was behind the SolarWinds supply-chain attack, deployed an information-stealing Trojan on a Microsoft customer support agent’s computer to steal information. Over half of the targets were
2020-05-13
Published