CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-1984 – Secdo: Privilege escalation via hardcoded script path
https://notcve.org/view.php?id=CVE-2020-1984
Secdo tries to execute a script at a hardcoded path if present, which allows a local authenticated user with 'create folders or append data' access to the root of the OS disk (C:\) to gain system privileges if the path does not already exist or is writable. This issue affects all versions of Secdo for Windows. Secdo intenta ejecutar un script en una ruta embebida si está presente, lo que permite a un usuario autenticado local con acceso a "create folders or append data" en la root del disco del Sistema Operativo (C:\) para alcanzar privilegios system si la ruta aún no existe o es escribible. Este problema afecta a todas las versiones de Secdo para Windows. • https://security.paloaltonetworks.com/CVE-2020-1984 • CWE-20: Improper Input Validation CWE-73: External Control of File Name or Path •
CVSS: 5.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-1978 – VM-Series on Microsoft Azure: Inadvertent collection of credentials in Tech support files on HA configured VMs
https://notcve.org/view.php?id=CVE-2020-1978
TechSupport files generated on Palo Alto Networks VM Series firewalls for Microsoft Azure platform configured with high availability (HA) inadvertently collect Azure dashboard service account credentials. These credentials are equivalent to the credentials associated with the Contributor role in Azure. A user with the credentials will be able to manage all the Azure resources in the subscription except for granting access to other resources. These credentials do not allow login access to the VMs themselves. This issue affects VM Series Plugin versions before 1.0.9 for PAN-OS 9.0. • https://security.paloaltonetworks.com/CVE-2020-1978 • CWE-255: Credentials Management Errors CWE-522: Insufficiently Protected Credentials •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-1979 – PAN-OS: A format string vulnerability in PAN-OS log daemon (logd) on Panorama allows local privilege escalation
https://notcve.org/view.php?id=CVE-2020-1979
A format string vulnerability in the PAN-OS log daemon (logd) on Panorama allows a network based attacker with knowledge of registered firewall devices and access to Panorama management interfaces to execute arbitrary code, bypassing the restricted shell and escalating privileges. This issue affects only PAN-OS 8.1 versions earlier than PAN-OS 8.1.13 on Panorama. This issue does not affect PAN-OS 7.1, PAN-OS 9.0, or later PAN-OS versions. Una vulnerabilidad de la cadena de formato en el demonio de registro (logd) de PAN-OS en Panorama permite a un atacante basado en la red con conocimiento de los dispositivos de cortafuegos registrados y acceso a las interfaces de gestión de Panorama ejecutar un código arbitrario, omitiendo el shell restringido y escalando privilegios. Este problema afecta sólo a las versiones de PAN-OS 8.1 anteriores a PAN-OS 8.1.13 en Panorama. • https://security.paloaltonetworks.com/CVE-2020-1979 • CWE-134: Use of Externally-Controlled Format String •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-1980 – PAN-OS: Shell injection vulnerability in PAN-OS CLI allows execution of shell commands
https://notcve.org/view.php?id=CVE-2020-1980
A shell command injection vulnerability in the PAN-OS CLI allows a local authenticated user to escape the restricted shell and escalate privileges. This issue affects only PAN-OS 8.1 versions earlier than PAN-OS 8.1.13. This issue does not affect PAN-OS 7.1, PAN-OS 9.0, or later PAN-OS versions. This issue is fixed in PAN-OS 8.1.13, and all later versions. Una vulnerabilidad de inyección de comando de shell en la CLI de PAN-OS, permite a un usuario autenticado local escapar del shell restringido y escalar privilegios. • https://security.paloaltonetworks.com/CVE-2020-1980 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-1981 – PAN-OS: Predictable temporary filename vulnerability allows local privilege escalation
https://notcve.org/view.php?id=CVE-2020-1981
A predictable temporary filename vulnerability in PAN-OS allows local privilege escalation. This issue allows a local attacker who bypassed the restricted shell to execute commands as a low privileged user and gain root access on the PAN-OS hardware or virtual appliance. This issue affects only PAN-OS 8.1 versions earlier than PAN-OS 8.1.13. This issue does not affect PAN-OS 7.1, PAN-OS 9.0, or later PAN-OS versions. Una vulnerabilidad de nombre predecible de archivo temporal en PAN-OS, permite una escalada de privilegios locales. • https://security.paloaltonetworks.com/CVE-2020-1981 • CWE-377: Insecure Temporary File CWE-668: Exposure of Resource to Wrong Sphere •