CVE-2020-1975

Summary

Missing XML validation vulnerability in the PAN-OS web interface on Palo Alto Networks PAN-OS software allows authenticated users to inject arbitrary XML that results in privilege escalation. This issue affects PAN-OS 8.1 versions earlier than PAN-OS 8.1.12 and PAN-OS 9.0 versions earlier than PAN-OS 9.0.6. This issue does not affect PAN-OS 7.1, PAN-OS 8.0, or PAN-OS 9.1 or later versions.

Affected Software

VendorProductVersion RangeStatus
Palo Alto NetworksPAN-OS7.1.*unaffected
Palo Alto NetworksPAN-OS8.0.*unaffected
Palo Alto NetworksPAN-OS8.1 < 8.1.12affected
Palo Alto NetworksPAN-OS9.0 < 9.0.6affected

Weaknesses

  • CWE-112: CWE-112 Missing XML Validation

Workarounds

This issue affects the web-based management interface of the appliance. Access to the web-based management interface of the appliance should be limited strictly to only trusted users, hosts, and networks.

ADP Enrichment

CVE Program Container

Additional References

References