Palo Alto Networks · Pan-Os · CVE-2016-9149
**Name of the Vulnerable Software and Affected Versions**
PAN-OS versions 5.0.19 and earlier
PAN-OS versions 5.1.12 and earlier
PAN-OS versions 6.0.14 and earlier
PAN-OS versions 6.1.14 and earlier
PAN-OS versions 7.0.10 and earlier
PAN-OS versions 7.1.5 and earlier
**Description**
The Addresses Object parser in PAN-OS mishandles single quote characters, allowing remote authenticated users to conduct XPath injection attacks via a crafted string. This issue could allow XPath manipulation.
**Recommendations**
For PAN-OS versions 5.0.19 and earlier, update to version 5.0.20 or later.
For PAN-OS versions 5.1.12 and earlier, update to version 5.1.13 or later.
For PAN-OS versions 6.0.14 and earlier, update to version 6.0.15 or later.
For PAN-OS versions 6.1.14 and earlier, update to version 6.1.15 or later.
For PAN-OS versions 7.0.10 and earlier, update to version 7.0.11 or later.
For PAN-OS versions 7.1.5 and earlier, update to version 7.1.6 or later.