CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-3055 – PAN-OS: XML External Entity (XXE) Reference Vulnerability in the PAN-OS Web Interface
https://notcve.org/view.php?id=CVE-2021-3055
An improper restriction of XML external entity (XXE) reference vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator to read any arbitrary file from the file system and send a specifically crafted request to the firewall that causes the service to crash. Repeated attempts to send this request result in denial of service to all PAN-OS services by restarting the device and putting it into maintenance mode. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.10; PAN-OS 10.0 versions earlier than PAN-OS 10.0.6. This issue does not affect Prisma Access. Una vulnerabilidad de restricción inapropiada de tipo XML external entity (XXE) en la interfaz web de Palo Alto Networks PAN-OS permite a un administrador autenticado leer cualquier archivo arbitrario del sistema de archivos y enviar una petición específicamente diseñada al firewall que cause el bloqueo del servicio. • https://security.paloaltonetworks.com/CVE-2021-3055 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 8.5EPSS: 0%CPEs: 5EXPL: 0CVE-2021-3054 – PAN-OS: Unsigned Code Execution During Plugin Installation Race Condition Vulnerability
https://notcve.org/view.php?id=CVE-2021-3054
A time-of-check to time-of-use (TOCTOU) race condition vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator with permission to upload plugins to execute arbitrary code with root user privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11; PAN-OS 10.0 versions earlier than PAN-OS 10.0.7; PAN-OS 10.1 versions earlier than PAN-OS 10.1.2. This issue does not affect Prisma Access. Una vulnerabilidad de condición de carrera de tiempo de comprobación a tiempo de uso (TOCTOU) en la interfaz web de Palo Alto Networks PAN-OS permite a un administrador autenticado con permiso para cargar plugins ejecutar código arbitrario con privilegios de usuario root. Este problema afecta a: PAN-OS versión 8.1 anteriores a PAN-OS 8.1.20; PAN-OS versión 9.0 anteriores a PAN-OS 9.0.14; PAN-OS versión 9.1 anteriores a PAN-OS 9.1.11; PAN-OS versión 10.0 anteriores a PAN-OS 10.0.7; PAN-OS versión 10.1 anteriores a PAN-OS 10.1.2. • https://security.paloaltonetworks.com/CVE-2021-3054 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-3053 – PAN-OS: Exceptional Condition Denial-of-Service (DoS)
https://notcve.org/view.php?id=CVE-2021-3053
An improper handling of exceptional conditions vulnerability exists in the Palo Alto Networks PAN-OS dataplane that enables an unauthenticated network-based attacker to send specifically crafted traffic through the firewall that causes the service to crash. Repeated attempts to send this request result in denial of service to all PAN-OS services by restarting the device and putting it into maintenance mode. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.9; PAN-OS 10.0 versions earlier than PAN-OS 10.0.5. This issue does not affect Prisma Access. Se presenta una vulnerabilidad de administración inapropiada de condiciones excepcionales en el plano de datos de PAN-OS de Palo Alto Networks que permite a un atacante no autenticado basado en la red enviar tráfico específicamente diseñado mediante el firewall que causa un bloqueo del servicio. • https://security.paloaltonetworks.com/CVE-2021-3053 • CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 8.0EPSS: 0%CPEs: 4EXPL: 0CVE-2021-3052 – PAN-OS: Reflected Cross-Site Scripting (XSS) in Web Interface
https://notcve.org/view.php?id=CVE-2021-3052
A reflected cross-site scripting (XSS) vulnerability in the Palo Alto Network PAN-OS web interface enables an authenticated network-based attacker to mislead another authenticated PAN-OS administrator to click on a specially crafted link that performs arbitrary actions in the PAN-OS web interface as the targeted authenticated administrator. This issue impacts: PAN-OS 8.1 versions earlier than 8.1.20; PAN-OS 9.0 versions earlier than 9.0.14; PAN-OS 9.1 versions earlier than 9.1.10; PAN-OS 10.0 versions earlier than 10.0.2. This issue does not affect Prisma Access. Una vulnerabilidad de tipo cross-site scripting (XSS) reflejado en la interfaz web de PAN-OS de Palo Alto Network permite a un atacante autenticado basado en la red engañar a otro administrador autenticado de PAN-OS para que haga clic en un enlace especialmente diseñado que realice acciones arbitrarias en la interfaz web de PAN-OS como el administrador autenticado objetivo. Este problema afecta a: PAN-OS versión 8.1 anteriores a 8.1.20; PAN-OS versión 9.0 anteriores a 9.0.14; PAN-OS versión 9.1 anteriores a 9.1.10; PAN-OS versión 10.0 anteriores a 10.0.2. • https://security.paloaltonetworks.com/CVE-2021-3052 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.2EPSS: 0%CPEs: 4EXPL: 0CVE-2021-3047 – PAN-OS: Weak Cryptography Used in Web Interface Authentication
https://notcve.org/view.php?id=CVE-2021-3047
A cryptographically weak pseudo-random number generator (PRNG) is used during authentication to the Palo Alto Networks PAN-OS web interface. This enables an authenticated attacker, with the capability to observe their own authentication secrets over a long duration on the PAN-OS appliance, to impersonate another authenticated web interface administrator's session. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.19; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.10; PAN-OS 10.0 versions earlier than PAN-OS 10.0.4. PAN-OS 10.1 versions are not impacted. Es usado un generador de números pseudoaleatorios (PRNG) débil desde el punto de vista criptográfico durante la autenticación en la interfaz web de PAN-OS de Palo Alto Networks. • https://security.paloaltonetworks.com/CVE-2021-3047 • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) •