CVE-2020-2036
Published 2020-09-09
CVE-2020-2036: A reflected cross-site scripting (XSS) vulnerability exists in the PAN-OS management web interface. A remote attacker able to convince an administrator with an…
Priority P261 · high · 8.8 · CVSS 3.1
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 23.89% (97.5th percentile)
A reflected cross-site scripting (XSS) vulnerability exists in the PAN-OS management web interface. A remote attacker able to convince an administrator with an active authenticated session on the firewall management interface to click on a crafted link to that management web interface could potentially execute arbitrary JavaScript code in the administrator's browser and perform administrative actions. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.16; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| palo_alto_networks | pan-os | >= 8.1 < 8.1.16 | 8.1.16 |
| palo_alto_networks | pan-os | >= 9.0 < 9.0.9 | 9.0.9 |
| paloalto | pan-os | — | — |
| paloaltonetworks | pan-os | >= 8.1.0 < 8.1.16 | 8.1.16 |
| paloaltonetworks | pan-os | >= 9.0.0 < 9.0.9 | 9.0.9 |
Detection & IOCs
url: GET /_404_/%22%3E%3Csvg%2Fonload%3Dalert(document.domain)%3E
url: GET /unauth/php/change_password.php/%22%3E%3Csvg%2Fonload%3Dalert(document.domain)%3E
url: GET /php/change_password.php/%22%3E%3Csvg%2Fonload%3Dalert(document.domain)%3E
path: /global-protect/login.esp
- The Nuclei template flow probes /global-protect/login.esp first and only proceeds with XSS payloads if the response body contains 'GlobalProtect' or 'gp_portal', confirming a PAN-OS GlobalProtect target.
- XSS attack paths use URL-encoded SVG onload payloads (%22%3E%3Csvg%2Fonload%3Dalert(document.domain)%3E) appended to three specific endpoints: /_404_/, /unauth/php/change_password.php/, and /php/change_password.php/.
- A successful probe returns HTTP 200 with Content-Type text/html and reflects the injected payload in the response body.
- Palo Alto Networks Unique Threat ID 59968 can be enabled as a signature on traffic destined for the GlobalProtect portal, gateway, or VPN to block attacks against CVE-2020-2036.
- Use Shodan query http.favicon.hash:-631559155 or FOFA query icon_hash="-631559155" to identify exposed PAN-OS management/GlobalProtect interfaces on the internet.
- The vulnerability is only exploitable against the PAN-OS management web interface when an administrator has an active authenticated session; unauthenticated exploitation is not possible without social engineering.
- Affected versions are PAN-OS 8.1 < 8.1.16 and PAN-OS 9.0 < 9.0.9; the Nuclei template flow gates on GlobalProtect portal presence, so it will not fire on non-GlobalProtect deployments even if PAN-OS is vulnerable.
CVSS provenance
nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd · v2.0 · 6.8 MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P
Palo Alto
PAN-OS: Reflected Cross-Site Scripting (XSS) vulnerability in management web interface
vendor_paloalto·2020-09-09·CVSS 8.8
CVE-2020-2036 [HIGH] CWE-79 PAN-OS: Reflected Cross-Site Scripting (XSS) vulnerability in management web interface
A reflected cross-site scripting (XSS) vulnerability exists in the PAN-OS management web interface. A remote attacker able to convince an administrator with an active authenticated session on the firewall management interface to click on a crafted link to that management web interface could potentially execute arbitrary JavaScript code in the administrator's browser and perform administrative actions.
Affected products: PAN-OS
Solution: This issue is fixed in PAN-OS 8.1.16, PAN-OS 9.0.9, and all later PAN-OS versions.
Workaround: Until PAN-OS software is upgraded to a fixed version, enabling signatures for Unique Threat ID 59968 on traffic destined for the GlobalProtect portal, gateway, or VPN will b
GHSA
GHSA-qc34-jwcm-8qfc: A reflected cross-site scripting (XSS) vulnerability exists in the PAN-OS management web interface
ghsa_unreviewed·2022-05-24
CVE-2020-2036 [MEDIUM] GHSA-qc34-jwcm-8qfc: A reflected cross-site scripting (XSS) vulnerability exists in the PAN-OS management web interface
No detection rules found.
Nuclei
Palo Alto Networks PAN-OS Web Interface - Cross Site-Scripting
nuclei·CVSS 8.8
CVE-2020-2036 [HIGH] Palo Alto Networks PAN-OS Web Interface - Cross Site-Scripting
PAN-OS management web interface is vulnerable to reflected cross-site scripting. A remote attacker able to convince an administrator with an active authenticated session on the firewall management interface to click on a crafted link to that management web interface could potentially execute arbitrary JavaScript code in the administrator's browser and perform administrative actions. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.16; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9.
Template:
```yaml
id: CVE-2020-2036
info:
  name: Palo Alto Networks PAN-OS Web Interface - Cross Site-Scripting
  author: madrobot,j4vaovo
  severity: high
  description: |
    PAN-OS management web interface is vulnerable to reflected cross-site scri
```
Qualys
PAN-OS Critical Buffer Overflow Vulnerability (CVE-2020-2040) – Automatically Discover, Prioritize and Remediate Using Qualys VMDR®
blogs_qualys·2020-09-22·CVSS 8.8
CVE-2020-2040 [HIGH] PAN-OS Critical Buffer Overflow Vulnerability (CVE-2020-2040) – Automatically Discover, Prioritize and Remediate Using Qualys VMDR®
On Sept 9, 2020, Palo Alto Networks published nine security bulletins addressing vulnerabilities in PAN-OS operating system versions 8.0 or later. One of the nine CVEs released, CVE-2020-2040, received a critical severity rating score of 9.8 based on the CVSS v3 Scoring system.
PAN-OS devices are vulnerable to CVE-2020-2040, when a Captive Portal or multi-factor authentication interface is enabled. Once exploited, an unauthenticated user can gain root privileges by sending a malicious request to the PAN-OS device. This vulnerability is rated as critical mainly for two reasons. First, it doesn’t require any authentication; and second, it has the potential to disrupt system processes and execute arbitrary cod
Tenable
CVE-2020-2040: Critical Buffer Overflow Vulnerability in PAN-OS Devices Disclosed
blogs_tenable·2020-09-10·CVSS 9.8
[CRITICAL] CVE-2020-2040: Critical Buffer Overflow Vulnerability in PAN-OS Devices Disclosed