CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-3053 – PAN-OS: Exceptional Condition Denial-of-Service (DoS)
https://notcve.org/view.php?id=CVE-2021-3053
An improper handling of exceptional conditions vulnerability exists in the Palo Alto Networks PAN-OS dataplane that enables an unauthenticated network-based attacker to send specifically crafted traffic through the firewall that causes the service to crash. Repeated attempts to send this request result in denial of service to all PAN-OS services by restarting the device and putting it into maintenance mode. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.9; PAN-OS 10.0 versions earlier than PAN-OS 10.0.5. This issue does not affect Prisma Access. Se presenta una vulnerabilidad de administración inapropiada de condiciones excepcionales en el plano de datos de PAN-OS de Palo Alto Networks que permite a un atacante no autenticado basado en la red enviar tráfico específicamente diseñado mediante el firewall que causa un bloqueo del servicio. • https://security.paloaltonetworks.com/CVE-2021-3053 • CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 8.0EPSS: 0%CPEs: 4EXPL: 0CVE-2021-3052 – PAN-OS: Reflected Cross-Site Scripting (XSS) in Web Interface
https://notcve.org/view.php?id=CVE-2021-3052
A reflected cross-site scripting (XSS) vulnerability in the Palo Alto Network PAN-OS web interface enables an authenticated network-based attacker to mislead another authenticated PAN-OS administrator to click on a specially crafted link that performs arbitrary actions in the PAN-OS web interface as the targeted authenticated administrator. This issue impacts: PAN-OS 8.1 versions earlier than 8.1.20; PAN-OS 9.0 versions earlier than 9.0.14; PAN-OS 9.1 versions earlier than 9.1.10; PAN-OS 10.0 versions earlier than 10.0.2. This issue does not affect Prisma Access. Una vulnerabilidad de tipo cross-site scripting (XSS) reflejado en la interfaz web de PAN-OS de Palo Alto Network permite a un atacante autenticado basado en la red engañar a otro administrador autenticado de PAN-OS para que haga clic en un enlace especialmente diseñado que realice acciones arbitrarias en la interfaz web de PAN-OS como el administrador autenticado objetivo. Este problema afecta a: PAN-OS versión 8.1 anteriores a 8.1.20; PAN-OS versión 9.0 anteriores a 9.0.14; PAN-OS versión 9.1 anteriores a 9.1.10; PAN-OS versión 10.0 anteriores a 10.0.2. • https://security.paloaltonetworks.com/CVE-2021-3052 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2021-3050 – PAN-OS: OS Command Injection Vulnerability in Web Interface
https://notcve.org/view.php?id=CVE-2021-3050
An OS command injection vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 9.0 version 9.0.10 through PAN-OS 9.0.14; PAN-OS 9.1 version 9.1.4 through PAN-OS 9.1.10; PAN-OS 10.0 version 10.0.7 and earlier PAN-OS 10.0 versions; PAN-OS 10.1 version 10.1.0 through PAN-OS 10.1.1. Prisma Access firewalls and firewalls running PAN-OS 8.1 versions are not impacted by this issue. Una vulnerabilidad de inyección de comandos del Sistema Operativo en la interfaz web de Palo Alto Networks PAN-OS, permite a un administrador autenticado ejecutar comandos arbitrarios del Sistema Operativo para escalar privilegios. Este problema afecta a: PAN-OS 9.0 versiones 9.0.10 hasta PAN-OS 9.0.14; PAN-OS 9.1 versiones 9.1.4 hasta PAN-OS 9.1.10; PAN-OS 10.0 versiones 10.0.7 y versiones anteriores a PAN-OS 10.0; PAN-OS 10.1 versiones 10.1.0 hasta PAN-OS 10.1.1. • https://security.paloaltonetworks.com/CVE-2021-3050 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 5.9EPSS: 0%CPEs: 3EXPL: 0CVE-2021-3048 – PAN-OS: Invalid URLs in an External Dynamic List (EDL) can Lead to Firewall Outage
https://notcve.org/view.php?id=CVE-2021-3048
Certain invalid URL entries contained in an External Dynamic List (EDL) cause the Device Server daemon (devsrvr) to stop responding. This condition causes subsequent commits on the firewall to fail and prevents administrators from performing commits and configuration changes even though the firewall remains otherwise functional. If the firewall then restarts, it results in a denial-of-service (DoS) condition and the firewall stops processing traffic. This issue impacts: PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.9; PAN-OS 10.0 versions earlier than PAN-OS 10.0.5. PAN-OS 8.1 and PAN-OS 10.1 versions are not impacted. • https://security.paloaltonetworks.com/CVE-2020-3048 https://security.paloaltonetworks.com/CVE-2021-3048 • CWE-20: Improper Input Validation •
CVSS: 4.2EPSS: 0%CPEs: 4EXPL: 0CVE-2021-3047 – PAN-OS: Weak Cryptography Used in Web Interface Authentication
https://notcve.org/view.php?id=CVE-2021-3047
A cryptographically weak pseudo-random number generator (PRNG) is used during authentication to the Palo Alto Networks PAN-OS web interface. This enables an authenticated attacker, with the capability to observe their own authentication secrets over a long duration on the PAN-OS appliance, to impersonate another authenticated web interface administrator's session. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.19; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.10; PAN-OS 10.0 versions earlier than PAN-OS 10.0.4. PAN-OS 10.1 versions are not impacted. Es usado un generador de números pseudoaleatorios (PRNG) débil desde el punto de vista criptográfico durante la autenticación en la interfaz web de PAN-OS de Palo Alto Networks. • https://security.paloaltonetworks.com/CVE-2021-3047 • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) •