CVE-2024-0010
published 2024-02-14CVE-2024-0010: A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect portal feature of Palo Alto Networks PAN-OS software enables execution of malicious…
PriorityP425medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EPSS
0.51%
39.6th percentile
A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect portal feature of Palo Alto Networks PAN-OS software enables execution of malicious JavaScript (in the context of a user’s browser) if a user clicks on a malicious link, allowing phishing attacks that could lead to credential theft.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| palo_alto_networks | pan-os | >= 10.1 < 10.1.11-h1 | 10.1.11-h1 |
| palo_alto_networks | pan-os | >= 10.1 < 10.1.12 | 10.1.12 |
| palo_alto_networks | pan-os | >= 9.0 < 9.0.17-h4 | 9.0.17-h4 |
| palo_alto_networks | pan-os | >= 9.1 < 9.1.17 | 9.1.17 |
| paloalto | cloud_ngfw | — | — |
| paloalto | pan-os | — | — |
| paloalto | prisma_access | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | >= 10.1.0 < 10.1.11 | 10.1.11 |
| paloaltonetworks | pan-os | >= 9.0.0 < 9.0.17 | 9.0.17 |
| paloaltonetworks | pan-os | >= 9.1.0 < 9.1.17 | 9.1.17 |
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vendor_redhat7.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-7268-248f-7vgg: A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect portal feature of Palo Alto Networks PAN-OS software enables execution of ma
ghsa_unreviewed·2024-02-14
CVE-2024-0010 [MEDIUM] CWE-79 GHSA-7268-248f-7vgg: A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect portal feature of Palo Alto Networks PAN-OS software enables execution of ma
A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect portal feature of Palo Alto Networks PAN-OS software enables execution of malicious JavaScript (in the context of a user’s browser) if a user clicks on a malicious link, allowing phishing attacks that could lead to credential theft.
Red Hat
kernel: wifi: mt76: disable napi on driver removal
vendor_redhat·2025-06-18·CVSS 5.5
CVE-2025-38009 [MEDIUM] CWE-20 kernel: wifi: mt76: disable napi on driver removal
kernel: wifi: mt76: disable napi on driver removal
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: disable napi on driver removal
A warning on driver removal started occurring after commit 9dd05df8403b
("net: warn if NAPI instance wasn't shut down"). Disable tx napi before
deleting it in mt76_dma_cleanup().
WARNING: CPU: 4 PID: 18828 at net/core/dev.c:7288 __netif_napi_del_locked+0xf0/0x100
CPU: 4 UID: 0 PID: 18828 Comm: modprobe Not tainted 6.15.0-rc4 #4 PREEMPT(lazy)
Hardware name: ASUS System Product Name/PRIME X670E-PRO WIFI, BIOS 3035 09/05/2024
RIP: 0010:__netif_napi_del_locked+0xf0/0x100
Call Trace:
mt76_dma_cleanup+0x54/0x2f0 [mt76]
mt7921_pci_remove+0xd5/0x190 [mt7921e]
pci_device_remove+0x47/0xc0
device_release_driver_internal+0x19e/0x200
driver_
Red Hat
kernel: memcg: fix soft lockup in the OOM process
vendor_redhat·2025-02-27·CVSS 5.5
CVE-2024-57977 [MEDIUM] CWE-667 kernel: memcg: fix soft lockup in the OOM process
kernel: memcg: fix soft lockup in the OOM process
In the Linux kernel, the following vulnerability has been resolved:
memcg: fix soft lockup in the OOM process
A soft lockup issue was found in the product with about 56,000 tasks were
in the OOM cgroup, it was traversing them when the soft lockup was
triggered.
watchdog: BUG: soft lockup - CPU#2 stuck for 23s! [VM Thread:1503066]
CPU: 2 PID: 1503066 Comm: VM Thread Kdump: loaded Tainted: G
Hardware name: Huawei Cloud OpenStack Nova, BIOS
RIP: 0010:console_unlock+0x343/0x540
RSP: 0000:ffffb751447db9a0 EFLAGS: 00000247 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000001 RBX: 0000000000000000 RCX: 00000000ffffffff
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000247
RBP: ffffffffafc71f90 R08: 0000000000000000 R09: 0000000000000040
R
Red Hat
kernel: f2fs: fix to do sanity check on node blkaddr in truncate_node()
vendor_redhat·2024-12-28·CVSS 5.5
CVE-2024-56692 [MEDIUM] CWE-754 kernel: f2fs: fix to do sanity check on node blkaddr in truncate_node()
kernel: f2fs: fix to do sanity check on node blkaddr in truncate_node()
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to do sanity check on node blkaddr in truncate_node()
syzbot reports a f2fs bug as below:
------------[ cut here ]------------
kernel BUG at fs/f2fs/segment.c:2534!
RIP: 0010:f2fs_invalidate_blocks+0x35f/0x370 fs/f2fs/segment.c:2534
Call Trace:
truncate_node+0x1ae/0x8c0 fs/f2fs/node.c:909
f2fs_remove_inode_page+0x5c2/0x870 fs/f2fs/node.c:1288
f2fs_evict_inode+0x879/0x15c0 fs/f2fs/inode.c:856
evict+0x4e8/0x9b0 fs/inode.c:723
f2fs_handle_failed_inode+0x271/0x2e0 fs/f2fs/inode.c:986
f2fs_create+0x357/0x530 fs/f2fs/namei.c:394
lookup_open fs/namei.c:3595 [inline]
open_last_lookups fs/namei.c:3694 [inline]
path_openat+0x1c03/0x3590 fs/namei.c:393
Red Hat
kernel: mm/gup: handle NULL pages in unpin_user_pages()
vendor_redhat·2024-12-27·CVSS 5.5
CVE-2024-56612 [MEDIUM] CWE-476 kernel: mm/gup: handle NULL pages in unpin_user_pages()
kernel: mm/gup: handle NULL pages in unpin_user_pages()
In the Linux kernel, the following vulnerability has been resolved:
mm/gup: handle NULL pages in unpin_user_pages()
The recent addition of "pofs" (pages or folios) handling to gup has a
flaw: it assumes that unpin_user_pages() handles NULL pages in the pages**
array. That's not the case, as I discovered when I ran on a new
configuration on my test machine.
Fix this by skipping NULL pages in unpin_user_pages(), just like
unpin_folios() already does.
Details: when booting on x86 with "numa=fake=2 movablecore=4G" on Linux
6.12, and running this:
tools/testing/selftests/mm/gup_longterm
...I get the following crash:
BUG: kernel NULL pointer dereference, address: 0000000000000008
RIP: 0010:sanity_check_pinned_pages+0x3a/0x2d0
...
Call Trac
Red Hat
kernel: net/mlx5e: CT: Fix null-ptr-deref in add rule err flow
vendor_redhat·2024-12-02·CVSS 5.5
CVE-2024-53120 [MEDIUM] CWE-476 kernel: net/mlx5e: CT: Fix null-ptr-deref in add rule err flow
kernel: net/mlx5e: CT: Fix null-ptr-deref in add rule err flow
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: CT: Fix null-ptr-deref in add rule err flow
In error flow of mlx5_tc_ct_entry_add_rule(), in case ct_rule_add()
callback returns error, zone_rule->attr is used uninitiated. Fix it to
use attr which has the needed pointer value.
Kernel log:
BUG: kernel NULL pointer dereference, address: 0000000000000110
RIP: 0010:mlx5_tc_ct_entry_add_rule+0x2b1/0x2f0 [mlx5_core]
…
Call Trace:
? __die+0x20/0x70
? page_fault_oops+0x150/0x3e0
? exc_page_fault+0x74/0x140
? asm_exc_page_fault+0x22/0x30
? mlx5_tc_ct_entry_add_rule+0x2b1/0x2f0 [mlx5_core]
? mlx5_tc_ct_entry_add_rule+0x1d5/0x2f0 [mlx5_core]
mlx5_tc_ct_block_flow_offload+0xc6a/0xf90 [mlx5_core]
? nf_flow_off
Red Hat
kernel: sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start
vendor_redhat·2024-10-21·CVSS 5.5
CVE-2024-49944 [MEDIUM] kernel: sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start
kernel: sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start
In the Linux kernel, the following vulnerability has been resolved:
sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start
In sctp_listen_start() invoked by sctp_inet_listen(), it should set the
sk_state back to CLOSED if sctp_autobind() fails due to whatever reason.
Otherwise, next time when calling sctp_inet_listen(), if sctp_sk(sk)->reuse
is already set via setsockopt(SCTP_REUSE_PORT), sctp_sk(sk)->bind_hash will
be dereferenced as sk_state is LISTENING, which causes a crash as bind_hash
is NULL.
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:sctp_inet_listen+0x7f0/0xa20 net/sctp/socket.c:8617
Call Trace:
__sys_listen_socket net/socket.c:1883 [inline]
__
Red Hat
kernel: tracing/timerlat: Fix a race during cpuhp processing
vendor_redhat·2024-10-21·CVSS 4.7
CVE-2024-49866 [MEDIUM] CWE-362 kernel: tracing/timerlat: Fix a race during cpuhp processing
kernel: tracing/timerlat: Fix a race during cpuhp processing
In the Linux kernel, the following vulnerability has been resolved:
tracing/timerlat: Fix a race during cpuhp processing
There is another found exception that the "timerlat/1" thread was
scheduled on CPU0, and lead to timer corruption finally:
```
ODEBUG: init active (active state 0) object: ffff888237c2e108 object type: hrtimer hint: timerlat_irq+0x0/0x220
WARNING: CPU: 0 PID: 426 at lib/debugobjects.c:518 debug_print_object+0x7d/0xb0
Modules linked in:
CPU: 0 UID: 0 PID: 426 Comm: timerlat/1 Not tainted 6.11.0-rc7+ #45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:debug_print_object+0x7d/0xb0
...
Call Trace:
? __warn+0x7c/0x110
? debug_print_object+0x7d/0xb0
? report_bug+0x
Red Hat
kernel: drm/amd/display: fix double free issue during amdgpu module unload
vendor_redhat·2024-10-21·CVSS 7.8
CVE-2024-49989 [HIGH] CWE-415 kernel: drm/amd/display: fix double free issue during amdgpu module unload
kernel: drm/amd/display: fix double free issue during amdgpu module unload
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: fix double free issue during amdgpu module unload
Flexible endpoints use DIGs from available inflexible endpoints,
so only the encoders of inflexible links need to be freed.
Otherwise, a double free issue may occur when unloading the
amdgpu module.
[ 279.190523] RIP: 0010:__slab_free+0x152/0x2f0
[ 279.190577] Call Trace:
[ 279.190580]
[ 279.190582] ? show_regs+0x69/0x80
[ 279.190590] ? die+0x3b/0x90
[ 279.190595] ? do_trap+0xc8/0xe0
[ 279.190601] ? do_error_trap+0x73/0xa0
[ 279.190605] ? __slab_free+0x152/0x2f0
[ 279.190609] ? exc_invalid_op+0x56/0x70
[ 279.190616] ? __slab_free+0x152/0x2f0
[ 279.190642] ? asm_exc_invalid_op+0x1f/0
Red Hat
kernel: rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb()
vendor_redhat·2024-10-21·CVSS 5.5
CVE-2024-49926 [MEDIUM] CWE-119 kernel: rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb()
kernel: rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb()
In the Linux kernel, the following vulnerability has been resolved:
rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb()
For kernels built with CONFIG_FORCE_NR_CPUS=y, the nr_cpu_ids is
defined as NR_CPUS instead of the number of possible cpus, this
will cause the following system panic:
smpboot: Allowing 4 CPUs, 0 hotplug CPUs
...
setup_percpu: NR_CPUS:512 nr_cpumask_bits:512 nr_cpu_ids:512 nr_node_ids:1
...
BUG: unable to handle page fault for address: ffffffff9911c8c8
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 0 PID: 15 Comm: rcu_tasks_trace Tainted: G W
6.6.21 #1 5dc7acf91a5e8e9ac9dcfc35bee0245691283ea6
RIP: 0010:rcu_tasks_need_gpcb+0x25d/0x2c0
RSP: 0018:ffffa371c00a3e60 EF
Red Hat
kernel: fs/netfs/fscache_cookie: add missing "n_accesses" check
vendor_redhat·2024-09-04·CVSS 5.5
CVE-2024-45000 [MEDIUM] CWE-476 kernel: fs/netfs/fscache_cookie: add missing "n_accesses" check
kernel: fs/netfs/fscache_cookie: add missing "n_accesses" check
In the Linux kernel, the following vulnerability has been resolved:
fs/netfs/fscache_cookie: add missing "n_accesses" check
This fixes a NULL pointer dereference bug due to a data race which
looks like this:
BUG: kernel NULL pointer dereference, address: 0000000000000008
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] SMP PTI
CPU: 33 PID: 16573 Comm: kworker/u97:799 Not tainted 6.8.7-cm4all1-hp+ #43
Hardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 10/17/2018
Workqueue: events_unbound netfs_rreq_write_to_cache_work
RIP: 0010:cachefiles_prepare_write+0x30/0xa0
Code: 57 41 56 45 89 ce 41 55 49 89 cd 41 54 49 89 d4 55 53 48 89 fb 48 83 ec 08 48 8
Red Hat
kernel: scsi: qedi: Fix crash while reading debugfs attribute
vendor_redhat·2024-07-12·CVSS 7.1
CVE-2024-40978 [HIGH] CWE-822 kernel: scsi: qedi: Fix crash while reading debugfs attribute
kernel: scsi: qedi: Fix crash while reading debugfs attribute
In the Linux kernel, the following vulnerability has been resolved:
scsi: qedi: Fix crash while reading debugfs attribute
The qedi_dbg_do_not_recover_cmd_read() function invokes sprintf() directly
on a __user pointer, which results into the crash.
To fix this issue, use a small local stack buffer for sprintf() and then
call simple_read_from_buffer(), which in turns make the copy_to_user()
call.
BUG: unable to handle page fault for address: 00007f4801111000
PGD 8000000864df6067 P4D 8000000864df6067 PUD 864df7067 PMD 846028067 PTE 0
Oops: 0002 [#1] PREEMPT SMP PTI
Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 06/15/2023
RIP: 0010:memcpy_orig+0xcd/0x130
RSP: 0018:ffffb7a18c3ffc40 EFLAGS: 00010202
RAX: 0000
Red Hat
kernel: net: relax socket state check at accept time.
vendor_redhat·2024-06-21·CVSS 5.5
CVE-2024-36484 [MEDIUM] CWE-99 kernel: net: relax socket state check at accept time.
kernel: net: relax socket state check at accept time.
In the Linux kernel, the following vulnerability has been resolved:
net: relax socket state check at accept time.
Christoph reported the following splat:
WARNING: CPU: 1 PID: 772 at net/ipv4/af_inet.c:761 __inet_accept+0x1f4/0x4a0
Modules linked in:
CPU: 1 PID: 772 Comm: syz-executor510 Not tainted 6.9.0-rc7-g7da7119fe22b #56
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
RIP: 0010:__inet_accept+0x1f4/0x4a0 net/ipv4/af_inet.c:759
Code: 04 38 84 c0 0f 85 87 00 00 00 41 c7 04 24 03 00 00 00 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ec b7 da fd 0b e9 7f fe ff ff e8 e0 b7 da fd 0f 0b e9 fe fe ff ff 89 d9 80
RSP: 0018:ffffc90000c2fc58 EFLAGS: 00010293
RAX: ffffffff836bdd14 RBX: 00000000
Red Hat
kernel: mptcp: ensure snd_nxt is properly initialized on connect
vendor_redhat·2024-05-30·CVSS 5.5
CVE-2024-36889 [MEDIUM] CWE-665 kernel: mptcp: ensure snd_nxt is properly initialized on connect
kernel: mptcp: ensure snd_nxt is properly initialized on connect
In the Linux kernel, the following vulnerability has been resolved:
mptcp: ensure snd_nxt is properly initialized on connect
Christoph reported a splat hinting at a corrupted snd_una:
WARNING: CPU: 1 PID: 38 at net/mptcp/protocol.c:1005 __mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005
Modules linked in:
CPU: 1 PID: 38 Comm: kworker/1:1 Not tainted 6.9.0-rc1-gbbeac67456c9 #59
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
Workqueue: events mptcp_worker
RIP: 0010:__mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005
Code: be 06 01 00 00 bf 06 01 00 00 e8 a8 12 e7 fe e9 00 fe ff ff e8
8e 1a e7 fe 0f b7 ab 3e 02 00 00 e9 d3 fd ff ff e8 7d 1a e7 fe
0b 4c 8b bb e0 05 00 00 e9 74 fc ff
Red Hat
kernel: drm/dp: Fix divide-by-zero regression on DP MST unplug with nouveau
vendor_redhat·2024-05-01·CVSS 5.5
CVE-2024-26941 [MEDIUM] kernel: drm/dp: Fix divide-by-zero regression on DP MST unplug with nouveau
kernel: drm/dp: Fix divide-by-zero regression on DP MST unplug with nouveau
In the Linux kernel, the following vulnerability has been resolved:
drm/dp: Fix divide-by-zero regression on DP MST unplug with nouveau
Fix a regression when using nouveau and unplugging a StarTech MSTDP122DP
DisplayPort 1.2 MST hub (the same regression does not appear when using
a Cable Matters DisplayPort 1.4 MST hub). Trace:
divide error: 0000 [#1] PREEMPT SMP PTI
CPU: 7 PID: 2962 Comm: Xorg Not tainted 6.8.0-rc3+ #744
Hardware name: Razer Blade/DANA_MB, BIOS 01.01 08/31/2018
RIP: 0010:drm_dp_bw_overhead+0xb4/0x110 [drm_display_helper]
Code: c6 b8 01 00 00 00 75 61 01 c6 41 0f af f3 41 0f af f1 c1 e1 04 48 63 c7 31 d2 89 ff 48 8b 5d f8 c9 48 0f af f1 48 8d 44 06 ff f7 f7 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c
Palo Alto
PAN-OS: Reflected Cross-Site Scripting (XSS) Vulnerability in GlobalProtect Portal
vendor_paloalto·2024-02-14·CVSS 6.1
CVE-2024-0010 [MEDIUM] CWE-79 PAN-OS: Reflected Cross-Site Scripting (XSS) Vulnerability in GlobalProtect Portal
PAN-OS: Reflected Cross-Site Scripting (XSS) Vulnerability in GlobalProtect Portal
A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect portal feature of Palo Alto Networks PAN-OS software enables execution of malicious JavaScript in the context of a user’s browser if that user clicks on a malicious link, allowing phishing attacks that could lead to credential theft.
Affected products: Cloud NGFW, PAN-OS, Prisma Access
Solution: This issue is fixed in PAN-OS 9.0.17-h4, PAN-OS 9.1.17, PAN-OS 10.1.11-h1, PAN-OS 10.1.12, and all later PAN-OS versions.
Workaround: Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 94972 (Applications and Threats content update 8810).
No detection rules found.
No public exploits indexed.
2024-02-14
Published