CVE-2020-2036 PAN-OS: Reflected Cross-Site Scripting (XSS) vulnerability in management web interface

2020-09-0916:45:25

CWE-79

palo_alto

www.cve.org

pan-os management web interface

remote attacker

crafted link

arbitrary javascript code

administrative actions

pan-os 8.1

pan-os 9.0

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7.7

Confidence

High

EPSS

0.031

Percentile

91.1%

JSON

A reflected cross-site scripting (XSS) vulnerability exists in the PAN-OS management web interface. A remote attacker able to convince an administrator with an active authenticated session on the firewall management interface to click on a crafted link to that management web interface could potentially execute arbitrary JavaScript code in the administrator’s browser and perform administrative actions. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.16; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9.

CNA Affected

[
  {
    "product": "PAN-OS",
    "vendor": "Palo Alto Networks",
    "versions": [
      {
        "changes": [
          {
            "at": "9.0.9",
            "status": "unaffected"
          }
        ],
        "lessThan": "9.0.9",
        "status": "affected",
        "version": "9.0",
        "versionType": "custom"
      },
      {
        "lessThan": "9.1*",
        "status": "unaffected",
        "version": "9.1.0",
        "versionType": "custom"
      },
      {
        "changes": [
          {
            "at": "8.1.16",
            "status": "unaffected"
          }
        ],
        "lessThan": "8.1.16",
        "status": "affected",
        "version": "8.1",
        "versionType": "custom"
      },
      {
        "lessThan": "10.0*",
        "status": "unaffected",
        "version": "10.0.0",
        "versionType": "custom"
      }
    ]
  }
]