Palo Alto Networks Security Advisories / CVE-2020-1993

CVE-2020-1993 PAN-OS: GlobalProtect Portal PHP session fixation vulnerability

Severity: 3.7 · LOW
Attack Vector: NETWORK
Attack Complexity: HIGH
Confidentiality Impact: LOW
Privileges Required: LOW
Integrity Impact: LOW
User Interaction: REQUIRED
Availability Impact: NONE


The GlobalProtect Portal feature in PAN-OS does not set a new session identifier after a successful user login, which allows session fixation attacks if an attacker is able to control a user's session ID.
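The missing step described above, shown on a generic server-side session model (an added example, not PAN-OS or GlobalProtect code; `SessionStore`, its method names and the user `alice` are hypothetical). One login path keeps the pre-login ID, the other issues a new one, and `pre_login_id_survives` is the regression check that tells them apart.

```python
import secrets


class SessionStore:
    """In-memory server-side session table: session ID -> session data."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        # Anonymous (pre-login) session, as issued on a first request.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        # Logged-in user bound to this ID, or None if unknown or anonymous.
        return self._sessions.get(sid, {}).get("user")

    def login_keep_id(self, sid, user):
        # Weak pattern (CWE-384): the pre-login ID is promoted to an
        # authenticated one, so whoever knew it beforehand shares the login.
        self._sessions[sid]["user"] = user
        return sid

    def login_rotate_id(self, sid, user):
        # Corrected pattern: retire the pre-login ID and bind the
        # authenticated state to a freshly generated identifier.
        data = self._sessions.pop(sid, {})
        data["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


def pre_login_id_survives(login_method):
    """Regression check: True if the ID issued before login is still
    accepted as authenticated afterwards (the session fixation condition)."""
    store = SessionStore()
    pre = store.new_session()
    post = getattr(store, login_method)(pre, "alice")  # constructed user
    if store.user_for(post) != "alice":
        raise RuntimeError("login did not produce an authenticated session")
    return store.user_for(pre) is not None


if __name__ == "__main__":
    for method in ("login_keep_id", "login_rotate_id"):
        print(method, "-> pre-login ID still valid:", pre_login_id_survives(method))
```

The same check can be run against any login flow by comparing the session cookie value before and after authentication.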

This issue affects:

All PAN-OS 7.1 and 8.0 versions;

PAN-OS 8.1 versions earlier than 8.1.14;

PAN-OS 9.0 versions earlier than 9.0.8.

Product Status

Versions      Affected    Unaffected
PAN-OS 9.1    None        >= 9.1.0
PAN-OS 9.0    < 9.0.8     >= 9.0.8
PAN-OS 8.1    < 8.1.14    >= 8.1.14
PAN-OS 8.0    8.0.*
PAN-OS 7.1    7.1.*


CVSSv3.1 Base Score: 3.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N)

Weakness Type

CWE-384 Session Fixation


This issue is fixed in PAN-OS 8.1.14, PAN-OS 9.0.8, PAN-OS 9.1.0, and all later PAN-OS versions.

PAN-OS 8.0 is now end-of-life as of October 31, 2019, and is no longer covered by our Product Security Assurance policies.

PAN-OS 7.1 is on extended support until June 30, 2020, and is only being considered for critical security vulnerability fixes.

Workarounds and Mitigations

There are no known workarounds for this issue.


This issue was found by a customer.


Initial publication