CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2020-2027 – PAN-OS: Buffer overflow in authd authentication response
https://notcve.org/view.php?id=CVE-2020-2027
10 Jun 2020 — A buffer overflow vulnerability in the authd component of the PAN-OS management server allows authenticated administrators to disrupt system processes and potentially execute arbitrary code with root privileges. This issue affects: All versions of PAN-OS 7.1 and PAN-OS 8.0; PAN-OS 8.1 versions earlier than PAN-OS 8.1.13; PAN-OS 9.0 versions earlier than PAN-OS 9.0.7. Una vulnerabilidad de desbordamiento del búfer en el componente authd del servidor de administración PAN-OS, permite a administradores autenti... • https://security.paloaltonetworks.com/CVE-2020-2027 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 9.3EPSS: 0%CPEs: 4EXPL: 0CVE-2020-2018 – PAN-OS: Panorama authentication bypass vulnerability
https://notcve.org/view.php?id=CVE-2020-2018
13 May 2020 — An authentication bypass vulnerability in the Panorama context switching feature allows an attacker with network access to a Panorama's management interface to gain privileged access to managed firewalls. An attacker requires some knowledge of managed firewalls to exploit this issue. This issue does not affect Panorama configured with custom certificates authentication for communication between Panorama and managed devices. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions ear... • https://security.paloaltonetworks.com/CVE-2020-2018 • CWE-287: Improper Authentication •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2020-2017 – PAN-OS: DOM-Based cross site scripting vulnerability in management web interface
https://notcve.org/view.php?id=CVE-2020-2017
13 May 2020 — A DOM-Based Cross Site Scripting Vulnerability exists in PAN-OS and Panorama Management Web Interfaces. A remote attacker able to convince an authenticated administrator to click on a crafted link to PAN-OS and Panorama Web Interfaces could execute arbitrary JavaScript code in the administrator's browser and perform administrative actions. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.6; All versions of PAN-OS 8.0. ... • https://security.paloaltonetworks.com/CVE-2020-2017 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.5EPSS: 0%CPEs: 4EXPL: 0CVE-2020-2016 – PAN-OS: Temporary file race condition vulnerability in PAN-OS leads to local privilege escalation
https://notcve.org/view.php?id=CVE-2020-2016
13 May 2020 — A race condition due to insecure creation of a file in a temporary directory vulnerability in PAN-OS allows for root privilege escalation from a limited linux user account. This allows an attacker who has escaped the restricted shell as a low privilege administrator, possibly by exploiting another vulnerability, to escalate privileges to become root user. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.6; All versions... • https://security.paloaltonetworks.com/CVE-2020-2016 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-377: Insecure Temporary File •
CVSS: 9.0EPSS: 0%CPEs: 5EXPL: 0CVE-2020-2015 – PAN-OS: Buffer overflow in the management server
https://notcve.org/view.php?id=CVE-2020-2015
13 May 2020 — A buffer overflow vulnerability in the PAN-OS management server allows authenticated users to crash system processes or potentially execute arbitrary code with root privileges. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.7; PAN-OS 9.1 versions earlier than 9.1.1; All versions of PAN-OS 8.0. Una vulnerabilidad de desbordamiento del búfer en el servidor de administración de PAN-OS permite a los usuarios autentificad... • https://security.paloaltonetworks.com/CVE-2020-2015 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2020-2014 – PAN-OS: OS injection vulnerability in PAN-OS management server
https://notcve.org/view.php?id=CVE-2020-2014
13 May 2020 — An OS Command Injection vulnerability in PAN-OS management server allows authenticated users to inject and execute arbitrary shell commands with root privileges. This issue affects: All versions of PAN-OS 7.1 and 8.0; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.7. Una vulnerabilidad de Inyección de Comandos del Sistema Operativo en el servidor de administración de PAN-OS, permite a usuarios autenticados inyectar y ejecutar comandos de shell arbitrarios con privilegios root.... • https://security.paloaltonetworks.com/CVE-2020-2014 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2020-2013 – PAN-OS: Panorama context switch session cookie disclosure
https://notcve.org/view.php?id=CVE-2020-2013
13 May 2020 — A cleartext transmission of sensitive information vulnerability in Palo Alto Networks PAN-OS Panorama that discloses an authenticated PAN-OS administrator's PAN-OS session cookie. When an administrator issues a context switch request into a managed firewall with an affected PAN-OS Panorama version, their PAN-OS session cookie is transmitted over cleartext to the firewall. An attacker with the ability to intercept this network traffic between the firewall and Panorama can access the administrator's account a... • https://security.paloaltonetworks.com/CVE-2020-2013 • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2020-2012 – PAN-OS: Panorama: XML external entity reference ('XXE') vulnerability leads the to information leak
https://notcve.org/view.php?id=CVE-2020-2012
13 May 2020 — Improper restriction of XML external entity reference ('XXE') vulnerability in Palo Alto Networks Panorama management service allows remote unauthenticated attackers with network access to the Panorama management interface to read arbitrary files on the system. This issue affects: All versions of PAN-OS for Panorama 7.1 and 8.0; PAN-OS for Panorama 8.1 versions earlier than 8.1.13; PAN-OS for Panorama 9.0 versions earlier than 9.0.7. Una vulnerabilidad de restricción inapropiada de una referencia de XML ext... • https://security.paloaltonetworks.com/CVE-2020-2012 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2020-2011 – PAN-OS: Panorama registration denial of service
https://notcve.org/view.php?id=CVE-2020-2011
13 May 2020 — An improper input validation vulnerability in the configuration daemon of Palo Alto Networks PAN-OS Panorama allows for a remote unauthenticated user to send a specifically crafted registration request to the device that causes the configuration service to crash. Repeated attempts to send this request result in denial of service to all PAN-OS Panorama services by restarting the device and putting it into maintenance mode. This issue affects: All versions of PAN-OS 7.1, PAN-OS 8.0; PAN-OS 8.1 versions earlie... • https://security.paloaltonetworks.com/CVE-2020-2011 • CWE-20: Improper Input Validation •
CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2020-2010 – PAN-OS: Authenticated user command injection vulnerability
https://notcve.org/view.php?id=CVE-2020-2010
13 May 2020 — An OS command injection vulnerability in PAN-OS management interface allows an authenticated administrator to execute arbitrary OS commands with root privileges. This issue affects: All versions of PAN-OS 7.1 and 8.0; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.7. Una vulnerabilidad de inyección de comandos de Sistema Operativo en la interfaz de administración de PAN-OS, permite a un administrador autenticado ejecutar comandos arbitrarios del Sistema Operativo con privilegi... • https://security.paloaltonetworks.com/CVE-2020-2010 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •