CVE-2020-2005
7.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Summary
A cross-site scripting (XSS) vulnerability exists when visiting malicious websites with the Palo Alto Networks GlobalProtect Clientless VPN that can compromise the user's active session. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.7; All versions of PAN-OS 8.0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Palo Alto Networks | PAN-OS | 8.0.* | affected |
| Palo Alto Networks | PAN-OS | 7.1 < 7.1.26 | affected |
| Palo Alto Networks | PAN-OS | 8.1 < 8.1.13 | affected |
| Palo Alto Networks | PAN-OS | 9.0 < 9.0.7 | affected |
Weaknesses
- CWE-79: CWE-79 Cross-site Scripting (XSS)
Workarounds
Configure GlobalProtect Clientless VPN to only access known trusted websites, and block access all other websites.
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.