Vulnerabilities (CVE)

CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-15940 1 Paloaltonetworks 1 Pan-os 2020-02-17 9.0 HIGH 9.8 CRITICAL
The web interface packet capture management component in Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.6 allows remote authenticated users to execute arbitrary code via unspecified vectors.
CVE-2017-15941 1 Paloaltonetworks 1 Pan-os 2020-02-17 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.7, when the GlobalProtect gateway or portal is configured, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2017-15942 1 Paloaltonetworks 1 Pan-os 2020-02-17 5.0 MEDIUM 7.5 HIGH
Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.13, and 8.0.x before 8.0.6 allows remote attackers to cause a denial of service via vectors related to the management interface.
CVE-2017-15943 1 Paloaltonetworks 1 Pan-os 2020-02-17 5.0 MEDIUM 5.3 MEDIUM
The configuration file import for applications, spyware and vulnerability objects functionality in the web interface in Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, and 7.1.x before 7.1.14 allows remote attackers to conduct server-side request forgery (SSRF) attacks and consequently obtain sensitive information via vectors related to parsing of external entities.
CVE-2017-15944 1 Paloaltonetworks 1 Pan-os 2020-02-17 7.5 HIGH 9.8 CRITICAL
Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.6 allows remote attackers to execute arbitrary code via vectors involving the management interface.
CVE-2017-16878 1 Paloaltonetworks 1 Pan-os 2020-02-17 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in the Captive Portal function in Palo Alto Networks PAN-OS before 8.0.7 allows remote attackers to inject arbitrary web script or HTML by leveraging an unspecified configuration.
CVE-2017-17841 1 Paloaltonetworks 1 Pan-os 2020-02-17 4.3 MEDIUM 5.9 MEDIUM
Palo Alto Networks PAN-OS 6.1, 7.1, and 8.0.x before 8.0.7, when an interface implements SSL decryption with RSA enabled or hosts a GlobalProtect portal or gateway, might allow remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a ROBOT attack.
CVE-2017-5583 1 Paloaltonetworks 1 Pan-os 2020-02-17 4.0 MEDIUM 6.5 MEDIUM
The Management Web Interface in Palo Alto Networks PAN-OS before 6.1.16, 7.0.x before 7.0.13, and 7.1.x before 7.1.8 allows remote authenticated users to read arbitrary files via unspecified vectors.
CVE-2017-5584 1 Paloaltonetworks 1 Pan-os 2020-02-17 3.5 LOW 5.4 MEDIUM
Cross-site scripting (XSS) vulnerability in the Management Web Interface in Palo Alto Networks PAN-OS 5.1, 6.x before 6.1.16, 7.0.x before 7.0.13, and 7.1.x before 7.1.8 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
CVE-2017-7216 1 Paloaltonetworks 1 Pan-os 2020-02-17 4.0 MEDIUM 6.5 MEDIUM
The Management Web Interface in Palo Alto Networks PAN-OS before 7.1.9 allows remote authenticated users to obtain sensitive information via unspecified request parameters.
CVE-2017-7644 1 Paloaltonetworks 1 Pan-os 2020-02-17 4.0 MEDIUM 6.5 MEDIUM
The Management Web Interface in Palo Alto Networks PAN-OS before 6.1.17, 7.x before 7.0.15, and 7.1.x before 7.1.9 allows remote authenticated users to obtain sensitive information by leveraging incorrect permission validation, aka PAN-SA-2017-0013 and PAN-70541.
CVE-2017-7945 1 Paloaltonetworks 1 Pan-os 2020-02-17 5.0 MEDIUM 9.8 CRITICAL
The GlobalProtect external interface in Palo Alto Networks PAN-OS before 6.1.17, 7.x before 7.0.15, 7.1.x before 7.1.9, and 8.x before 8.0.2 provides different error messages for failed login attempts depending on whether the username exists, which allows remote attackers to enumerate account names and conduct brute-force attacks via a series of requests, aka PAN-SA-2017-0014 and PAN-72769.
CVE-2017-8390 1 Paloaltonetworks 1 Pan-os 2020-02-17 10.0 HIGH 9.8 CRITICAL
The DNS Proxy in Palo Alto Networks PAN-OS before 6.1.18, 7.x before 7.0.16, 7.1.x before 7.1.11, and 8.x before 8.0.3 allows remote attackers to execute arbitrary code via a crafted domain name.
CVE-2017-9458 1 Paloaltonetworks 1 Pan-os 2020-02-17 7.5 HIGH 9.8 CRITICAL
XML external entity (XXE) vulnerability in the GlobalProtect internal and external gateway interface in Palo Alto Networks PAN-OS before 6.1.18, 7.0.x before 7.0.17, 7.1.x before 7.1.12, and 8.0.x before 8.0.3 allows remote attackers to obtain sensitive information, cause a denial of service, or conduct server-side request forgery (SSRF) attacks via unspecified vectors.
CVE-2017-9459 1 Paloaltonetworks 1 Pan-os 2020-02-17 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in the management web interface in Palo Alto Networks PAN-OS before 6.1.18, 7.x before 7.0.16, 7.1.x before 7.1.11, and 8.x before 8.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2017-9467 1 Paloaltonetworks 1 Pan-os 2020-02-17 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in the GlobalProtect external interface in Palo Alto Networks PAN-OS before 6.1.18, 7.x before 7.0.16, 7.1.x before 7.1.11, and 8.x before 8.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2018-10139 1 Paloaltonetworks 1 Pan-os 2020-02-17 4.3 MEDIUM 6.1 MEDIUM
The PAN-OS response for GlobalProtect Gateway in Palo Alto Networks PAN-OS 6.1.21 and earlier, PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11 and earlier may allow an unauthenticated attacker to inject arbitrary JavaScript or HTML. PAN-OS 8.1 is NOT affected.
CVE-2018-10140 1 Paloaltonetworks 1 Pan-os 2020-02-17 4.0 MEDIUM 4.3 MEDIUM
The PAN-OS Management Web Interface in Palo Alto Networks PAN-OS 8.1.2 and earlier may allow an authenticated user to shut down all management sessions, resulting in all logged in users to be redirected to the login page. PAN-OS 6.1, PAN-OS 7.1 and PAN-OS 8.0 are NOT affected.
CVE-2018-10141 1 Paloaltonetworks 1 Pan-os 2020-02-17 4.3 MEDIUM 6.1 MEDIUM
GlobalProtect Portal Login page in Palo Alto Networks PAN-OS before 8.1.4 allows an unauthenticated attacker to inject arbitrary JavaScript or HTML.
CVE-2018-10142 1 Paloaltonetworks 1 Expedition 2020-02-17 5.0 MEDIUM 7.5 HIGH
The Expedition Migration tool 1.0.106 and earlier may allow an unauthenticated attacker to enumerate files on the operating system.
CVE-2018-10143 1 Paloaltonetworks 1 Expedition 2020-02-17 10.0 HIGH 9.8 CRITICAL
The Palo Alto Networks Expedition Migration tool 1.0.107 and earlier may allow an unauthenticated attacker with remote access to run system level commands on the device hosting this service/application.
CVE-2018-7636 1 Paloaltonetworks 1 Pan-os 2020-02-17 4.3 MEDIUM 6.1 MEDIUM
The URL filtering "continue page" hosted by PAN-OS 8.0.10 and earlier may allow an attacker to inject arbitrary JavaScript or HTML via specially crafted URLs.
CVE-2018-8715 1 Embedthis 1 Appweb 2020-02-17 6.8 MEDIUM 8.1 HIGH
The Embedthis HTTP library, and Appweb versions before 7.0.3, have a logic flaw related to the authCondition function in http/httpLib.c. With a forged HTTP request, it is possible to bypass authentication for the form and digest login types.
CVE-2018-9242 1 Paloaltonetworks 1 Pan-os 2020-02-17 6.6 MEDIUM 5.5 MEDIUM
The PAN-OS management web interface page in PAN-OS 6.1.20 and earlier, PAN-OS 7.1.16 and earlier, PAN-OS 8.0.9 and earlier may allow an attacker to delete files in the system via specific request parameters.
CVE-2018-9334 1 Paloaltonetworks 1 Pan-os 2020-02-17 2.1 LOW 5.5 MEDIUM
The PAN-OS management web interface page in PAN-OS 6.1.20 and earlier, PAN-OS 7.1.16 and earlier, PAN-OS 8.0.8 and earlier, and PAN-OS 8.1.0 may allow an attacker to access the GlobalProtect password hashes of local users via manipulation of the HTML markup.
CVE-2018-9335 1 Paloaltonetworks 1 Pan-os 2020-02-17 3.5 LOW 5.4 MEDIUM
The PAN-OS session browser in PAN-OS 6.1.20 and earlier, PAN-OS 7.1.16 and earlier, PAN-OS 8.0.9 and earlier, and PAN-OS 8.1.1 and earlier may allow an attacker to inject arbitrary JavaScript or HTML.
CVE-2018-9337 1 Paloaltonetworks 1 Pan-os 2020-02-17 3.5 LOW 5.4 MEDIUM
The PAN-OS web interface administration page in PAN-OS 6.1.20 and earlier, PAN-OS 7.1.17 and earlier, PAN-OS 8.0.10 and earlier, and PAN-OS 8.1.1 and earlier may allow an attacker to inject arbitrary JavaScript or HTML.
CVE-2019-15015 1 Zingbox 1 Inspector 2020-02-17 7.2 HIGH 8.4 HIGH
In the Zingbox Inspector, versions 1.294 and earlier, hardcoded credentials for root and inspector user accounts are present in the system software, which can result in unauthorized users gaining access to the system.
CVE-2019-15016 1 Zingbox 1 Inspector 2020-02-17 6.5 MEDIUM 8.8 HIGH
An SQL injection vulnerability exists in the management interface of Zingbox Inspector versions 1.288 and earlier, that allows for unsanitized data provided by an authenticated user to be passed from the web UI into the database.
CVE-2019-15017 1 Zingbox 1 Inspector 2020-02-17 7.2 HIGH 8.4 HIGH
The SSH service is enabled on the Zingbox Inspector versions 1.294 and earlier, exposing SSH to the local network. When combined with PAN-SA-2019-0027, this can allow an attacker to authenticate to the service using hardcoded credentials.
CVE-2019-15019 1 Zingbox 1 Inspector 2020-02-17 7.5 HIGH 9.8 CRITICAL
A security vulnerability exists in the Zingbox Inspector versions 1.294 and earlier, that could allow an attacker to supply an invalid software update image to the Zingbox Inspector.
CVE-2019-15022 1 Zingbox 1 Inspector 2020-02-17 5.0 MEDIUM 7.5 HIGH
A security vulnerability exists in Zingbox Inspector versions 1.294 and earlier, that allows for the Inspector to be susceptible to ARP spoofing.
CVE-2019-15023 1 Zingbox 1 Inspector 2020-02-17 5.0 MEDIUM 7.5 HIGH
A security vulnerability exists in Zingbox Inspector versions 1.294 and earlier, that results in passwords for 3rd party integrations being stored in cleartext in device configuration.
CVE-2019-1565 1 Paloaltonetworks 1 Pan-os 2020-02-17 3.5 LOW 5.4 MEDIUM
The PAN-OS external dynamics lists in PAN-OS 7.1.21 and earlier, PAN-OS 8.0.14 and earlier, and PAN-OS 8.1.5 and earlier, may allow an attacker that is authenticated in Next Generation Firewall with write privileges to External Dynamic List configuration to inject arbitrary JavaScript or HTML.
CVE-2019-1567 1 Paloaltonetworks 1 Expedition Migration Tool 2020-02-17 3.5 LOW 5.4 MEDIUM
The Expedition Migration tool 1.1.6 and earlier may allow an authenticated attacker to run arbitrary JavaScript or HTML in the User Mapping Settings.
CVE-2019-1568 1 Paloaltonetworks 1 Demisto 2020-02-17 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in Palo Alto Networks Demisto 4.5 build 40249 may allow an unauthenticated attacker to run arbitrary JavaScript or HTML.
CVE-2019-17440 1 Paloaltonetworks 3 Pa-7050, Pa-7080, Pan-os 2020-02-17 10.0 HIGH 9.8 CRITICAL
Improper restriction of communications to Log Forwarding Card (LFC) on PA-7000 Series devices with second-generation Switch Management Card (SMC) may allow an attacker with network access to the LFC to gain root access to PAN-OS. This issue affects PAN-OS 9.0 versions prior to 9.0.5-h3 on PA-7080 and PA-7050 devices with an LFC installed and configured. This issue does not affect PA-7000 Series deployments using the first-generation SMC and the Log Processing Card (LPC). This issue does not affect any other PA series devices. This issue does not affect devices without an LFC. This issue does not affect PAN-OS 8.1 or prior releases. This issue only affected a very limited number of customers and we undertook individual outreach to help them upgrade. At the time of publication, all identified customers have upgraded SW or content and are not impacted.
CVE-2016-10945 1 Pagelines 1 Pagelines 2020-02-17 6.8 MEDIUM 8.8 HIGH
The PageLines theme 1.1.4 for WordPress has wp-admin/admin-post.php?page=pagelines CSRF.
CVE-2016-10953 1 Headwaythemes 1 Headway 2020-02-17 4.3 MEDIUM 6.1 MEDIUM
The Headway theme before 3.8.9 for WordPress has XSS via the license key field.
CVE-2016-10954 1 Dynamicpress 1 Neosense 2020-02-17 7.5 HIGH 9.8 CRITICAL
The Neosense theme before 1.8 for WordPress has qquploader unrestricted file upload.
CVE-2016-10961 1 Inkthemes 1 Colorway 2020-02-17 4.3 MEDIUM 6.1 MEDIUM
The colorway theme before 3.4.2 for WordPress has XSS via the contactName parameter.
CVE-2016-10993 1 Scoreme Project 1 Scoreme 2020-02-17 3.5 LOW 5.4 MEDIUM
The ScoreMe theme through 2016-04-01 for WordPress has XSS via the s parameter.
CVE-2016-10994 1 Truemag Theme Project 1 Truemag Theme 2020-02-17 4.3 MEDIUM 6.1 MEDIUM
The Truemag theme 2016 Q2 for WordPress has XSS via the s parameter.
CVE-2020-6399 2 Google, Opensuse 2 Chrome, Backports Sle 2020-02-17 4.3 MEDIUM 6.5 MEDIUM
Insufficient policy enforcement in AppCache in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
CVE-2020-6401 2 Google, Opensuse 2 Chrome, Backports Sle 2020-02-17 4.3 MEDIUM 6.5 MEDIUM
Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.
CVE-2020-6405 1 Google 1 Chrome 2020-02-17 4.3 MEDIUM 6.5 MEDIUM
Out of bounds read in SQLite in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
CVE-2020-6412 2 Google, Opensuse 2 Chrome, Backports Sle 2020-02-17 5.8 MEDIUM 5.4 MEDIUM
Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.
CVE-2020-6413 2 Google, Opensuse 2 Chrome, Backports Sle 2020-02-17 6.8 MEDIUM 8.8 HIGH
Inappropriate implementation in Blink in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass HTML validators via a crafted HTML page.
CVE-2020-6414 2 Google, Opensuse 2 Chrome, Backports Sle 2020-02-17 6.8 MEDIUM 8.8 HIGH
Insufficient policy enforcement in Safe Browsing in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
CVE-2020-6417 1 Google 1 Chrome 2020-02-17 4.6 MEDIUM 7.8 HIGH
Inappropriate implementation in installer in Google Chrome prior to 80.0.3987.87 allowed a local attacker to execute arbitrary code via a crafted registry entry.