The Addresses Object parsing function does not properly escape single quotes. (Ref # PAN-55237/92073/CVE-2016-9149)
This post-authentication vulnerability could allow XPath manipulation.
This issue affects PAN-OS 5.0.19 and earlier; PAN-OS 5.1.12 and earlier; PAN-OS 6.0.14 and earlier; PAN-OS 6.1.14 and earlier; PAN-OS 7.0.10 and earlier; PAN-OS 7.1.5 and earlier
Versions | Affected | Unaffected |
---|---|---|
PAN-OS 7.1 | <= 7.1.5 | >= 7.1.6 |
PAN-OS 7.0 | <= 7.0.10 | >= 7.0.11 |
PAN-OS 6.1 | <= 6.1.14 | >= 6.1.15 |
PAN-OS 6.0 | <= 6.0.14 | >= 6.0.15 |
PAN-OS 5.1 | <= 5.1.12 | >= 5.1.13 |
PAN-OS 5.0 | <= 5.0.19 | >= 5.0.20 |
CVSSv3.1 Base Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
PAN-OS 5.0.20 and later; PAN-OS 5.1.13 and later; PAN-OS 6.0.15 and later; PAN-OS 6.1.15 and later; PAN-OS 7.0.11 and later; PAN-OS 7.1.6 and later
N/A