Paloaltonetworks

All CVEs

417 total · sorted by risk
  • CVE-2020-1978 · Apr 8, 2020
    risk 0.00 · cvss · epss 0.00

    TechSupport files generated on Palo Alto Networks VM Series firewalls for Microsoft Azure platform configured with high availability (HA) inadvertently collect Azure dashboard service account credentials. These credentials are equivalent to the credentials associated with the…

  • CVE-2020-1979 · Mar 11, 2020
    risk 0.00 · cvss · epss 0.01

    A format string vulnerability in the PAN-OS log daemon (logd) on Panorama allows a network based attacker with knowledge of registered firewall devices and access to Panorama management interfaces to execute arbitrary code, bypassing the restricted shell and escalating…

  • CVE-2020-1980 · Mar 11, 2020
    risk 0.00 · cvss · epss 0.01

    A shell command injection vulnerability in the PAN-OS CLI allows a local authenticated user to escape the restricted shell and escalate privileges. This issue affects only PAN-OS 8.1 versions earlier than PAN-OS 8.1.13. This issue does not affect PAN-OS 7.1, PAN-OS 9.0, or later…

  • CVE-2020-1981 · Mar 11, 2020
    risk 0.00 · cvss · epss 0.00

    A predictable temporary filename vulnerability in PAN-OS allows local privilege escalation. This issue allows a local attacker who bypassed the restricted shell to execute commands as a low privileged user and gain root access on the PAN-OS hardware or virtual appliance. This…

  • CVE-2020-1977 · Feb 12, 2020
    risk 0.00 · cvss · epss 0.01

    Insufficient Cross-Site Request Forgery (XSRF) protection on Expedition Migration Tool allows remote unauthenticated attackers to hijack the authentication of administrators and to perform actions on the Expedition Migration Tool. This issue affects Expedition Migration Tool…

  • CVE-2020-1976 · Feb 12, 2020
    risk 0.00 · cvss · epss 0.00

    A denial-of-service (DoS) vulnerability in Palo Alto Networks GlobalProtect software running on Mac OS allows authenticated local users to cause the Mac OS kernel to hang or crash. This issue affects GlobalProtect 5.0.5 and earlier versions of GlobalProtect 5.0 on Mac OS.

  • CVE-2020-1975 · Feb 12, 2020
    risk 0.00 · cvss · epss 0.01

    Missing XML validation vulnerability in the PAN-OS web interface on Palo Alto Networks PAN-OS software allows authenticated users to inject arbitrary XML that results in privilege escalation. This issue affects PAN-OS 8.1 versions earlier than PAN-OS 8.1.12 and PAN-OS 9.0…

  • CVE-2019-17440 · Dec 20, 2019
    risk 0.00 · cvss · epss 0.02

    Improper restriction of communications to Log Forwarding Card (LFC) on PA-7000 Series devices with second-generation Switch Management Card (SMC) may allow an attacker with network access to the LFC to gain root access to PAN-OS. This issue affects PAN-OS 9.0 versions prior to…

  • CVE-2019-17437 · Dec 5, 2019
    risk 0.00 · cvss · epss 0.00

    An improper authentication check in Palo Alto Networks PAN-OS may allow an authenticated low privileged non-superuser custom role user to elevate privileges and become superuser. This issue affects PAN-OS 7.1 versions prior to 7.1.25; 8.0 versions prior to 8.0.20; 8.1 versions…

  • CVE-2019-18646 · Nov 14, 2019
    risk 0.00 · cvss · epss 0.01

    The Untangle NG firewall 14.2.0 is vulnerable to authenticated inline-query SQL injection within the timeDataDynamicColumn parameter when logged in as an admin user.

  • CVE-2019-18647 · Nov 14, 2019
    risk 0.00 · cvss · epss 0.02

    The Untangle NG firewall 14.2.0 is vulnerable to an authenticated command injection when logged in as an admin user.

  • CVE-2019-18648 · Nov 14, 2019
    risk 0.00 · cvss · epss 0.01

    When logged in as an admin user, the Untangle NG firewall 14.2.0 is vulnerable to reflected XSS at multiple places and specific user input fields.

  • CVE-2019-18649 · Nov 14, 2019
    risk 0.00 · cvss · epss 0.01

    When logged in as an admin user, the Title input field (under Reports) within Untangle NG firewall 14.2.0 is vulnerable to stored XSS.

  • CVE-2019-17435 · Oct 16, 2019
    risk 0.00 · cvss · epss 0.00

    A Local Privilege Escalation vulnerability exists in the GlobalProtect Agent for Windows 5.0.3 and earlier, and GlobalProtect Agent for Windows 4.1.12 and earlier, in which the auto-update feature can allow for modification of a GlobalProtect Agent MSI installer package on disk…

  • CVE-2019-17436 · Oct 16, 2019
    risk 0.00 · cvss · epss 0.00

    A Local Privilege Escalation vulnerability exists in GlobalProtect Agent for Linux and Mac OS X version 5.0.4 and earlier and version 4.1.12 and earlier, that can allow non-root users to overwrite root files on the file system.

  • CVE-2019-15014 · Oct 9, 2019
    risk 0.00 · cvss · epss 0.02

    A command injection vulnerability exists in the Zingbox Inspector versions 1.286 and earlier, that allows for an authenticated user to execute arbitrary system commands in the CLI.

  • CVE-2019-15018 · Oct 9, 2019
    risk 0.00 · cvss · epss 0.01

    A security vulnerability exists in the Zingbox Inspector versions 1.280 and earlier, where authentication is not required when binding the Inspector instance to a different customer tenant.

  • CVE-2019-15020 · Oct 9, 2019
    risk 0.00 · cvss · epss 0.01

    A security vulnerability exists in the Zingbox Inspector versions 1.293 and earlier, that could allow an attacker to supply an invalid software update image to the Zingbox Inspector that could result in command injection.

  • CVE-2019-15023 · Oct 9, 2019
    risk 0.00 · cvss · epss 0.01

    A security vulnerability exists in Zingbox Inspector versions 1.294 and earlier, that results in passwords for 3rd party integrations being stored in cleartext in device configuration.

  • CVE-2019-15017 · Oct 9, 2019
    risk 0.00 · cvss · epss 0.00

    The SSH service is enabled on the Zingbox Inspector versions 1.294 and earlier, exposing SSH to the local network. When combined with PAN-SA-2019-0027, this can allow an attacker to authenticate to the service using hardcoded credentials.

  • CVE-2019-15016 · Oct 9, 2019
    risk 0.00 · cvss · epss 0.01

    An SQL injection vulnerability exists in the management interface of Zingbox Inspector versions 1.288 and earlier, that allows for unsanitized data provided by an authenticated user to be passed from the web UI into the database.

  • CVE-2019-15019 · Oct 9, 2019
    risk 0.00 · cvss · epss 0.01

    A security vulnerability exists in the Zingbox Inspector versions 1.294 and earlier, that could allow an attacker to supply an invalid software update image to the Zingbox Inspector.

  • CVE-2019-15021 · Oct 9, 2019
    risk 0.00 · cvss · epss 0.01

    A security vulnerability exists in the Zingbox Inspector versions 1.294 and earlier, that can allow an attacker to easily identify instances of Zingbox Inspectors in a local area network.

  • CVE-2019-1584 · Oct 9, 2019
    risk 0.00 · cvss · epss 0.03

    A security vulnerability exists in Zingbox Inspector version 1.293 and earlier, that allows for remote code execution if the Inspector were sent a malicious command from the Zingbox cloud, or if the Zingbox Inspector were tampered with to connect to an attacker's cloud endpoint.

  • CVE-2019-15015 · Oct 9, 2019
    risk 0.00 · cvss · epss 0.00

    In the Zingbox Inspector, versions 1.294 and earlier, hardcoded credentials for root and inspector user accounts are present in the system software, which can result in unauthorized users gaining access to the system.

  • CVE-2019-15022 · Oct 9, 2019
    risk 0.00 · cvss · epss 0.01

    A security vulnerability exists in Zingbox Inspector versions 1.294 and earlier, that allows for the Inspector to be susceptible to ARP spoofing.

  • CVE-2019-1583 · Aug 23, 2019
    risk 0.00 · cvss · epss 0.01

    Escalation of privilege vulnerability in the Palo Alto Networks Twistlock console 19.07.358 and earlier allows a Twistlock user with Operator capabilities to escalate privileges to that of another user. Active interaction with an affected component is required for the payload to…

  • CVE-2019-1582 · Aug 23, 2019
    risk 0.00 · cvss · epss 0.01

    Memory corruption in PAN-OS 8.1.9 and earlier, and PAN-OS 9.0.3 and earlier will allow an administrative user to cause arbitrary memory corruption by rekeying the current client interactive session.

  • CVE-2019-1581 · Aug 23, 2019
    risk 0.00 · cvss · epss 0.03

    A remote code execution vulnerability in the PAN-OS SSH device management interface that can lead to unauthenticated remote users with network access to the SSH management interface gaining root access to PAN-OS. This issue affects PAN-OS 7.1 versions prior to 7.1.24-h1, 7.1.25;…

  • CVE-2019-1580 · Aug 23, 2019
    risk 0.00 · cvss · epss 0.03

    Memory corruption in PAN-OS 7.1.24 and earlier, PAN-OS 8.0.19 and earlier, PAN-OS 8.1.9 and earlier, and PAN-OS 9.0.3 and earlier will allow a remote, unauthenticated user to craft a message to Secure Shell Daemon (SSHD) and corrupt arbitrary memory.

  • CVE-2019-1575 · Jul 16, 2019
    risk 0.00 · cvss · epss 0.02

    Information disclosure in PAN-OS 7.1.23 and earlier, PAN-OS 8.0.18 and earlier, PAN-OS 8.1.8-h4 and earlier, and PAN-OS 9.0.2 and earlier may allow for an authenticated user with read-only privileges to extract the API key of the device and/or the username/password from the XML…

  • CVE-2019-1576 · Jul 16, 2019
    risk 0.00 · cvss · epss 0.02

    Command injection in PAN-OS 9.0.2 and earlier may allow an authenticated attacker to gain access to a remote shell in PAN-OS, and potentially run with the escalated user’s permissions.

  • CVE-2019-1578 · Jul 1, 2019
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting vulnerability in Palo Alto Networks MineMeld version 0.9.60 and earlier may allow a remote attacker who is able to convince an authenticated MineMeld admin to type malicious input in the MineMeld UI to execute arbitrary JavaScript code in the admin’s browser.

  • CVE-2019-1577 · Jul 1, 2019
    risk 0.00 · cvss · epss 0.01

    Code injection vulnerability in Palo Alto Networks Traps 5.0.5 and earlier may allow an authenticated attacker to inject arbitrary JavaScript or HTML.

  • CVE-2019-1568 · May 9, 2019
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in Palo Alto Networks Demisto 4.5 build 40249 may allow an unauthenticated attacker to run arbitrary JavaScript or HTML.

  • CVE-2019-1574 · Apr 12, 2019
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in Palo Alto Networks Expedition Migration tool 1.1.12 and earlier may allow an authenticated attacker to run arbitrary JavaScript or HTML in the Devices View.

  • CVE-2019-1573 · Apr 9, 2019
    risk 0.00 · cvss · epss 0.00

    GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS may allow a local authenticated attacker who has compromised the end-user account and gained the ability to inspect memory, to access authentication and/or session tokens and replay them…

  • CVE-2019-1567 · Apr 9, 2019
    risk 0.00 · cvss · epss 0.01

    The Expedition Migration tool 1.1.6 and earlier may allow an authenticated attacker to run arbitrary JavaScript or HTML in the User Mapping Settings.

  • CVE-2019-1572 · Mar 26, 2019
    risk 0.00 · cvss · epss 0.02

    PAN-OS 9.0.0 may allow an unauthenticated remote user to access php files.

  • CVE-2019-1570 · Mar 26, 2019
    risk 0.00 · cvss · epss 0.01

    The Expedition Migration tool 1.1.8 and earlier may allow an authenticated attacker to run arbitrary JavaScript or HTML in the LDAP server settings.

  • CVE-2019-1569 · Mar 26, 2019
    risk 0.00 · cvss · epss 0.01

    The Expedition Migration tool 1.1.8 and earlier may allow an authenticated attacker to run arbitrary JavaScript or HTML in the User Mapping Settings for account name of admin user.

  • CVE-2019-9627 · Mar 8, 2019
    risk 0.00 · cvss · epss 0.00

    A buffer overflow in the kernel driver CybKernelTracker.sys in CyberArk Endpoint Privilege Manager versions prior to 10.7 allows an attacker (without Administrator privileges) to escalate privileges or crash the machine by loading an image, such as a DLL, with a long path.

  • CVE-2019-1566 · Jan 30, 2019
    risk 0.00 · cvss · epss 0.01

    The PAN-OS management web interface in PAN-OS 7.1.21 and earlier, PAN-OS 8.0.14 and earlier, and PAN-OS 8.1.5 and earlier, may allow an unauthenticated attacker to inject arbitrary JavaScript or HTML.

  • CVE-2019-1565 · Jan 30, 2019
    risk 0.00 · cvss · epss 0.01

    The PAN-OS external dynamics lists in PAN-OS 7.1.21 and earlier, PAN-OS 8.0.14 and earlier, and PAN-OS 8.1.5 and earlier, may allow an attacker that is authenticated in Next Generation Firewall with write privileges to External Dynamic List configuration to inject arbitrary…

  • CVE-2018-10142 · Nov 27, 2018
    risk 0.00 · cvss · epss 0.02

    The Expedition Migration tool 1.0.106 and earlier may allow an unauthenticated attacker to enumerate files on the operating system.

  • CVE-2015-4162 · Jun 2, 2015
    risk 0.00 · cvss · epss 0.01

    XML external entity (XXE) vulnerability in the management interface in PAN-OS before 5.0.16, 6.x before 6.0.8, and 6.1.x before 6.1.4 allows remote authenticated administrators to obtain sensitive information via crafted XML data.

  • CVE-2014-3764 · Jan 6, 2015
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in the web-based device management interface in Palo Alto Networks PAN-OS before 5.0.15, 5.1.x before 5.1.10, and 6.0.x before 6.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Ref ID 64563.

  • CVE-2013-5664 · Aug 31, 2013
    risk 0.00 · cvss · epss 0.02

    Cross-site scripting (XSS) vulnerability in the web-based device-management API browser in Palo Alto Networks PAN-OS before 4.1.13 and 5.0.x before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via crafted data, aka Ref ID 50908.

  • CVE-2013-5663 · Aug 31, 2013
    risk 0.00 · cvss · epss 0.03

    The App-ID cache feature in Palo Alto Networks PAN-OS before 4.0.14, 4.1.x before 4.1.11, and 5.0.x before 5.0.2 allows remote attackers to bypass intended security policies via crafted requests that trigger invalid caching, as demonstrated by incorrect identification of HTTP…

  • CVE-2012-6606 · Aug 31, 2013
    risk 0.00 · cvss · epss 0.01

    Palo Alto Networks GlobalProtect before 1.1.7, and NetConnect, does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof portal servers and obtain sensitive information via a crafted certificate.
