| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2019-1582 | 119 | | Overflow Mem. Corr. | 2019-08-23 | 2019-08-30 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | Memory corruption in PAN-OS 8.1.9 and earlier, and PAN-OS 9.0.3 and earlier will allow an administrative user to cause arbitrary memory corruption by rekeying the current client interactive session. |
| 2 | CVE-2019-1581 | 20 | | Exec Code Bypass | 2019-08-23 | 2019-08-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Mitigation bypass in PAN-OS 7.1.24 and earlier, PAN-OS 8.0.19 and earlier, PAN-OS 8.1.9 and earlier, and PAN-OS 9.0.3 and earlier will allow a remote, unauthenticated user to execute arbitrary code by crafting a malicious message. |
| 3 | CVE-2019-1580 | 119 | | Overflow Mem. Corr. | 2019-08-23 | 2019-08-30 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Memory corruption in PAN-OS 7.1.24 and earlier, PAN-OS 8.0.19 and earlier, PAN-OS 8.1.9 and earlier, and PAN-OS 9.0.3 and earlier will allow a remote, unauthenticated user to craft a message to Secure Shell Daemon (SSHD) and corrupt arbitrary memory. |
| 4 | CVE-2019-1579 | 20 | | Exec Code | 2019-07-19 | 2019-07-25 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Remote Code Execution in PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11-h1 and earlier, and PAN-OS 8.1.2 and earlier with GlobalProtect Portal or GlobalProtect Gateway Interface enabled may allow an unauthenticated remote attacker to execute arbitrary code. |
| 5 | CVE-2019-1576 | 77 | | | 2019-07-16 | 2019-10-10 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | Command injection in PAN-OS 9.0.2 and earlier may allow an authenticated attacker to gain access to a remote shell in PAN-OS, and potentially run with the escalated user's permissions. |
| 6 | CVE-2019-1575 | 200 | | +Info | 2019-07-16 | 2019-07-19 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | Information disclosure in PAN-OS 7.1.23 and earlier, PAN-OS 8.0.18 and earlier, PAN-OS 8.1.8-h4 and earlier, and PAN-OS 9.0.2 and earlier may allow for an authenticated user with read-only privileges to extract the API key of the device and/or the username/password from the XML API (in PAN-OS) and possibly escalate privileges granted to them. |
| 7 | CVE-2019-1572 | 287 | | | 2019-03-26 | 2019-04-24 | 5.0 | None | Remote | Low | Not required | Partial | None | None | PAN-OS 9.0.0 may allow an unauthenticated remote user to access php files. |
| 8 | CVE-2018-18065 | 476 | | DoS | 2018-10-08 | 2019-04-03 | 4.0 | None | Remote | Low | Single system | None | None | Partial | _set_key in agent/helpers/table_container.c in Net-SNMP before 5.8 has a NULL Pointer Exception bug that can be used by an authenticated attacker to remotely cause the instance to crash via a crafted UDP packet, resulting in Denial of Service. |
| 9 | CVE-2018-10141 | 79 | | XSS | 2018-10-12 | 2018-12-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | GlobalProtect Portal Login page in Palo Alto Networks PAN-OS before 8.1.4 allows an unauthenticated attacker to inject arbitrary JavaScript or HTML. |
| 10 | CVE-2018-10139 | 79 | | XSS | 2018-08-16 | 2018-10-15 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | The PAN-OS response for GlobalProtect Gateway in Palo Alto Networks PAN-OS 6.1.21 and earlier, PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11 and earlier may allow an unauthenticated attacker to inject arbitrary JavaScript or HTML. PAN-OS 8.1 is NOT affected. |
| 11 | CVE-2018-9337 | 79 | | XSS | 2018-07-03 | 2018-09-04 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | The PAN-OS web interface administration page in PAN-OS 6.1.20 and earlier, PAN-OS 7.1.17 and earlier, PAN-OS 8.0.10 and earlier, and PAN-OS 8.1.1 and earlier may allow an attacker to inject arbitrary JavaScript or HTML. |
| 12 | CVE-2018-9335 | 79 | | XSS | 2018-07-03 | 2018-09-04 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | The PAN-OS session browser in PAN-OS 6.1.20 and earlier, PAN-OS 7.1.16 and earlier, PAN-OS 8.0.9 and earlier, and PAN-OS 8.1.1 and earlier may allow an attacker to inject arbitrary JavaScript or HTML. |
| 13 | CVE-2018-9334 | 269 | | | 2018-07-03 | 2019-10-02 | 2.1 | None | Local | Low | Not required | Partial | None | None | The PAN-OS management web interface page in PAN-OS 6.1.20 and earlier, PAN-OS 7.1.16 and earlier, PAN-OS 8.0.8 and earlier, and PAN-OS 8.1.0 may allow an attacker to access the GlobalProtect password hashes of local users via manipulation of the HTML markup. |
| 14 | CVE-2018-9242 | 20 | | | 2018-07-03 | 2018-09-04 | 6.6 | None | Local | Low | Not required | None | Complete | Complete | The PAN-OS management web interface page in PAN-OS 6.1.20 and earlier, PAN-OS 7.1.16 and earlier, PAN-OS 8.0.9 and earlier may allow an attacker to delete files in the system via specific request parameters. |
| 15 | CVE-2018-7636 | 79 | | XSS | 2018-07-03 | 2018-09-05 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | The URL filtering "continue page" hosted by PAN-OS 8.0.10 and earlier may allow an attacker to inject arbitrary JavaScript or HTML via specially crafted URLs. |
| 16 | CVE-2017-17841 | | | | 2018-01-10 | 2019-10-02 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | Palo Alto Networks PAN-OS 6.1, 7.1, and 8.0.x before 8.0.7, when an interface implements SSL decryption with RSA enabled or hosts a GlobalProtect portal or gateway, might allow remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a ROBOT attack. |
| 17 | CVE-2017-16878 | 79 | | XSS | 2018-01-10 | 2018-01-31 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Captive Portal function in Palo Alto Networks PAN-OS before 8.0.7 allows remote attackers to inject arbitrary web script or HTML by leveraging an unspecified configuration. |
| 18 | CVE-2017-15944 | | | Exec Code | 2017-12-11 | 2019-10-02 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.6 allows remote attackers to execute arbitrary code via vectors involving the management interface. |
| 19 | CVE-2017-15943 | 918 | | +Info | 2017-12-11 | 2017-12-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The configuration file import for applications, spyware and vulnerability objects functionality in the web interface in Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, and 7.1.x before 7.1.14 allows remote attackers to conduct server-side request forgery (SSRF) attacks and consequently obtain sensitive information via vectors related to parsing of external entities. |
| 20 | CVE-2017-15942 | | | DoS | 2017-12-11 | 2019-10-02 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.13, and 8.0.x before 8.0.6 allows remote attackers to cause a denial of service via vectors related to the management interface. |
| 21 | CVE-2017-15941 | 79 | | XSS | 2018-01-10 | 2018-01-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.7, when the GlobalProtect gateway or portal is configured, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 22 | CVE-2017-15940 | 77 | | Exec Code | 2017-12-11 | 2017-12-22 | 9.0 | None | Remote | Low | Single system | Complete | Complete | Complete | The web interface packet capture management component in Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.6 allows remote authenticated users to execute arbitrary code via unspecified vectors. |
| 23 | CVE-2017-12416 | 79 | | XSS | 2017-09-07 | 2017-09-11 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the GlobalProtect internal and external gateway interface in Palo Alto Networks PAN-OS before 6.1.18, 7.0.x before 7.0.17, 7.1.x before 7.1.12, and 8.0.x before 8.0.3 allows remote attackers to inject arbitrary web script or HTML via vectors related to improper request parameter validation. |
| 24 | CVE-2017-9467 | 79 | | XSS | 2017-08-02 | 2018-08-01 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the GlobalProtect external interface in Palo Alto Networks PAN-OS before 6.1.18, 7.x before 7.0.16, 7.1.x before 7.1.11, and 8.x before 8.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 25 | CVE-2017-9459 | 79 | | XSS | 2017-08-02 | 2017-08-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the management web interface in Palo Alto Networks PAN-OS before 6.1.18, 7.x before 7.0.16, 7.1.x before 7.1.11, and 8.x before 8.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 26 | CVE-2017-9458 | 611 | | DoS +Info | 2017-09-07 | 2017-09-18 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | XML external entity (XXE) vulnerability in the GlobalProtect internal and external gateway interface in Palo Alto Networks PAN-OS before 6.1.18, 7.0.x before 7.0.17, 7.1.x before 7.1.12, and 8.0.x before 8.0.3 allows remote attackers to obtain sensitive information, cause a denial of service, or conduct server-side request forgery (SSRF) attacks via unspecified vectors. |
| 27 | CVE-2017-8390 | 20 | | Exec Code | 2017-08-02 | 2017-08-08 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | The DNS Proxy in Palo Alto Networks PAN-OS before 6.1.18, 7.x before 7.0.16, 7.1.x before 7.1.11, and 8.x before 8.0.3 allows remote attackers to execute arbitrary code via a crafted domain name. |
| 28 | CVE-2017-7945 | 209 | | | 2017-04-28 | 2019-10-02 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The GlobalProtect external interface in Palo Alto Networks PAN-OS before 6.1.17, 7.x before 7.0.15, 7.1.x before 7.1.9, and 8.x before 8.0.2 provides different error messages for failed login attempts depending on whether the username exists, which allows remote attackers to enumerate account names and conduct brute-force attacks via a series of requests, aka PAN-SA-2017-0014 and PAN-72769. |
| 29 | CVE-2017-7644 | 200 | | +Info | 2017-04-28 | 2017-05-11 | 4.0 | None | Remote | Low | Single system | Partial | None | None | The Management Web Interface in Palo Alto Networks PAN-OS before 6.1.17, 7.x before 7.0.15, and 7.1.x before 7.1.9 allows remote authenticated users to obtain sensitive information by leveraging incorrect permission validation, aka PAN-SA-2017-0013 and PAN-70541. |
| 30 | CVE-2017-7409 | 79 | | XSS | 2017-04-20 | 2017-07-10 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Palo Alto Networks PAN-OS before 7.0.15 has XSS in the GlobalProtect external interface via crafted request parameters, aka PAN-SA-2017-0011 and PAN-70674. |
| 31 | CVE-2017-7218 | 20 | | +Priv | 2017-04-14 | 2019-10-02 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | The Management Web Interface in Palo Alto Networks PAN-OS before 7.1.9 allows remote authenticated users to gain privileges via unspecified request parameters. |
| 32 | CVE-2017-7217 | 20 | | | 2017-04-14 | 2017-07-10 | 4.0 | None | Remote | Low | Single system | None | Partial | None | The Management Web Interface in Palo Alto Networks PAN-OS before 7.0.14 and 7.1.x before 7.1.9 allows remote attackers to write to export files via unspecified parameters. |
| 33 | CVE-2017-7216 | 200 | | +Info | 2017-05-02 | 2017-05-12 | 4.0 | None | Remote | Low | Single system | Partial | None | None | The Management Web Interface in Palo Alto Networks PAN-OS before 7.1.9 allows remote authenticated users to obtain sensitive information via unspecified request parameters. |
| 34 | CVE-2017-5584 | 79 | | XSS | 2017-03-15 | 2017-03-17 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Management Web Interface in Palo Alto Networks PAN-OS 5.1, 6.x before 6.1.16, 7.0.x before 7.0.13, and 7.1.x before 7.1.8 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
| 35 | CVE-2017-5583 | 200 | | +Info | 2017-03-15 | 2017-03-17 | 4.0 | None | Remote | Low | Single system | Partial | None | None | The Management Web Interface in Palo Alto Networks PAN-OS before 6.1.16, 7.0.x before 7.0.13, and 7.1.x before 7.1.8 allows remote authenticated users to read arbitrary files via unspecified vectors. |
| 36 | CVE-2016-9151 | 264 | | +Priv | 2016-11-19 | 2017-09-02 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | Palo Alto Networks PAN-OS before 5.0.20, 5.1.x before 5.1.13, 6.0.x before 6.0.15, 6.1.x before 6.1.15, 7.0.x before 7.0.11, and 7.1.x before 7.1.6 allows local users to gain privileges via crafted values of unspecified environment variables. |
| 37 | CVE-2016-9150 | 119 | | Exec Code Overflow | 2016-11-19 | 2017-09-02 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Buffer overflow in the management web interface in Palo Alto Networks PAN-OS before 5.0.20, 5.1.x before 5.1.13, 6.0.x before 6.0.15, 6.1.x before 6.1.15, 7.0.x before 7.0.11, and 7.1.x before 7.1.6 allows remote attackers to execute arbitrary code via unspecified vectors. |
| 38 | CVE-2016-9149 | 19 | | | 2016-11-19 | 2017-07-27 | 4.0 | None | Remote | Low | Single system | None | Partial | None | The Addresses Object parser in Palo Alto Networks PAN-OS before 5.0.20, 5.1.x before 5.1.13, 6.0.x before 6.0.15, 6.1.x before 6.1.15, 7.0.x before 7.0.11, and 7.1.x before 7.1.6 mishandles single quote characters, which allows remote authenticated users to conduct XPath injection attacks via a crafted string. |
| 39 | CVE-2016-3657 | 119 | | DoS Exec Code Overflow | 2016-04-12 | 2016-04-14 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Buffer overflow in the GlobalProtect Portal in Palo Alto Networks PAN-OS before 5.0.18, 6.0.x before 6.0.13, 6.1.x before 6.1.10, and 7.0.x before 7.0.5 allows remote attackers to cause a denial of service (device crash) or possibly execute arbitrary code via an SSL VPN request. |
| 40 | CVE-2016-3656 | 119 | | DoS Overflow | 2016-04-12 | 2016-04-14 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The GlobalProtect Portal in Palo Alto Networks PAN-OS before 5.0.18, 6.0.x before 6.0.13, 6.1.x before 6.1.10, and 7.0.x before 7.0.5H2 allows remote attackers to cause a denial of service (service crash) via a crafted request. |
| 41 | CVE-2016-3655 | 78 | | Exec Code | 2016-04-12 | 2016-04-14 | 10.0 | User | Remote | Low | Not required | Complete | Complete | Complete | The management web interface in Palo Alto Networks PAN-OS before 5.0.18, 6.0.x before 6.0.13, 6.1.x before 6.1.10, and 7.0.x before 7.0.5 allows remote attackers to execute arbitrary OS commands via an unspecified API call. |
| 42 | CVE-2016-3654 | 20 | | Exec Code | 2016-04-12 | 2016-04-20 | 9.0 | User | Remote | Low | Single system | Complete | Complete | Complete | The device management command line interface (CLI) in Palo Alto Networks PAN-OS before 5.0.18, 5.1.x before 5.1.11, 6.0.x before 6.0.13, 6.1.x before 6.1.10, and 7.0.x before 7.0.5H2 allows remote authenticated administrators to execute arbitrary OS commands via an SSH command parameter. |
| 43 | CVE-2016-2219 | 79 | | XSS | 2016-07-12 | 2016-07-14 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability in the management interface in Palo Alto Networks PAN-OS 7.x before 7.0.8 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
| 44 | CVE-2016-1712 | 20 | | +Priv | 2016-08-02 | 2016-08-03 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | Palo Alto Networks PAN-OS before 5.0.19, 5.1.x before 5.1.12, 6.0.x before 6.0.14, 6.1.x before 6.1.12, and 7.0.x before 7.0.8 might allow local users to gain privileges by leveraging improper sanitization of the root_reboot local invocation. |
| 45 | CVE-2015-6531 | 94 | | Exec Code | 2017-06-01 | 2017-06-08 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | Palo Alto Networks Panorama VM Appliance with PAN-OS before 6.0.1 might allow remote attackers to execute arbitrary Python code via a crafted firmware image file. |
| 46 | CVE-2015-4162 | | | +Info | 2015-06-02 | 2016-11-28 | 4.0 | None | Remote | Low | Single system | Partial | None | None | XML external entity (XXE) vulnerability in the management interface in PAN-OS before 5.0.16, 6.x before 6.0.8, and 6.1.x before 6.1.4 allows remote authenticated administrators to obtain sensitive information via crafted XML data. |
| 47 | CVE-2014-3764 | 79 | | XSS | 2015-01-06 | 2015-01-06 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the web-based device management interface in Palo Alto Networks PAN-OS before 5.0.15, 5.1.x before 5.1.10, and 6.0.x before 6.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Ref ID 64563. |
| 48 | CVE-2013-5664 | 79 | | XSS | 2013-08-31 | 2013-09-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the web-based device-management API browser in Palo Alto Networks PAN-OS before 4.1.13 and 5.0.x before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via crafted data, aka Ref ID 50908. |
| 49 | CVE-2013-5663 | 264 | | Bypass | 2013-08-31 | 2018-08-13 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | The App-ID cache feature in Palo Alto Networks PAN-OS before 4.0.14, 4.1.x before 4.1.11, and 5.0.x before 5.0.2 allows remote attackers to bypass intended security policies via crafted requests that trigger invalid caching, as demonstrated by incorrect identification of HTTP traffic as SIP traffic, aka Ref ID 47195. |
| 50 | CVE-2012-6605 | 78 | | Exec Code | 2013-08-31 | 2013-10-07 | 9.0 | None | Remote | Low | Single system | Complete | Complete | Complete | The device-management command-line interface in Palo Alto Networks PAN-OS before 3.1.11 and 4.0.x before 4.0.9 allows remote authenticated users to execute arbitrary code via unspecified vectors, aka Ref ID 34896. |