CVE-2020-2036
published 2020-09-09

Priority: P2 · 61 · high
CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploit: EPSS 23.89% (97.5th percentile)
A reflected cross-site scripting (XSS) vulnerability exists in the PAN-OS management web interface. A remote attacker able to convince an administrator with an active authenticated session on the firewall management interface to click on a crafted link to that management web interface could potentially execute arbitrary JavaScript code in the administrator's browser and perform administrative actions. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.16; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9.

Affected

5 ranges

Vendor             | Product | Version range      | Fixed in
-------------------|---------|--------------------|---------
palo_alto_networks | pan-os  | >= 8.1 < 8.1.16    | 8.1.16
palo_alto_networks | pan-os  | >= 9.0 < 9.0.9     | 9.0.9
paloalto           | pan-os  |                    |
paloaltonetworks   | pan-os  | >= 8.1.0 < 8.1.16  | 8.1.16
paloaltonetworks   | pan-os  | >= 9.0.0 < 9.0.9   | 9.0.9

Detection & IOCs (extracted from sources)

url: GET /_404_/%22%3E%3Csvg%2Fonload%3Dalert(document.domain)%3E
url: GET /unauth/php/change_password.php/%22%3E%3Csvg%2Fonload%3Dalert(document.domain)%3E
url: GET /php/change_password.php/%22%3E%3Csvg%2Fonload%3Dalert(document.domain)%3E
path: /global-protect/login.esp
  • Probe /global-protect/login.esp first; only proceed with XSS payloads if the response body contains 'GlobalProtect' or 'gp_portal', confirming a PAN-OS GlobalProtect target.
  • XSS attack paths use URL-encoded SVG onload payloads (%22%3E%3Csvg%2Fonload%3Dalert(document.domain)%3E) appended to three specific endpoints: /_404_/, /unauth/php/change_password.php/, and /php/change_password.php/.
  • A successful probe returns HTTP 200 with Content-Type text/html and reflects the injected payload in the response body.
  • Palo Alto Networks Unique Threat ID 59968 can be enabled as a signature on traffic destined for the GlobalProtect portal, gateway, or VPN to block attacks against CVE-2020-2036.
  • Use Shodan query http.favicon.hash:-631559155 or FOFA query icon_hash="-631559155" to identify exposed PAN-OS management/GlobalProtect interfaces on the internet.
  • The vulnerability is only exploitable against the PAN-OS management web interface when an administrator has an active authenticated session; unauthenticated exploitation is not possible without social engineering.
  • Affected versions are PAN-OS 8.1 < 8.1.16 and PAN-OS 9.0 < 9.0.9; the Nuclei template flow gates on GlobalProtect portal presence, so it will not fire on non-GlobalProtect deployments even if PAN-OS is vulnerable.

CVSS provenance

Source | CVSS version | Score | Severity | Vector
-------|--------------|-------|----------|-------
nvd    | v3.1         | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd    | v2.0         | 6.8   | MEDIUM   | AV:N/AC:M/Au:N/C:P/I:P/A:P