Paloaltonetworks: Security Vulnerabilities
A remote code execution vulnerability in the PAN-OS SSH device management interface that can lead to unauthenticated remote users with network access to the SSH management interface gaining root access to PAN-OS. This issue affects PAN-OS 7.1 versions prior to 7.1.24-h1, 7.1.25; 8.0 versions prior to 8.0.19-h1, 8.0.20; 8.1 versions prior to 8.1.9-h4, 8.1.10; 9.0 versions prior to 9.0.3-h3, 9.0.4.
CVSS Score
9.8
EPSS Score
0.041
Published
2019-08-23
Memory corruption in PAN-OS 8.1.9 and earlier, and PAN-OS 9.0.3 and earlier will allow an administrative user to cause arbitrary memory corruption by rekeying the current client interactive session.
CVSS Score
7.2
EPSS Score
0.006
Published
2019-08-23
Escalation of privilege vulnerability in the Palo Alto Networks Twistlock console 19.07.358 and earlier allows a Twistlock user with Operator capabilities to escalate privileges to that of another user. Active interaction with an affected component is required for the payload to execute on the victim.
CVSS Score
8.0
EPSS Score
0.004
Published
2019-08-23
CVE-2019-1579
Remote Code Execution in PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11-h1 and earlier, and PAN-OS 8.1.2 and earlier with GlobalProtect Portal or GlobalProtect Gateway Interface enabled may allow an unauthenticated remote attacker to execute arbitrary code.
Known exploited
CVSS Score
8.1
EPSS Score
0.927
Published
2019-07-19
Information disclosure in PAN-OS 7.1.23 and earlier, PAN-OS 8.0.18 and earlier, PAN-OS 8.1.8-h4 and earlier, and PAN-OS 9.0.2 and earlier may allow for an authenticated user with read-only privileges to extract the API key of the device and/or the username/password from the XML API (in PAN-OS) and possibly escalate privileges granted to them.
CVSS Score
8.8
EPSS Score
0.007
Published
2019-07-16
Command injection in PAN-0S 9.0.2 and earlier may allow an authenticated attacker to gain access to a remote shell in PAN-OS, and potentially run with the escalated user’s permissions.
CVSS Score
8.8
EPSS Score
0.047
Published
2019-07-16
Code injection vulnerability in Palo Alto Networks Traps 5.0.5 and earlier may allow an authenticated attacker to inject arbitrary JavaScript or HTML.
CVSS Score
6.3
EPSS Score
0.006
Published
2019-07-01
Cross-site scripting vulnerability in Palo Alto Networks MineMeld version 0.9.60 and earlier may allow a remote attacker able to convince an authenticated MineMeld admin to type malicious input in the MineMeld UI could execute arbitrary JavaScript code in the admin’s browser.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-07-01
Cross-site scripting (XSS) vulnerability in Palo Alto Networks Demisto 4.5 build 40249 may allow an unauthenticated attacker to run arbitrary JavaScript or HTML.
CVSS Score
6.1
EPSS Score
0.008
Published
2019-05-09
Cross-site scripting (XSS) vulnerability in Palo Alto Networks Expedition Migration tool 1.1.12 and earlier may allow an authenticated attacker to run arbitrary JavaScript or HTML in the Devices View.
CVSS Score
5.4
EPSS Score
0.004
Published
2019-04-12