
Paloaltonetworks PAN-OS vulnerabilities

211 known vulnerabilities affecting paloaltonetworks/pan-os.

Total CVEs: 211
CISA KEV: 14 (actively exploited)
Public exploits: 17
Exploited in wild: 15
Severity breakdown: CRITICAL 36, HIGH 77, MEDIUM 89, LOW 9

Vulnerabilities

Page 8 of 11
CVE-2020-1997 | P4 | MEDIUM | CVSS 6.1 | ≥ 7.1.0, < 7.1.26; ≥ 8.0.0, < 8.0.14 | 2020-05-13
CWE-601: An open redirection vulnerability in the GlobalProtect component of Palo Alto Networks PAN-OS allows an attacker to specify an arbitrary redirection target away from the trusted GlobalProtect gateway. If the user then successfully authenticates it will cause them to access an unexpected and potentially malicious website. This issue affects: PAN-OS 7.1
Source: nvd
CVE-2024-2552 | P4 | MEDIUM | CVSS 6.0 | ≥ 10.2.0, < 10.2.7; ≥ 11.0.0, < 11.0.6; +8 more | 2024-11-14
CWE-22: A command injection vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator to bypass system restrictions in the management plane and delete files on the firewall.
Source: nvd
CVE-2017-15943 | P4 | MEDIUM | CVSS 5.3 | fixed in 6.1.19; ≥ 7.0.0, < 7.0.19; +1 more | 2017-12-11
CWE-918: The configuration file import for applications, spyware and vulnerability objects functionality in the web interface in Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, and 7.1.x before 7.1.14 allows remote attackers to conduct server-side request forgery (SSRF) attacks and consequently obtain sensitive information via vectors related t
Source: nvd
CVE-2020-1996 | P4 | MEDIUM | CVSS 5.3 | ≥ 7.1.0, ≤ 7.1.26; ≥ 8.0.0, ≤ 8.0.20; +2 more | 2020-05-13
CWE-862: A missing authorization vulnerability in the management server component of PAN-OS Panorama allows a remote unauthenticated user to inject messages into the management server ms.log file. This vulnerability can be leveraged to obfuscate an ongoing attack or fabricate log entries in the ms.log file. This issue affects: All versions of PAN-OS 7.1 and 8.0
Source: nvd
CVE-2021-3045 | P4 | MEDIUM | CVSS 4.9 | ≥ 8.1.0, < 8.1.19; ≥ 9.0.0, < 9.0.14; +1 more | 2021-08-11
CWE-88: An OS command argument injection vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator to read any arbitrary file from the file system. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.19; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.10. PAN-OS 1
Source: nvd
CVE-2020-2017 | P4 | MEDIUM | CVSS 6.1 | ≥ 7.1.0, < 7.1.26; ≥ 8.0.0, ≤ 8.0.20; +2 more | 2020-05-13
CWE-79: A DOM-Based Cross Site Scripting Vulnerability exists in PAN-OS and Panorama Management Web Interfaces. A remote attacker able to convince an authenticated administrator to click on a crafted link to PAN-OS and Panorama Web Interfaces could execute arbitrary JavaScript code in the administrator's browser and perform administrative actions. This issue a
Source: nvd
CVE-2024-3388 | P4 | MEDIUM | CVSS 5.0 | ≥ 8.1.0, < 8.1.26; ≥ 9.0.0, < 9.0.17; +7 more | 2024-04-10
CWE-269: A vulnerability in the GlobalProtect Gateway in Palo Alto Networks PAN-OS software enables an authenticated attacker to impersonate another user and send network packets to internal assets. However, this vulnerability does not allow the attacker to receive response packets from those internal assets.
Source: nvd
CVE-2024-5911 | P4 | MEDIUM | CVSS 4.9 | ≥ 10.1.0, < 10.1.9; ≥ 10.2.0, < 10.2.4 | 2024-07-10
CWE-434: An arbitrary file upload vulnerability in Palo Alto Networks Panorama software enables an authenticated read-write administrator with access to the web interface to disrupt system processes and crash the Panorama. Repeated attacks eventually cause the Panorama to enter maintenance mode, which requires manual intervention to bring the Panorama back onl
Source: nvd
CVE-2024-5913 | P4 | MEDIUM | CVSS 6.8 | ≥ 10.1.0, < 10.1.14; ≥ 10.2.0, < 10.2.10; +4 more | 2024-07-10
CWE-20: An improper input validation vulnerability in Palo Alto Networks PAN-OS software enables an attacker with the ability to tamper with the physical file system to elevate privileges.
Source: nvd
CVE-2012-6597 | P4 | MEDIUM | CVSS 6.3 | ≤ 3.1.10; v3.1.9; +9 more | 2013-08-31
CWE-20: Palo Alto Networks PAN-OS before 3.1.11 and 4.0.x before 4.0.9 allows remote authenticated users to cause a denial of service (management-server crash) by using the command-line interface for a crafted command, aka Ref ID 35254.
Source: nvd
CVE-2020-1993 | P4 | MEDIUM | CVSS 5.4 | ≥ 7.1.0, ≤ 7.1.26; ≥ 8.0.0, ≤ 8.0.20; +2 more | 2020-05-13
CWE-384: The GlobalProtect Portal feature in PAN-OS does not set a new session identifier after a successful user login, which allows session fixation attacks, if an attacker is able to control a user's session ID. This issue affects: All PAN-OS 7.1 and 8.0 versions; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.8.
Source: nvd
CVE-2024-5917 | P4 | MEDIUM | CVSS 4.9 | ≥ 10.1.0, < 10.1.7; ≥ 10.2.0, < 10.2.2 | 2024-11-14
CWE-918: A server-side request forgery in PAN-OS software enables an authenticated attacker with administrative privileges to use the administrative web interface as a proxy, which enables the attacker to view internal network resources not otherwise accessible.
Source: nvd
CVE-2018-7636 | P4 | MEDIUM | CVSS 6.1 | v8.0.10 | 2018-07-03
CWE-79: The URL filtering "continue page" hosted by PAN-OS 8.0.10 and earlier may allow an attacker to inject arbitrary JavaScript or HTML via specially crafted URLs.
Source: nvd
CVE-2020-2005 | P4 | MEDIUM | CVSS 6.1 | ≥ 7.1.0, < 7.1.26; ≥ 8.0.0, ≤ 8.0.20; +2 more | 2020-05-13
CWE-79: A cross-site scripting (XSS) vulnerability exists when visiting malicious websites with the Palo Alto Networks GlobalProtect Clientless VPN that can compromise the user's active session. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.7; All versions of PAN-OS 8.
Source: nvd
CVE-2019-1565 | P4 | MEDIUM | CVSS 5.4 | ≤ 7.1.21; ≥ 7.1.22, ≤ 8.0.14; +1 more | 2019-01-30
CWE-79: The PAN-OS external dynamics lists in PAN-OS 7.1.21 and earlier, PAN-OS 8.0.14 and earlier, and PAN-OS 8.1.5 and earlier, may allow an attacker that is authenticated in Next Generation Firewall with write privileges to External Dynamic List configuration to inject arbitrary JavaScript or HTML.
Source: nvd
CVE-2024-3386 | P4 | MEDIUM | CVSS 5.3 | ≥ 9.0.0, < 9.0.16; ≥ 9.1.0, < 9.1.17; +8 more | 2024-04-10
CWE-436: An incorrect string comparison vulnerability in Palo Alto Networks PAN-OS software prevents Predefined Decryption Exclusions from functioning as intended. This can cause traffic destined for domains that are not specified in Predefined Decryption Exclusions to be unintentionally excluded from decryption.
Source: nvd
CVE-2024-9471 | P4 | MEDIUM | CVSS 4.7 | ≥ 9.0.0, < 10.0.0; ≥ 10.1.0, < 10.1.11; +2 more | 2024-10-09
CWE-269: A privilege escalation (PE) vulnerability in the XML API of Palo Alto Networks PAN-OS software enables an authenticated PAN-OS administrator with restricted privileges to use a compromised XML API key to perform actions as a higher privileged PAN-OS administrator. For example, an administrator with "Virtual system administrator (read-only)" access cou
Source: nvd
CVE-2017-15941 | P4 | MEDIUM | CVSS 6.1 | fixed in 6.1.19; ≥ 7.0.0, < 7.0.19; +2 more | 2018-01-10
CWE-79: Cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.7, when the GlobalProtect gateway or portal is configured, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Source: nvd
CVE-2017-12416 | P4 | MEDIUM | CVSS 6.1 | ≤ 6.1.17; v7.0.0; +27 more | 2017-09-07
CWE-79: Cross-site scripting (XSS) vulnerability in the GlobalProtect internal and external gateway interface in Palo Alto Networks PAN-OS before 6.1.18, 7.0.x before 7.0.17, 7.1.x before 7.1.12, and 8.0.x before 8.0.3 allows remote attackers to inject arbitrary web script or HTML via vectors related to improper request parameter validation.
Source: nvd
CVE-2017-9459 | P4 | MEDIUM | CVSS 6.1 | ≤ 6.1.17; v7.0.1; +29 more | 2017-08-02
CWE-79: Cross-site scripting (XSS) vulnerability in the management web interface in Palo Alto Networks PAN-OS before 6.1.18, 7.x before 7.0.16, 7.1.x before 7.1.11, and 8.x before 8.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Source: nvd