CVE-2016-9149 XPath Injection
Attack Vector: NETWORK
Scope: UNCHANGED
Attack Complexity: LOW
Confidentiality Impact: NONE
Privileges Required: LOW
Integrity Impact: HIGH
User Interaction: NONE
Availability Impact: NONE
Description
The Addresses Object parsing function does not properly escape single quotes. (Ref # PAN-55237/92073/CVE-2016-9149)
This post-authentication vulnerability could allow XPath manipulation.
This issue affects PAN-OS 5.0.19 and earlier; PAN-OS 5.1.12 and earlier; PAN-OS 6.0.14 and earlier; PAN-OS 6.1.14 and earlier; PAN-OS 7.0.10 and earlier; PAN-OS 7.1.5 and earlier.
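As an added illustration (not Palo Alto Networks code, and using an assumed, simplified XPath path rather than the real PAN-OS configuration tree), the following shows why an unescaped single quote ends an XPath string literal early and how to bind an untrusted value such as an address-object name safely in XPath 1.0:

```python
"""
Added example, not part of the advisory or of PAN-OS.

XPath 1.0 has no escape character inside string literals, so a value that
contains a single quote cannot simply be wrapped in single quotes. The
portable fix is to pick the quote kind the value does not contain or, when
it contains both, to split the value and rebuild it with concat().
"""


def xpath_literal(value: str) -> str:
    """Return an XPath 1.0 expression that evaluates to exactly `value`."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    # Both quote kinds present: quote each single-quote-free piece with
    # single quotes and re-insert the single quotes as the literal "'".
    parts = value.split("'")
    pieces = []
    for i, part in enumerate(parts):
        if part:
            pieces.append(f"'{part}'")
        if i < len(parts) - 1:
            pieces.append('"\'"')
    return "concat(" + ", ".join(pieces) + ")"


# The path below is an assumed, illustrative one, not the PAN-OS schema.
def naive_address_query(name: str) -> str:
    """The vulnerable pattern: the name is interpolated unescaped, so a
    single quote inside it terminates the literal and the remainder of
    the name is parsed as XPath syntax."""
    return f"/config/address/entry[@name='{name}']"


def safe_address_query(name: str) -> str:
    """The same lookup with the name bound through xpath_literal(), so
    the whole value stays inside one string literal."""
    return f"/config/address/entry[@name={xpath_literal(name)}]"
```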
Product Status
| Versions | Affected | Unaffected |
| --- | --- | --- |
| PAN-OS 7.1 | <= 7.1.5 | >= 7.1.6 |
| PAN-OS 7.0 | <= 7.0.10 | >= 7.0.11 |
| PAN-OS 6.1 | <= 6.1.14 | >= 6.1.15 |
| PAN-OS 6.0 | <= 6.0.14 | >= 6.0.15 |
| PAN-OS 5.1 | <= 5.1.12 | >= 5.1.13 |
| PAN-OS 5.0 | <= 5.0.19 | >= 5.0.20 |
Severity: MEDIUM
CVSSv3.1 Base Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
Weakness Type
Solution
PAN-OS 5.0.20 and later; PAN-OS 5.1.13 and later; PAN-OS 6.0.15 and later; PAN-OS 6.1.15 and later; PAN-OS 7.0.11 and later; PAN-OS 7.1.6 and later
Workarounds and Mitigations
N/A
Acknowledgments
Palo Alto Networks would like to thank Khalilov Mukhammad from HelpAG for reporting this issue to us.