CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2020-2039 – PAN-OS: Management web interface denial-of-service (DoS) through unauthenticated file upload
https://notcve.org/view.php?id=CVE-2020-2039
An uncontrolled resource consumption vulnerability in Palo Alto Networks PAN-OS allows for a remote unauthenticated user to upload temporary files through the management web interface that are not properly deleted after the request is finished. It is possible for an attacker to disrupt the availability of the management web interface by repeatedly uploading files until available disk space is exhausted. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.16; PAN-OS 9.0 versions earlier than PAN-OS 9.0.10; PAN-OS 9.1 versions earlier than PAN-OS 9.1.4; PAN-OS 10.0 versions earlier than PAN-OS 10.0.1. Una vulnerabilidad de consumo de recursos no controlado en Palo Alto Networks PAN-OS permite a un usuario remoto no autenticado cargar archivos temporales por medio de la interfaz web de administración que no son eliminados apropiadamente una vez finalizada la petición. Es posible que un atacante interrumpa la disponibilidad de la interfaz web de administración cargando archivos de forma repetida hasta que se agote el espacio disponible en disco. • https://security.paloaltonetworks.com/CVE-2020-2039 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.0EPSS: 90%CPEs: 3EXPL: 5CVE-2020-2038 – PAN-OS: OS command injection vulnerability in the management web interface
https://notcve.org/view.php?id=CVE-2020-2038
An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. This issue impacts: PAN-OS 9.0 versions earlier than 9.0.10; PAN-OS 9.1 versions earlier than 9.1.4; PAN-OS 10.0 versions earlier than 10.0.1. Una vulnerabilidad de Inyección de Comandos del Sistema Operativo en la interfaz de administración de PAN-OS que permite a los administradores autenticados ejecutar comandos de Sistema Operativo arbitrarios con privilegios root. Este problema impacta a: Versiones PAN-OS 9.0 anteriores a 9.0.10; Versiones PAN-OS 9.1 anteriores a 9.1.4; Versiones PAN-OS 10.0 anteriores a 10.0.1. PAN-OS version 10.0 suffers from a remote code execution vulnerability. • https://www.exploit-db.com/exploits/51005 https://github.com/und3sc0n0c1d0/CVE-2020-2038 http://packetstormsecurity.com/files/168008/PAN-OS-10.0-Remote-Code-Execution.html http://packetstormsecurity.com/files/168408/Palo-Alto-Networks-Authenticated-Remote-Code-Execution.html https://security.paloaltonetworks.com/CVE-2020-2038 https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/panos_op_cmd_exec. • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0CVE-2020-2037 – PAN-OS: OS command injection vulnerability in the management web interface
https://notcve.org/view.php?id=CVE-2020-2037
An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.16; PAN-OS 9.0 versions earlier than PAN-OS 9.0.10; PAN-OS 9.1 versions earlier than PAN-OS 9.1.3. Una vulnerabilidad de inyección de comandos de Sistema Operativo en la interfaz de administración de PAN-OS que permite a los administradores autenticados ejecutar comandos de Sistema Operativo arbitrarios con privilegios root. Este problema impacta a: Versiones PAN-OS 8.1 anteriores a PAN-OS 8.1.16; Versiones PAN-OS 9.0 anteriores a PAN-OS 9.0.10; Versiones PAN-OS 9.1 anteriores a PAN-OS 9.1.3. • https://security.paloaltonetworks.com/CVE-2020-2037 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 3%CPEs: 2EXPL: 0CVE-2020-2036 – PAN-OS: Reflected Cross-Site Scripting (XSS) vulnerability in management web interface
https://notcve.org/view.php?id=CVE-2020-2036
A reflected cross-site scripting (XSS) vulnerability exists in the PAN-OS management web interface. A remote attacker able to convince an administrator with an active authenticated session on the firewall management interface to click on a crafted link to that management web interface could potentially execute arbitrary JavaScript code in the administrator's browser and perform administrative actions. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.16; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9. Existe una vulnerabilidad de tipo cross-site scripting (XSS) reflejado en la interfaz web de administración de PAN-OS. Un atacante remoto capaz de convencer a un administrador con una sesión autenticada activa en la interfaz de administración del firewall para que haga clic en un enlace diseñado a esa interfaz web de administración podría ejecutar código JavaScript arbitrario en el navegador del administrador y llevar a cabo acciones administrativas. • https://security.paloaltonetworks.com/CVE-2020-2036 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.3EPSS: 66%CPEs: 5EXPL: 1CVE-2020-2034 – PAN-OS: OS command injection vulnerability in GlobalProtect portal
https://notcve.org/view.php?id=CVE-2020-2034
An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network based attacker to execute arbitrary OS commands with root privileges. An attacker requires some knowledge of the firewall to exploit this issue. This issue can not be exploited if GlobalProtect portal feature is not enabled. This issue impacts PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; all versions of PAN-OS 8.0 and PAN-OS 7.1. Prisma Access services are not impacted by this vulnerability. • https://github.com/blackhatethicalhacking/CVE-2020-2034-POC https://security.paloaltonetworks.com/CVE-2020-2034 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •