Missing XML validation vulnerability in the PAN-OS web interface on Palo Alto Networks PAN-OS software allows authenticated users to inject arbitrary XML that results in privilege escalation.
This issue affects PAN-OS 8.1 versions earlier than PAN-OS 8.1.12 and PAN-OS 9.0 versions earlier than PAN-OS 9.0.6.
This issue does not affect PAN-OS 7.1, PAN-OS 8.0, or PAN-OS 9.1 or later versions.
|8.1||< 8.1.12||>= 8.1.12|
|9.0||< 9.0.6||>= 9.0.6|
This issue requires that the web-based management interface is enabled on the hardware or virtual appliance.
CVSSv3.1 Base Score: 6.8 ( CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H )
This issue is fixed in PAN-OS 8.1.12, PAN-OS 9.0.6, and all later versions.
This issue affects the web-based management interface of the appliance. Access to the web-based management interface of the appliance should be limited strictly to only trusted users, hosts, and networks.