Paloalto PAN-OS vulnerabilities
300 known vulnerabilities affecting paloalto/pan-os.
Total CVEs: 300
CISA KEV: 19 (actively exploited)
Public exploits: 32
Exploited in wild: 18
Severity breakdown: CRITICAL 53, HIGH 115, MEDIUM 119, LOW 13
Vulnerabilities
Page 10 of 15
CVE-2019-1565 MEDIUM CVSS 5.4 2019-01-23
CVE-2019-1565 [MEDIUM] CWE-79 Cross-Site Scripting (XSS) in PAN-OS External Dynamic Lists
A Cross-Site Scripting (XSS) vulnerability exists in the PAN-OS External Dynamic Lists. (Ref. # PAN-106776; CVE-2019-1565)
Successful exploitation of this issue may allow an attacker that is authenticated in Next Generation Firewall with write privileges to External Dynamic List configuration to inject arbitrary JavaScript or HTML.
This issue affe
paloalto
CVE-2019-1566 MEDIUM CVSS 6.1 2019-01-23
CVE-2019-1566 [MEDIUM] CWE-79 Cross-Site Scripting (XSS) in PAN-OS Management Web Interface
A Cross-Site Scripting (XSS) vulnerability exists in the PAN-OS Management Web Interface. (Ref. # PAN-107262; CVE-2019-1566)
Successful exploitation of this issue may allow an unauthenticated attacker to inject arbitrary JavaScript or HTML.
This issue affects PAN-OS 7.1.21 and earlier, PAN-OS 8.0.14 and earlier, and PAN-OS 8.1.5 and earlier.
paloalto
CVE-2018-0732 HIGH CVSS 7.5 2018-10-12
CVE-2018-0732 [HIGH] CWE-320 PAN-SA-2018-0015 OpenSSL Vulnerabilities in PAN-OS
The OpenSSL library has been found to contain vulnerabilities CVE-2018-0732, CVE-2018-0737, and CVE-2018-0739. Palo Alto Networks software makes use of the vulnerable library and is
CVEs: CVE-2018-0732, CVE-2018-0737, CVE-2018-0739
Affected products: PAN-OS
paloalto
CVE-2018-10141 MEDIUM CVSS 6.1 PoC 2018-10-12
CVE-2018-10141 [MEDIUM] CWE-79 Cross-Site Scripting (XSS) in GlobalProtect Portal Login Page
A Cross-Site Scripting (XSS) vulnerability exists in the PAN-OS GlobalProtect Portal Login page. (Ref. # PAN-99830; CVE-2018-10141)
Successful exploitation of this issue may allow an unauthenticated attacker to inject arbitrary JavaScript or HTML.
This issue affects PAN-OS 8.1.3 and earlier. PAN-OS 8.0, PAN-OS 7.1 and PAN-OS 6.1 are NOT affec
paloalto
CVE-2018-5391 HIGH CVSS 7.5 Exploited 2018-09-19
CVE-2018-5391 [HIGH] CWE-20 Information about FragmentSmack findings
Palo Alto Networks is aware of a recent vulnerability disclosure, known as FragmentSmack, that affects Linux kernel 3.9 and later. At this time, our findings show that some Palo Alto Networks devices running specific versions of PAN-OS are vulnerable to this disclosure. (CVE-2018-5391). This security advisory will be updated as more information becomes available or if there are changes in
paloalto
CVE-2018-5390 HIGH CVSS 7.5 2018-09-19
CVE-2018-5390 [HIGH] CWE-20 Information about SegmentSmack findings
Palo Alto Networks is aware of a recent vulnerability disclosure, known as SegmentSmack, that affects Linux kernel 4.9 and later. At this time, our findings show that Palo Alto Networks PAN-OS devices are not vulnerable to this disclosure (CVE-2018-5390).
PAN-OS/Panorama platforms are not impacted by this vulnerability.
Affected products: PAN-OS
Solution: N/A
Workaround: Our NGFW users c
paloalto
CVE-2018-3615 MEDIUM CVSS 6.4 2018-08-17
CVE-2018-3615 [MEDIUM] CWE-200 PAN-SA-2018-0011 Information about L1 Terminal Fault findings
Palo Alto Networks is aware of recent vulnerability disclosures, known as L1 Terminal Fault, that affect modern CPU architectures. At this time, our findings show that these vulnerabilities pose no increased risk to Palo Alto Networks PAN-OS devices. (CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646). This security advisory will be updated as
paloalto
CVE-2018-10140 MEDIUM CVSS 4.3 2018-08-15
CVE-2018-10140 [MEDIUM] CWE-20 Denial of Service in PAN-OS Management Web Interface
A Denial of Service exists in PAN-OS Management Web Interface that allows an authenticated user to shut down all management sessions, resulting in all logged-in users being redirected to the login page. (Ref # PAN-100189, CVE-2018-10140)
This vulnerability can be triggered by an authenticated user sending malformed searching parameters through the Filter bar o
paloalto
CVE-2018-10139 MEDIUM CVSS 6.1 2018-08-15
CVE-2018-10139 [MEDIUM] CWE-79 Cross-Site Scripting (XSS) in GlobalProtect Gateway
A Cross-Site Scripting (XSS) vulnerability exists in a PAN-OS response for GlobalProtect Gateway. (Ref. # PAN-84836; CVE-2018-10139)
Successful exploitation of this issue may allow an unauthenticated attacker to inject arbitrary JavaScript or HTML.
This issue affects PAN-OS 6.1.21 and earlier, PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11 and earlier. PAN-OS 8.1.0 is
paloalto
CVE-2018-8715 HIGH CVSS 8.1 PoC 2018-07-20
CVE-2018-8715 [HIGH] CWE-287 Denial of Service in PAN-OS Management Web Interface
Palo Alto Networks makes use of a 3rd-party component impacted by CVE-2018-8715. This issue has been confirmed to present a risk for denial of service to the PAN-OS Management Web Interface. (Ref # PAN-93089, CVE-2018-8715)
A specially crafted HTTP POST request with an invalid “If-modified” header field may cause a NULL dereference and cause a denial of service
paloalto
CVE-2018-9335 MEDIUM CVSS 5.4 2018-06-29
CVE-2018-9335 [MEDIUM] CWE-79 Cross-Site Scripting (XSS) in PAN-OS Management Web Interface
A Cross-Site Scripting (XSS) vulnerability exists in the PAN-OS session browser. (Ref. # PAN-93244; CVE-2018-9335)
Successful exploitation of this issue may allow an attacker to inject arbitrary JavaScript or HTML. An attacker would need to successfully authenticate prior to exploiting this issue.
This issue affects PAN-OS 6.1.20 and earlier,
paloalto
CVE-2018-9337 MEDIUM CVSS 5.4 2018-06-29
CVE-2018-9337 [MEDIUM] CWE-79 Cross-Site Scripting (XSS) in PAN-OS Management Web Interface
A Cross-Site Scripting (XSS) vulnerability exists in a PAN-OS web interface administration page. (Ref. # PAN-93242; CVE-2018-9337)
Successful exploitation of this issue may allow an attacker to inject arbitrary JavaScript or HTML. An attacker would need to successfully authenticate prior to exploiting this issue.
This issue affects PAN-OS 6.1.2
paloalto
CVE-2018-9242 MEDIUM CVSS 5.5 2018-06-29
CVE-2018-9242 [MEDIUM] CWE-20 Local Privilege Escalation in Management Web Interface
A vulnerability exists in the Management web interface that could allow local privilege escalation. The Management web interface does not properly validate specific request parameters, which can potentially allow deletion of files in the system. (Ref. # PAN-90954; CVE-2018-9242)
Successful exploitation of this issue requires the attacker to be authenticated
paloalto
CVE-2018-9334 MEDIUM CVSS 5.5 2018-06-29
CVE-2018-9334 [MEDIUM] CWE-269 Information Disclosure in the PAN-OS Management Web Interface
A local privilege escalation vulnerability exists in the PAN-OS management web interface that allows the administrator to access the password hashes of local users by manipulating the HTML markup. (Ref. # PAN-91564; CVE-2018-9334)
Successful exploitation of this issue requires the attacker to be authenticated.
This issue affects PAN-OS 6.1.20
paloalto
CVE-2018-7636 MEDIUM CVSS 6.1 2018-06-27
CVE-2018-7636 [MEDIUM] CWE-79 Cross Site Scripting in PAN-OS
A Cross-Site Scripting (XSS) vulnerability exists in the PAN-OS URL filtering “continue page” (Ref # PAN-OS 90835, CVE-2018-7636). PAN-OS software does not properly validate specific request parameters.
Successful exploitation of this issue may allow an attacker to inject arbitrary JavaScript or HTML in specially crafted URLs that link to a URL filtering “continue page” hosted by the firewall.
This issue
paloalto
CVE-2017-5715 MEDIUM CVSS 5.6 PoC 2018-01-05
CVE-2017-5715 [MEDIUM] CWE-200 PAN-SA-2018-0001 Information about Meltdown and Spectre findings
Palo Alto Networks is aware of recent vulnerability disclosures, known as Meltdown and Spectre, that affect modern CPU architectures. At this time, our findings show that these vulnerabilities pose no increased risk to Palo Alto Networks PAN-OS devices. (CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754). This security advisory will be up
paloalto
CVE-2017-15941 MEDIUM CVSS 6.1 2018-01-02
CVE-2017-15941 [MEDIUM] CWE-79 Cross Site Scripting Vulnerability in PAN-OS GlobalProtect
A vulnerability exists in PAN-OS GlobalProtect when either the gateway or the portal is configured. This issue could allow for a cross-site scripting (XSS) attack. (Ref # PAN-81586 / CVE-2017-15941)
Successful exploitation of this issue may allow an attacker to inject arbitrary JavaScript or HTML.
This issue affects PAN-OS 6.1.18 and earlier, PAN-
paloalto
CVE-2017-17841 MEDIUM CVSS 5.9 2018-01-02
CVE-2017-17841 [MEDIUM] ROBOT attack against PAN-OS
ROBOT is an attack that affects the TLS RSA key exchange and could lead to decryption of captured sessions if the TLS server originally serving said captured session is still alive, vulnerable and using the same private key. (PAN-89936 / CVE-2017-17841)
While SSL Decryption and GlobalProtect are susceptible to this issue, PAN-OS can be protected with use of content update 757, and further mitigated through the confi
paloalto
CVE-2017-16878 MEDIUM CVSS 6.1 2018-01-02
CVE-2017-16878 [MEDIUM] CWE-79 Cross Site Scripting in PAN-OS Captive Portal
A vulnerability exists in PAN-OS Captive Portal that could allow for a cross-site scripting (XSS) attack to be performed against clients viewing the captive portal page when configured in a certain way. (Ref # PAN-85238 / CVE-2017-16878)
Successful exploitation of this issue may allow an attacker to inject arbitrary JavaScript or HTML.
This issue affects PAN-OS 8.0.6-h3 and
paloalto
CVE-2017-15944 CRITICAL CVSS 9.8 KEV PoC 2017-12-06
CVE-2017-15944 [CRITICAL] Vulnerability in PAN-OS and Panorama on Management Interface
Through the exploitation of a combination of unrelated vulnerabilities, and via the management interface of the device, an attacker could remotely execute code on PAN-OS or Panorama in the context of the highest privileged user. (Ref # PAN-61094 / PAN-80990 / PAN-80993 / PAN-80994 / CVE-2017-15944)
PAN-OS and Panorama contain multiple vulnerabiliti
paloalto