Palo Alto Networks Security Advisories / CVE-2016-9149

CVE-2016-9149 XPath Injection

Severity: 6.5 (MEDIUM)
Attack Vector: NETWORK
Scope: UNCHANGED
Attack Complexity: LOW
Confidentiality Impact: NONE
Privileges Required: LOW
Integrity Impact: HIGH
User Interaction: NONE
Availability Impact: NONE

Description

The Addresses Object parsing function does not properly escape single quotes. (Ref # PAN-55237/92073/CVE-2016-9149)

This post-authentication vulnerability could allow XPath manipulation.
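The defect described above is a single quote that is not escaped before a value is placed inside an XPath string literal. As an added illustration (not Palo Alto Networks code; the /config/address/entry path, the function names and the sample inputs are constructed for this example), the Python below places a vulnerable query builder beside a hardened one that emits a proper XPath 1.0 literal, and adds a structural check that flags any predicate which is no longer a single string value:

```python
import re

# Constructed for illustration; not PAN-OS's real configuration schema or code.
XPATH_TEMPLATE = "/config/address/entry[@name=%s]"
_LIT = "'[^']*'|\"[^\"]*\""                       # one XPath 1.0 string literal
_CONCAT = re.compile(rf"concat\((?:{_LIT})(?:, (?:{_LIT}))+\)")

def build_query_unsafe(name: str) -> str:
    """Vulnerable pattern: `name` is pasted into a single-quoted literal unchanged,
    so a quote inside it ends the literal early and the rest is parsed as XPath."""
    return XPATH_TEMPLATE % f"'{name}'"

def xpath_literal(value: str) -> str:
    """XPath 1.0 literals have no escape sequence: quote with the kind the value
    lacks, or join single-quote-free pieces with concat() when it has both."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    pieces = []
    parts = value.split("'")
    for i, part in enumerate(parts):
        if part:
            pieces.append(f"'{part}'")
        if i < len(parts) - 1:
            pieces.append("\"'\"")                  # a lone single quote, double-quoted
    return "concat(" + ", ".join(pieces) + ")"

def build_query_safe(name: str) -> str:
    """Hardened builder: whatever `name` contains, it stays one string value."""
    return XPATH_TEMPLATE % xpath_literal(name)

def literal_value(expr: str):
    """Value of one literal or a concat() of literals, else None (for example
    when an `or ...` clause follows the literal because a quote broke out)."""
    if _CONCAT.fullmatch(expr):
        return "".join(lit[1:-1] for lit in re.findall(_LIT, expr[7:-1]))
    if re.fullmatch(_LIT, expr):
        return expr[1:-1]
    return None

def name_from_query(query: str):
    """Recover the searched-for name, or None if the predicate is not exactly
    one string value: a cheap structural self-check for a query builder."""
    head, tail = XPATH_TEMPLATE.split("%s")
    if not (query.startswith(head) and query.endswith(tail)):
        return None
    return literal_value(query[len(head):len(query) - len(tail)])
```

Running name_from_query over the output of both builders shows the difference: the unsafe builder yields a predicate that is no longer one string value as soon as the name contains a single quote, while the safe builder round-trips every input.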

This issue affects PAN-OS 5.0.19 and earlier; PAN-OS 5.1.12 and earlier; PAN-OS 6.0.14 and earlier; PAN-OS 6.1.14 and earlier; PAN-OS 7.0.10 and earlier; PAN-OS 7.1.5 and earlier.

Product Status

Versions      Affected     Unaffected
PAN-OS 7.1    <= 7.1.5     >= 7.1.6
PAN-OS 7.0    <= 7.0.10    >= 7.0.11
PAN-OS 6.1    <= 6.1.14    >= 6.1.15
PAN-OS 6.0    <= 6.0.14    >= 6.0.15
PAN-OS 5.1    <= 5.1.12    >= 5.1.13
PAN-OS 5.0    <= 5.0.19    >= 5.0.20

Severity: MEDIUM

CVSSv3.1 Base Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

Weakness Type

CWE-19

Solution

PAN-OS 5.0.20 and later; PAN-OS 5.1.13 and later; PAN-OS 6.0.15 and later; PAN-OS 6.1.15 and later; PAN-OS 7.0.11 and later; PAN-OS 7.1.6 and later.

Workarounds and Mitigations

N/A

Acknowledgments

Palo Alto Networks would like to thank Khalilov Mukhammad from HelpAG for reporting this issue to us.
© 2022 Palo Alto Networks, Inc. All rights reserved.